diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index c836db4c8d..8dd1c27598 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -1,6 +1,6 @@ --- -Description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. -ms.assetid: 70377735-B2F9-4B0B-9658-4CF7C1D745BB +description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. +ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb author: eross-msft ms.prod: edge ms.mktglfcycl: general diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 8b253864c5..f9b7a99dea 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -1,6 +1,6 @@ --- -Description: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. -ms.assetid: 2E849894-255D-4F68-AE88-C2E4E31FA165 +description: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. +ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 author: eross-msft ms.prod: edge ms.mktglfcycl: explore diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index c59f39c894..b0c566fb90 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md 
@@ -1,6 +1,6 @@ --- -Description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. -ms.assetid: 89C75F7E-35CA-4CA8-96FA-B3B498B53BE4 +description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. +ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 author: eross-msft ms.prod: edge ms.mktglfcycl: support diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index 83abaeb1b3..e7467694cc 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -1,6 +1,6 @@ --- -Description: Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. -ms.assetid: 3C5BC4C4-1060-499E-9905-2504EA6DC6AA +description: Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. +ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa author: eross-msft ms.prod: edge ms.mktglfcycl: support diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index 95fd5047eb..9066c5205a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -1,5 +1,5 @@ --- -Description: How to use Group Policy to install ActiveX controls. +description: How to use Group Policy to install ActiveX controls. ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index cd64d9e041..1b86656cdc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md @@ -1,6 +1,6 @@ --- -Description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager tool. -ms.assetid: 20AF07C4-051A-451F-9C46-5A052D9AE27C +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager tool. +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index f9ab01de20..16c1a764fb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -1,5 +1,5 @@ --- -Description: Add multiple sites to your Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool. +description: Add multiple sites to your Enterprise Mode site list using a file and the Windows 10 Enterprise Mode Site List Manager tool. ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index 47622cfefc..9f05233368 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md 
@@ -1,6 +1,6 @@ --- -Description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -ms.assetid: 042E44E8-568D-4717-8FD3-69DD198BBF26 +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 95560b2af3..098937190a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md 
@@ -1,5 +1,5 @@ --- -Description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 04001483b1..17553922a8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md @@ -1,5 +1,5 @@ --- -Description: Administrative templates and Internet Explorer 11 +description: Administrative templates and Internet Explorer 11 ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index 75239e8e5a..cc3bd55193 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md 
@@ -1,5 +1,5 @@ --- -Description: Auto configuration and auto proxy problems with Internet Explorer 11 +description: Auto configuration and auto proxy problems with Internet Explorer 11 ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 069c5e3be7..7957257207 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -1,5 +1,5 @@ --- -Description: Auto configuration settings for Internet Explorer 11 +description: Auto configuration settings for Internet Explorer 11 ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index f9f610b20c..efba636009 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -1,5 +1,5 @@ --- -Description: Auto detect settings Internet Explorer 11 +description: Auto detect settings Internet Explorer 11 ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index 0491632e86..0b26702487 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md 
@@ -1,5 +1,5 @@ --- -Description: Auto proxy configuration settings for Internet Explorer 11 +description: Auto proxy configuration settings for Internet Explorer 11 ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md index 5a201201ed..6a7b6aab93 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md +++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md @@ -1,5 +1,5 @@ --- -Description: Browser cache changes and roaming profiles +description: Browser cache changes and roaming profiles ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index 920903cbfa..e98af43141 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -1,5 +1,5 @@ --- -Description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. +description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index e43dd84668..3091bf3593 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md @@ -1,5 +1,5 @@ --- -Description: Choose how to deploy Internet Explorer 11 (IE11) +description: Choose how to deploy Internet Explorer 11 (IE11) ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index a3c8a8a8fb..64f586dc6b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md @@ -1,5 +1,5 @@ --- -Description: Choose how to install Internet Explorer 11 (IE11) +description: Choose how to install Internet Explorer 11 (IE11) ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index d377f77c60..4349873adf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -1,5 +1,5 @@ --- -Description: Create packages for multiple operating systems or languages +description: Create packages for multiple operating systems or languages ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md index 44d81329a4..64ad245ecd 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md @@ -1,5 +1,5 @@ --- -Description: Customize Internet Explorer 11 installation packages +description: Customize Internet Explorer 11 installation packages ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index c8662e43b1..ec0a98d0e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,5 +1,5 @@ --- -Description: Delete a single site from your global Enterprise Mode site list. +description: Delete a single site from your global Enterprise Mode site list. title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a author: eross-msft diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index f086125028..9ed8f0efec 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md @@ -1,5 +1,5 @@ --- -Description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). +description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). ms.assetid: f51224bd-3371-4551-821d-1d62310e3384 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md index 7747feeda5..8acd111034 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md @@ -1,5 +1,5 @@ --- -Description: Deploy Internet Explorer 11 using software distribution tools +description: Deploy Internet Explorer 11 using software distribution tools ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index c944280aa7..d0b1a5dd07 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -1,5 +1,5 @@ --- -Description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. +description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013. ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index 21f5600fe6..de5ddde4e7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -1,5 +1,5 @@ --- -Description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. +description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 9f6af6cb99..16c7670957 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md 
@@ -1,5 +1,5 @@ --- -Description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager tool to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. +description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager tool to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments. ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index f455eeea56..5fadb33d2b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md @@ -1,5 +1,5 @@ --- -Description: Enable and disable add-ons using administrative templates and group policy +description: Enable and disable add-ons using administrative templates and group policy ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md index 55ff708c9b..04d3602bc5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md 
@@ -1,5 +1,5 @@ --- -Description: Enhanced Protected Mode problems with Internet Explorer +description: Enhanced Protected Mode problems with Internet Explorer ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index 2591aff024..5581dc3c60 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -1,5 +1,5 @@ --- -Description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager tool in your company. +description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager tool in your company. ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 47916a03bc..72353b0be5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -1,6 +1,6 @@ --- -Description: Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. -ms.assetid: 17C61547-82E3-48F2-908D-137A71938823 +description: Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. +ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 5aabb02a74..43b3031513 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -1,5 +1,5 @@ --- -Description: Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 10. +description: Use the Enterprise Mode Site List Manager tool to create and update your Enterprise Mode site list for devices running Windows 10. ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index 54c79a5948..08b19154e2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md @@ -1,5 +1,5 @@ --- -Description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. +description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index 752d5f590e..54453d9b83 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md @@ -1,5 +1,5 @@ --- -Description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. +description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md index b3848e269a..051b4acaaf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md 
@@ -1,5 +1,5 @@ --- -Description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. +description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list. ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index 8e66796bf1..5e6bc433cc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md @@ -1,5 +1,5 @@ --- -Description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 +description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md index f27985497b..d92ab9d3d3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md 
@@ -1,5 +1,5 @@ --- -Description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 +description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index 6b59108ec1..5028bab10d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md @@ -1,5 +1,5 @@ --- -Description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. +description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer. ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md index 2f4a2a344b..15b8ee2275 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md @@ -1,5 +1,5 @@ --- -Description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 +description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md index 0c0baf1e22..c0c1aad839 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md @@ -1,5 +1,5 @@ --- -Description: Group Policy suggestions for compatibility with Internet Explorer 11 +description: Group Policy suggestions for compatibility with Internet Explorer 11 ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index be5cf363fd..ed982594f5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md @@ -1,5 +1,5 @@ --- -Description: Overview of the available Group Policy management tools +description: Overview of the available Group Policy management tools ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md index 20d6d65ee8..379b8e22f1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md @@ -1,5 +1,5 @@ --- -Description: Info about Group Policy preferences versus Group Policy settings +description: Info about Group Policy preferences versus Group Policy settings ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index 1ac5d1bfb1..042bb55c5f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -1,5 +1,5 @@ --- -Description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. +description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11. ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index 481f70db86..a358eecd9f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -1,5 +1,5 @@ --- -Description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. +description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects. ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md index 4e1ff2ae4b..6822bdc5ad 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md @@ -1,5 +1,5 @@ --- -Description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 +description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11 ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index f09dfb77c3..e504c8029b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md @@ -1,5 +1,5 @@ --- -Description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. +description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index d30183214b..bd48d3ce11 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -1,5 +1,5 @@ --- -Description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. +description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index ab94210420..4d84c02d42 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,5 +1,5 @@ --- -Description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. +description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index bab425078d..3555e507a2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md @@ -1,5 +1,5 @@ --- -Description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. +description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images. ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index 71d430f68a..b7fc1bac1f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md 
@@ -1,5 +1,5 @@ --- -Description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager +description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index b6a721ee00..b6d35b63c0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md @@ -1,5 +1,5 @@ --- -Description: How to install the Internet Explorer 11 update using your network +description: How to install the Internet Explorer 11 update using your network ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md index d9008cea54..229278982b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md @@ -1,5 +1,5 @@ --- -Description: How to install the Internet Explorer 11 update using third-party tools and command-line options. +description: How to install the Internet Explorer 11 update using third-party tools and command-line options. ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index db0df00b57..fb74106e67 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -1,5 +1,5 @@ --- -Description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' +description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index 169bb0a63d..c79e0a7a9e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md @@ -1,5 +1,5 @@ --- -Description: How to fix intranet search problems with Internet Explorer 11 +description: How to fix intranet search problems with Internet Explorer 11 ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md index 8280835db5..8993bbcf38 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md +++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md 
@@ -1,5 +1,5 @@ --- -Description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. +description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer. ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md index 49386888c6..f3d32fb46c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md @@ -1,5 +1,5 @@ --- -Description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. +description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK. ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md index a80ceb2432..c1c70107bb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md 
@@ -1,5 +1,5 @@ --- -Description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. +description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers. ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md index 4a24e377b5..184aee8b3d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md @@ -1,5 +1,5 @@ --- -Description: How to turn managed browser hosting controls back on in Internet Explorer 11. +description: How to turn managed browser hosting controls back on in Internet Explorer 11. ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 0cf4aa3930..440c91313f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -1,5 +1,5 @@ --- -Description: New group policy settings for Internet Explorer 11 +description: New group policy settings for Internet Explorer 11 ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1 author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 462dfda537..f0eda349b5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -1,5 +1,5 @@ --- -Description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. +description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index 9e1128475b..c703a74e9f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md @@ -1,5 +1,5 @@ --- -Description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. +description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback. ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6 author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 649c3b37be..03e34ca328 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,5 +1,5 @@ --- -Description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. +description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md index 9bcc82970d..0b1e0e6b69 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md @@ -1,6 +1,6 @@ --- -Description: Instructions about how to remove sites from a local compatibility view list. -ms.assetid: F6ECAA75-EBCB-4F8D-8721-4CD6E73C0AC9 +description: Instructions about how to remove sites from a local compatibility view list. +ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md index 04351f6ae8..14d587d2eb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -1,6 +1,6 @@ --- -Description: Instructions about how to remove sites from a local Enterprise Mode site list. -ms.assetid: C7D6DD0B-E264-42BB-8C9D-AC2F837018D2 +description: Instructions about how to remove sites from a local Enterprise Mode site list. +ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md index deb6a7d303..20b7daca7a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -1,5 +1,5 @@ --- -Description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. +description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index e66d749de5..fcfcfe5767 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -1,5 +1,5 @@ --- -Description: Search to see if a specific site already appears in your global Enterprise Mode site list. +description: Search to see if a specific site already appears in your global Enterprise Mode site list. ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 80bed4f91a..89d6428b85 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -1,6 +1,6 @@ --- -Description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. -ms.assetid: F486C9DB-0DC9-4CD6-8A0B-8CB872B1D361 +description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10. +ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361 author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index 53754b0943..ae2f3d8cc7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -1,5 +1,5 @@ --- -Description: Set up and turn on Enterprise Mode logging and data collection in your organization. +description: Set up and turn on Enterprise Mode logging and data collection in your organization. ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md index 7bf87c552b..bf52290a0c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md @@ -1,5 +1,5 @@ --- -Description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. +description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11. ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md index 3b64a7122d..569a366377 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md 
@@ -1,5 +1,5 @@ --- -Description: Lists the minimum system requirements and supported languages for Internet Explorer 11. +description: Lists the minimum system requirements and supported languages for Internet Explorer 11. ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md index 698277e4b1..3f743c6747 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md @@ -1,5 +1,5 @@ --- -Description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. +description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer. ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md index 4b7bf1f9fb..6068c992d8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md @@ -1,5 +1,5 @@ --- -Description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. +description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it. ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md index 83c7e1e63e..7dffa89bdd 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md @@ -1,5 +1,5 @@ --- -Description: Turn off natural metrics for Internet Explorer 11 +description: Turn off natural metrics for Internet Explorer 11 ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index edbf645bef..5aaf827d87 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -1,5 +1,5 @@ --- -Description: How to turn on Enterprise Mode and specify a site list. +description: How to turn on Enterprise Mode and specify a site list. ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index dcb4eca01f..e4d18d269f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -1,5 +1,5 @@ --- -Description: Turn on local user control and logging for Enterprise Mode. +description: Turn on local user control and logging for Enterprise Mode. ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md index 54e06d6247..a58c9b8903 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md @@ -1,5 +1,5 @@ --- -Description: High-level info about some of the new and updated features for Internet Explorer 11. +description: High-level info about some of the new and updated features for Internet Explorer 11. ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md index a7eb016607..7d7f5c25dc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager-tool.md @@ -1,5 +1,5 @@ --- -Description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager tool. +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager tool. ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index 4bf900b1ed..0e1533193e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md 
@@ -1,5 +1,5 @@ --- -Description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. +description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went. ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md index ac6c6a1830..b47ac2397c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md @@ -1,6 +1,6 @@ --- -Description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. -ms.assetid: 238EAD3D-8920-429A-AC23-02F089C4384A +description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. +ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md index 0af9c6c968..43d7ddb582 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md @@ -1,5 +1,5 @@ --- -Description: How to use IEAK 11 while planning, customizing, and building the custom installation package. +description: How to use IEAK 11 while planning, customizing, and building the custom installation package. ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3 author: eross-msft ms.prod: IE11 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md index 4d71ea7d4b..b0ec5657e5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md @@ -1,5 +1,5 @@ --- -Description: How to use Setup Information (.inf) files to create installation packages. +description: How to use Setup Information (.inf) files to create installation packages. ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md index d622e8ac2e..eef5dd2a0f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md @@ -1,5 +1,5 @@ --- -Description: Virtualization and compatibility with Internet Explorer 11 +description: Virtualization and compatibility with Internet Explorer 11 ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index 0bb0e77915..af00defb04 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md 
@@ -1,5 +1,5 @@ --- -Description: Info about the features included in Enterprise Mode with Internet Explorer 11. +description: Info about the features included in Enterprise Mode with Internet Explorer 11. ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 5ef5971b98..b2bde8e6b2 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -1,5 +1,5 @@ --- -Description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. +description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 6fc01aeeb4..f2de81a8e7 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md @@ -1,5 +1,5 @@ --- -Description: Frequently asked questions about Internet Explorer 11 for IT Pros +description: Frequently asked questions about Internet Explorer 11 for IT Pros ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 author: eross-msft ms.prod: IE11 diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md index cfc630d8d1..480d0fb2fc 100644 --- a/browsers/internet-explorer/index.md +++ b/browsers/internet-explorer/index.md 
@@ -1,6 +1,6 @@ --- description: The landing page for IE11 that lets you access the documentation. -assetid: BE3DC32E-80D9-4D9F-A802-C7DB6C50DBE0 +assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0 author: eross-msft ms.prod: IE11 ms.mktglfcycl: deploy diff --git a/mdop/TOC.md b/mdop/TOC.md new file mode 100644 index 0000000000..cbac82ca91 --- /dev/null +++ b/mdop/TOC.md @@ -0,0 +1 @@ +#[MDOP Placeholder](index.md) \ No newline at end of file diff --git a/mdop/docfx.json b/mdop/docfx.json new file mode 100644 index 0000000000..85c859a765 --- /dev/null +++ b/mdop/docfx.json @@ -0,0 +1,24 @@ +{ + "build": { + "content": + [ + { + "files": ["**/**.md"], + "exclude": ["**/obj/**"] + } + ], + "resource": [ + { + "files": ["**/images/**", "**/*.json"], + "exclude": ["**/obj/**"] + } + ], + "globalMetadata": { + "ROBOTS": "INDEX, FOLLOW" + }, + "externalReference": [ + ], + "template": "op.html", + "dest": "mdop" + } +} \ No newline at end of file diff --git a/mdop/index.md b/mdop/index.md new file mode 100644 index 0000000000..858fac9563 --- /dev/null +++ b/mdop/index.md @@ -0,0 +1 @@ +#Placeholder for MDOP content \ No newline at end of file diff --git a/windows/TOC.md b/windows/TOC.md new file mode 100644 index 0000000000..42192a7b73 --- /dev/null +++ b/windows/TOC.md @@ -0,0 +1,6 @@ +# [Windows 10 and Windows 10 Mobile](index.md) +## [What's new in Windows 10](whats-new/) +## [Plan for Windows 10 deployment](plan/) +## [Deploy Windows 10](deploy/) +## [Keep Windows 10 secure](keep-secure/) +## [Manage and update Windows 10](manage/) \ No newline at end of file diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md new file mode 100644 index 0000000000..86ea7532e1 --- /dev/null +++ b/windows/deploy/TOC.md 
@@ -0,0 +1,136 @@ +# [Deploy Windows 10](index.md) +## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) +## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) +## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) +#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) +#### [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) +#### [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) +### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +### [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) +### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) +### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) +### [Configure MDT settings](configure-mdt-2013-settings.md) +#### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) +#### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +#### [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) +#### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +#### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) +#### [Use web services in MDT](use-web-services-in-mdt-2013.md) +#### [Use Orchestrator runbooks with 
MDT](use-orchestrator-runbooks-with-mdt-2013.md) +## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) +### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) +### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) +### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) +### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) +### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +## [Upgrade to 
Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) +## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) +## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) +## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) +## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) +## [Volume Activation [client]](volume-activation-windows-10.md) +### [Plan for volume activation [client]](plan-for-volume-activation-client.md) +### [Activate using Key Management Service [client]](activate-using-key-management-service-vamt.md) +### [Activate using Active Directory-based activation [client]](activate-using-active-directory-based-activation-client.md) +### [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) +### [Monitor activation [client]](monitor-activation-client.md) +### [Use the Volume Activation Management Tool [client]](use-the-volume-activation-management-tool-client.md) +### [Appendix: Information sent to Microsoft during activation [client]](appendix-information-sent-to-microsoft-during-activation-client.md) +## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) +### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) +### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) +### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation-management-tool.md) +#### [Introduction to VAMT](introduction-vamt.md) +#### [Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) +#### [Install and Configure VAMT](install-configure-vamt.md) +##### [VAMT Requirements](vamt-requirements.md) +##### [Install 
VAMT](install-vamt.md) +##### [Configure Client Computers](configure-client-computers-vamt.md) +#### [Add and Manage Products](add-manage-products-vamt.md) +##### [Add and Remove Computers](add-remove-computers-vamt.md) +##### [Update Product Status](update-product-status-vamt.md) +##### [Remove Products](remove-products-vamt.md) +#### [Manage Product Keys](manage-product-keys-vamt.md) +##### [Add and Remove a Product Key](add-remove-product-key-vamt.md) +##### [Install a Product Key](install-product-key-vamt.md) +##### [Install a KMS Client Key](install-kms-client-key-vamt.md) +#### [Manage Activations](manage-activations-vamt.md) +##### [Perform Online Activation](online-activation-vamt.md) +##### [Perform Proxy Activation](proxy-activation-vamt.md) +##### [Perform KMS Activation](kms-activation-vamt.md) +##### [Perform Local Reactivation](local-reactivation-vamt.md) +##### [Activate an Active Directory Forest Online](activate-forest-vamt.md) +##### [Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) +#### [Manage VAMT Data](manage-vamt-data.md) +##### [Import and Export VAMT Data](import-export-vamt-data.md) +##### [Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) +#### [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +##### [Scenario 1: Online Activation](scenario-online-activation-vamt.md) +##### [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) +##### [Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) +#### [VAMT Known Issues](vamt-known-issues.md) +### [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) +#### [User State Migration Tool (USMT) Overview Topics](usmt-topics.md) +##### [User State Migration Tool (USMT) Overview](usmt-overview.md) +##### [Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md) +##### [Windows Upgrade and Migration 
Considerations](windows-upgrade-and-migration-considerations.md) +#### [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) +##### [Exclude Files and Settings](usmt-exclude-files-and-settings.md) +##### [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) +##### [Include Files and Settings](usmt-include-files-and-settings.md) +##### [Migrate Application Settings](migrate-application-settings.md) +##### [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md) +##### [Migrate User Accounts](usmt-migrate-user-accounts.md) +##### [Reroute Files and Settings](usmt-reroute-files-and-settings.md) +##### [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) +#### [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) +##### [Common Issues](usmt-common-issues.md) +##### [Frequently Asked Questions](usmt-faq.md) +##### [Log Files](usmt-log-files.md) +##### [Return Codes](usmt-return-codes.md) +##### [USMT Resources](usmt-resources.md) +#### [User State Migration Toolkit (USMT) Reference](usmt-reference.md) +##### [USMT Requirements](usmt-requirements.md) +##### [USMT Best Practices](usmt-best-practices.md) +##### [How USMT Works](usmt-how-it-works.md) +##### [Plan Your Migration](usmt-plan-your-migration.md) +###### [Common Migration Scenarios](usmt-common-migration-scenarios.md) +###### [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) +###### [Choose a Migration Store Type](usmt-choose-migration-store-type.md) +####### [Migration Store Types Overview](migration-store-types-overview.md) +####### [Estimate Migration Store Size](usmt-estimate-migration-store-size.md) +####### [Hard-Link Migration Store](usmt-hard-link-migration-store.md) +####### [Migration Store Encryption](usmt-migration-store-encryption.md) +###### [Determine What to Migrate](usmt-determine-what-to-migrate.md) +####### 
[Identify Users](usmt-identify-users.md) +####### [Identify Applications Settings](usmt-identify-application-settings.md) +####### [Identify Operating System Settings](usmt-identify-operating-system-settings.md) +####### [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) +###### [Test Your Migration](usmt-test-your-migration.md) +##### [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) +###### [ScanState Syntax](usmt-scanstate-syntax.md) +###### [LoadState Syntax](usmt-loadstate-syntax.md) +###### [UsmtUtils Syntax](usmt-utilities.md) +##### [USMT XML Reference](usmt-xml-reference.md) +###### [Understanding Migration XML Files](understanding-migration-xml-files.md) +###### [Config.xml File](usmt-configxml-file.md) +###### [Customize USMT XML Files](usmt-customize-xml-files.md) +###### [Custom XML Examples](usmt-custom-xml-examples.md) +###### [Conflicts and Precedence](usmt-conflicts-and-precedence.md) +###### [General Conventions](usmt-general-conventions.md) +###### [XML File Requirements](xml-file-requirements.md) +###### [Recognized Environment Variables](usmt-recognized-environment-variables.md) +###### [XML Elements Library](usmt-xml-elements-library.md) +##### [Offline Migration Reference](offline-migration-reference.md) + diff --git a/windows/deploy/activate-forest-by-proxy-vamt.md b/windows/deploy/activate-forest-by-proxy-vamt.md new file mode 100644 index 0000000000..03cd03b3ee --- /dev/null +++ b/windows/deploy/activate-forest-by-proxy-vamt.md 
@@ -0,0 +1,66 @@ +--- +title: Activate by Proxy an Active Directory Forest (Windows 10) +description: Activate by Proxy an Active Directory Forest +ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Activate by Proxy an Active Directory Forest +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access. + +**Note**   +For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet. 
+ +## Requirements +Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: +- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. + +- VAMT has administrative permissions to the Active Directory domain. + +**To perform an Active Directory forest proxy activation** + +1. Open VAMT. + +2. In the left-side pane, click the **Active Directory-Based Activation** node. + +3. In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box. + +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate. + +5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. + + **Important**   + If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. + +7. Click **Install Key**. + + VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + +9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. + +10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. + +11. 
In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs. + +12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message. + +13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup. + +14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane. + +15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**. + +VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics +- [Add and Remove Computers](add-remove-computers-vamt.md) \ No newline at end of file diff --git a/windows/deploy/activate-forest-vamt.md b/windows/deploy/activate-forest-vamt.md new file mode 100644 index 0000000000..65c4159dc4 --- /dev/null +++ b/windows/deploy/activate-forest-vamt.md 
@@ -0,0 +1,50 @@ +--- +title: Activate an Active Directory Forest Online (Windows 10) +description: Activate an Active Directory Forest Online +ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Activate an Active Directory Forest Online +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +## Requirements +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: + +- VAMT is installed on a host computer that has Internet access. + +- VAMT has administrative permissions to the Active Directory domain. + +- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. + + +**To perform an online Active Directory forest activation** + +1. Open VAMT. + +2. In the left-side pane, click the **Active Directory-Based Activation** node. + +3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. + +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. + +5. If required, enter a new Active Directory-Based Activation Object name + + **Important**   + If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Click **Install Key**. + +7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. 
+ +The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics +- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) +- [Add and Remove Computers](add-remove-computers-vamt.md) \ No newline at end of file diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md new file mode 100644 index 0000000000..54dfb802e3 --- /dev/null +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md 
@@ -0,0 +1,118 @@ +--- +title: Activate using Active Directory-based activation (Windows 10) +description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. +ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Activate using Active Directory-based activation +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 R2 or Windows Server 2012, but after the schema is updated, older domain controllers can still activate clients. + +Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. + +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. + +The process proceeds as follows: + +1. 
Perform one of the following tasks: + + - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard. + + - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT. + +2. Microsoft verifies the KMS host key, and an activation object is created. + +3. Client computers are activated by receiving the activation object from a domain controller during startup. + + ![Active Directory-based activation flow](images/volumeactivationforwindows81-10.jpg) + + **Figure 10**. The Active Directory-based activation flow + +For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. + +If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. + +Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. + +When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. 
If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. + +## Step-by-step configuration: Active Directory-based activation +**Note**   +You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. + +**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:** + +1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. + +2. Launch Server Manager. + +3. Add the Volume Activation Services role, as shown in Figure 11. + + ![Adding the Volume Activation Services role](images/volumeactivationforwindows81-11.jpg) + + **Figure 11**. Adding the Volume Activation Services role + +4. Click the link to launch the Volume Activation Tools (Figure 12). + + ![Launching the Volume Activation Tools](images/volumeactivationforwindows81-12.jpg) + + **Figure 12**. Launching the Volume Activation Tools + +5. Select the **Active Directory-Based Activation** option (Figure 13). + + ![Selecting Active Directory-Based Activation](images/volumeactivationforwindows81-13.jpg) + + **Figure 13**. Selecting Active Directory-Based Activation + +6. Enter your KMS host key and (optionally) a display name (Figure 14). + + ![Entering your KMS host key](images/volumeactivationforwindows81-14.jpg) + + **Figure 14**. Entering your KMS host key + +7. Activate your KMS host key by phone or online (Figure 15). + + ![Choosing how to activate your product](images/volumeactivationforwindows81-15.jpg) + + **Figure 15**. Choosing how to activate your product + +8. After activating the key, click **Commit**, and then click **Close**. 
+ +## Verifying the configuration of Active Directory-based activation +To verify your Active Directory-based activation configuration, complete the following steps: + +1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. + +2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. + +3. If the computer is not joined to your domain, join it to the domain. + +4. Sign in to the computer. + +5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. + +6. Scroll down to the **Windows activation** section, and verify that this client has been activated. + + **Note**
+ If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used. + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) \ No newline at end of file diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md new file mode 100644 index 0000000000..2bf225376d --- /dev/null +++ b/windows/deploy/activate-using-key-management-service-vamt.md 
@@ -0,0 +1,155 @@ +--- +title: Activate using Key Management Service (Windows 10) +ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac +description: +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Activate using Key Management Service +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host: + +- Host KMS on a computer running Windows 10 + +- Host KMS on a computer running Windows Server 2012 R2 + +- Host KMS on a computer running an earlier version of Windows + +## Key Management Service in Windows 10 +Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. + +Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. + +To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. + +**Configure KMS in Windows 10** + +1. Open an elevated command prompt. + +2. Enter one of the following commands. + - To install a KMS key, type **slmgr.vbs /ipk <KmsKey>**. + - To activate online, type **slmgr.vbs /ato**. + - To activate by using the telephone, type **slui.exe 4**. + +3. 
After activating the KMS key, restart the Software Protection Service. + +For more information, see the information for Windows 7 in [Deploy KMS Activation](http://go.microsoft.com/fwlink/p/?LinkId=717032). + +## Key Management Service in Windows Server 2012 R2 +Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. + +**Note**   +You cannot install a client KMS key into the KMS in Windows Server. + +This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. + +**Note**   +If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](http://go.microsoft.com/fwlink/p/?LinkId=620687). + +**Configure KMS in Windows Server 2012 R2** + +1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. + +2. Launch Server Manager. + +3. Add the Volume Activation Services role, as shown in Figure 4. + + ![Adding the Volume Activation Services role in Server Manager](images/volumeactivationforwindows81-04.jpg) + + **Figure 4**. Adding the Volume Activation Services role in Server Manager + +4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). + + ![Launching the Volume Activation Tools](images/volumeactivationforwindows81-05.jpg) + + **Figure 5**. Launching the Volume Activation Tools + +5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). + + This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. + + ![Configuring the computer as a KMS host](images/volumeactivationforwindows81-06.jpg) + + **Figure 6**. Configuring the computer as a KMS host + +6. 
Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). + + ![Installing your KMS host key](images/volumeactivationforwindows81-07.jpg) + + **Figure 7**. Installing your KMS host key + +7. If asked to confirm replacement of an existing key, click **Yes**. + +8. After the product key is installed, you must activate it. Click **Next** (Figure 8). + + ![Activating the software](images/volumeactivationforwindows81-08.jpg) + + **Figure 8**. Activating the software + +The KMS key can be activated online or by phone. See Figure 9. + +![Choosing to activate online](images/volumeactivationforwindows81-09.jpg) + +**Figure 9**. Choosing to activate online + +Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. + +## Verifying the configuration of Key Management Service +You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. + +**Note**   +If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. + +To verify that KMS volume activation works, complete the following steps: + +1. On the KMS host, open the event log and confirm that DNS publishing is successful. + +2. 
On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.

+The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. + +3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.

+The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated. + +For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](http://go.microsoft.com/fwlink/p/?LinkId=733639). + +## Key Management Service in earlier versions of Windows +If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: + +1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. + +2. Request a new KMS host key from the Volume Licensing Service Center. + +3. Install the new KMS host key on your KMS host. + +4. Activate the new KMS host key by running the slmrg.vbs script. + +For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](http://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=626590). + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md new file mode 100644 index 0000000000..584155bc6f --- /dev/null +++ b/windows/deploy/activate-windows-10-clients-vamt.md 
@@ -0,0 +1,128 @@ +--- +title: Activate clients running Windows 10 (Windows 10) +description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. +ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Activate clients running Windows 10 +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. + +Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. + +If activation or reactivation is required, the following sequence occurs: + +1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. + +2. 
If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. + +3. The computer tries to activate against Microsoft servers if it is configured with a MAK. + +If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. + +## How Key Management Service works +KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. + +### Key Management Service activation thresholds +You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. + +A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. 
If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. + +When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. + +In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. + +### Activation count cache +To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. + +However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. + +The total size of the cache is set by the type of client computer that is attempting to activate. 
If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. + +### Key Management Service connectivity +KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. + +### Key Management Service activation renewal +KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. + +### Publication of the Key Management Service +The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. + +### Client discovery of the Key Management Service +By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. 
The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. + +Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. + +If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. + +By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. 
+ +### Domain Name System server configuration +The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. + +The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. + +### Activating the first Key Management Service host +KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. + +### Activating subsequent Key Management Service hosts +Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. 
After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](http://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. + +## How Multiple Activation Key works +A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. + +You can activate computers by using a MAK in two ways: + +- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. + + ![MAK independent activation](images/volumeactivationforwindows81-16.jpg) + + **Figure 16**. MAK independent activation + +- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. + + ![MAK proxy activation with the VAMT](images/volumeactivationforwindows81-17.jpg) + + **Figure 17**. 
MAK proxy activation with the VAMT + +A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. + +You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. + +### Multiple Activation Key architecture and activation +MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. + +In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. + +## Activating as a standard user +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/active-directory-based-activation-overview.md b/windows/deploy/active-directory-based-activation-overview.md new file mode 100644 index 0000000000..fc73f66ca1 --- /dev/null +++ b/windows/deploy/active-directory-based-activation-overview.md 
@@ -0,0 +1,32 @@ +--- +title: Active Directory-Based Activation Overview (Windows 10) +description: Active Directory-Based Activation Overview +ms.assetid: c1dac3bd-6a86-4c45-83dd-421e63a398c0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Active Directory-Based Activation Overview +Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. + +## Active Directory-Based Activation Scenarios +VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following: + +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name. + +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. 
Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. + +## Related topics +- [How to Activate an Active Directory Forest Online](http://go.microsoft.com/fwlink/p/?LinkId=246565) +- [How to Proxy Activate an Active Directory Forest](http://go.microsoft.com/fwlink/p/?LinkId=246566) + +  + +  + + + + + diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md new file mode 100644 index 0000000000..7be8c2bbe2 --- /dev/null +++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md 
@@ -0,0 +1,75 @@ +--- +title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) +description: Operating system images are typically the production image used for deployment throughout the organization. +ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b +keywords: ["image, deploy, distribute"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Add a Windows 10 operating system image using Configuration Manager + + +**Applies to** + +- Windows 10 + +Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. + +2. Copy the REFW10-X64-001.wim file to the **E:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. + + ![figure 17](images/fig17-win10image.png) + + Figure 17. The Windows 10 image copied to the Sources folder structure. + +3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. + +4. 
On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim and click **Next**. + +5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM and click **Next** twice, and then click **Close**. + +6. Distribute the operating system image to the CM01 distribution point by right-clicking the Windows 10 Enterprise x64 RTM operating system image and selecting **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point. + +8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed. You also can review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. + + ![figure 18](images/fig18-distwindows.png) + + Figure 18. The distributed Windows 10 Enterprise x64 RTM package. + +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with 
Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md new file mode 100644 index 0000000000..b655ccdd8b --- /dev/null +++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -0,0 +1,112 @@ +--- +title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) +description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. +ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c +keywords: ["deploy, task sequence"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Add drivers for Windows PE + + +This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01. + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**. + +2. 
In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**. + +3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**. + +4. On the **Select the packages to add the imported driver** page, click **Next**. + +5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice. + +![figure 21](images/fig21-add-drivers.png) + +Figure 21. Add drivers to Windows PE. + +**Note**   +The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two. + +  + +## Add drivers for Windows 10 + + +This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01. + +1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**. + +3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**. 
+ + ![figure 22](images/fig22-createcategories.png) + + Figure 22. Create driver categories. + +4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**: + + 1. Name: Windows 10 x64 - HP EliteBook 8560w + + 2. Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w + + **Note**   + The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder. + +   + +5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. + +**Note**   +If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. + +  + +![figure 23](images/mdt-06-fig26.png) + +Figure 23. Drivers imported and a new driver package created. + +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using 
Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/add-manage-products-vamt.md b/windows/deploy/add-manage-products-vamt.md new file mode 100644 index 0000000000..6bc5b1b8a8 --- /dev/null +++ b/windows/deploy/add-manage-products-vamt.md @@ -0,0 +1,31 @@ +--- +title: Add and Manage Products (Windows 10) +description: Add and Manage Products +ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Add and Manage Products +This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. + +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | +|[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | +|[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | + +  + +  + +  + + + + + diff --git a/windows/deploy/add-remove-computers-vamt.md b/windows/deploy/add-remove-computers-vamt.md new file mode 100644 index 0000000000..426401e5ff --- /dev/null +++ b/windows/deploy/add-remove-computers-vamt.md 
@@ -0,0 +1,75 @@ +--- +title: Add and Remove Computers (Windows 10) +description: Add and Remove Computers +ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Add and Remove Computers +You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. + +Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). + +## To add computers to a VAMT database +1. Open VAMT. + +2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. + +3. In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. + + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. 
This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. + + - To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks. + +4. Click **Search**. + +5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below. + + To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. + + ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif) + + **Important**   + This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. + +## To add products to VAMT +1. 
In the **Products** list, select the computers that need to have their product information added to the VAMT database. + +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +4. Click **Filter**. VAMT displays the filtered list in the center pane. + +5. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + +6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +## To remove computers from a VAMT database +You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. 
In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) + +  + +  + + + + + diff --git a/windows/deploy/add-remove-product-key-vamt.md b/windows/deploy/add-remove-product-key-vamt.md new file mode 100644 index 0000000000..c237513201 --- /dev/null +++ b/windows/deploy/add-remove-product-key-vamt.md 
@@ -0,0 +1,34 @@ +--- +title: Add and Remove a Product Key (Windows 10) +description: Add and Remove a Product Key +ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Add and Remove a Product Key +Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. + +## To Add a Product Key +1. Open VAMT. + +2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. + +3. Click **Add product keys** to open the **Add Product Keys** dialog box. + +4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: + + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. + + - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + **Note**   + If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Remove a Product Key +- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. 
Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. + +## Related topics +- [Manage Product Keys](manage-product-keys-vamt.md) \ No newline at end of file diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md new file mode 100644 index 0000000000..69204429e8 --- /dev/null +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -0,0 +1,86 @@ +--- +title: Appendix Information sent to Microsoft during activation (Windows 10) +ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 +description: +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Appendix: Information sent to Microsoft during activation +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +When you activate a computer running Windows 10, the following information is sent to Microsoft: + +- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) + +- A channel ID or site code that identifies how the Windows product was originally obtained + + For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. 
+ +- The date of installation and whether the installation was successful + +- Information that helps confirm that your Windows product key has not been altered + +- Computer make and model + +- Version information for the operating system and software + +- Region and language settings + +- A unique number called a *globally unique identifier*, which is assigned to your computer + +- Product key (hashed) and product ID + +- BIOS name, revision number, and revision date + +- Volume serial number (hashed) of the hard disk drive + +- The result of the activation check + + This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + + - The activation exploit’s identifier + + - The activation exploit’s current state, such as cleaned or quarantined + + - Computer manufacturer’s identification + + - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit + +- The name and a hash of the contents of your computer’s startup instructions file + +- If your Windows license is on a subscription basis, information about how your subscription works + +Standard computer information is also sent, but your computer’s IP address is only retained temporarily. + +## Use of information +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. + +For additional details, see [Windows 10 Privacy Statement](http://go.microsoft.com/fwlink/p/?LinkId=619879). + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md new file mode 100644 index 0000000000..d5fba8327f --- /dev/null 
+++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md 
@@ -0,0 +1,160 @@ +--- +title: Assign applications using roles in MDT (Windows 10) +description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. +ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 +keywords: ["settings, database, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Assign applications using roles in MDT + + +This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. + +## Create and assign a role entry in the database + + +1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. + +2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: + + 1. Role name: Standard PC + + 2. Applications / Lite Touch Applications: + + 3. Install - Adobe Reader XI - x86 + +![figure 12](images/mdt-09-fig12.png) + +Figure 12. The Standard PC role with the application added + +## Associate the role with a computer in the database + + +After creating the role, you can associate it with one or more computer entries. + +1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. + +2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: + + - Roles: Standard PC + +![figure 13](images/mdt-09-fig13.png) + +Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). 
+ +## Verify database access in the MDT simulation environment + + +When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer. + +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. + +2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following: + + ``` syntax + [Settings] + Priority=CSettings, CRoles, RApplications, Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=Y + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=P@ssw0rd + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=P@ssw0rd + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=NO + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://MDT01:9800 + + [CSettings] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=ComputerSettings + Parameters=UUID, AssetTag, SerialNumber, MacAddress + ParameterCondition=OR + + [CRoles] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=ComputerRoles + Parameters=UUID, AssetTag, SerialNumber, MacAddress + ParameterCondition=OR + + [RApplications] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=RoleApplications + Parameters=Role + Order=Sequence + ``` + +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. 
Press **Enter** after each command: + + ``` syntax + Set-Location C:\MDT + .\Gather.ps1 + ``` + +![figure 14](images/mdt-09-fig14.png) + +Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine. + +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md new file mode 100644 index 0000000000..8d78744690 --- /dev/null +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md 
@@ -0,0 +1,311 @@ +--- +title: Build a distributed environment for Windows 10 deployment (Windows 10) +description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. +ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c +keywords: ["replication, replicate, deploy, configure, remote"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Build a distributed environment for Windows 10 deployment + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of the deployment solution. With images reaching 5 GB in size or more, you can't deploy machines in a remote office over the wire. You need to replicate the content, so that the clients can do local deployments. + +We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0006 is a blank machine to which you will deploy Windows 10. You will configure a second deployment server (MDT02) for a remote site (Stockholm) by replicating the deployment share in the original site (New York). MDT01, MDT02, and PC0006 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](images/mdt-10-fig01.png) + +Figure 1. The machines used in this topic. + +## Replicate deployment shares + + +Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. 
The most common content replication solutions with Microsoft Deployment Toolkit (MDT) 2013 use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. + +**Note**   +Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. + +  + +### Linked deployment shares in MDT 2013 Update 2 + +LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. + +### Why DFS-R is a better option + +DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication target(s) as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. + +## Set up Distributed File System Replication (DFS-R) for replication + + +Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings. + +### Prepare MDT01 for replication + +1. On MDT01, using Server Manager, click **Add roles and features**. + +2. On the **Select installation type** page, select **Role-based or feature-based installation**. + +3. 
On the **Select destination server** page, select **MDT01.contoso.com** and click **Next**. + +4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**. + +5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**. + + ![figure 2](images/mdt-10-fig02.png) + + Figure 2. Adding the DFS Replication role to MDT01. + +6. On the **Select features** page, accept the default settings, and click **Next**. + +7. On the **Confirm installation selections** page, click **Install**. + +8. On the **Installation progress** page, click **Close**. + +### Prepare MDT02 for replication + +1. On MDT02, using Server Manager, click **Add roles and features**. + +2. On the **Select installation type** page, select **Role-based or feature-based installation**. + +3. On the **Select destination server** page, select **MDT02.contoso.com** and click **Next**. + +4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**. + +5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**. + +6. On the **Select features** page, accept the default settings, and click **Next**. + +7. On the **Confirm installation selections** page, click **Install**. + +8. On the **Installation progress** page, click **Close**. + +### Create the MDTProduction folder on MDT02 + +1. On MDT02, using File Explorer, create the **E:\\MDTProduction** folder. + +2. Share the **E:\\MDTProduction** folder as **MDTProduction$**. Use the default permissions. + + ![figure 3](images/mdt-10-fig03.png) + + Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02. 
+ +### Configure the deployment share + +When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property. + +1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this: + + ``` syntax + [Settings] + Priority=DefaultGateway, Default + [DefaultGateway] + 192.168.1.1=NewYork + 192.168.2.1=Stockholm + [NewYork] + DeployRoot=\\MDT01\MDTProduction$ + [Stockholm] + DeployRoot=\\MDT02\MDTProduction$ + [Default] + UserDomain=CONTOSO + UserID=MDT_BA + SkipBDDWelcome=YES + ``` + + **Note**   + The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + +   + +2. Save the Bootstrap.ini file. + +3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. + + ![figure 4](images/mdt-10-fig04.png) + + Figure 4. Updating the MDT Production deployment share. + +4. Use the default settings for the Update Deployment Share Wizard. + +5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. + + ![figure 5](images/mdt-10-fig05.png) + + Figure 5. Replacing the updated boot image in WDS. + +6. 
Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. + +## Replicate the content + + +Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. + +### Create the replication group + +1. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**. + +2. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**. + +3. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**. + +4. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**. + + ![figure 6](images/mdt-10-fig06.png) + + Figure 6. Adding the Replication Group Members. + +5. On the **Topology Selection** page, select the **Full mesh** option and click **Next**. + +6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**. + +7. On the **Primary Member** page, select **MDT01** and click **Next**. + +8. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**. + +9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**. + +10. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**. + + ![figure 7](images/mdt-10-fig07.png) + + Figure 7. Configure the MDT02 member. + +11. On the **Review Settings and Create Replication Group** page, click **Create**. + +12. On the **Confirmation** page, click **Close**. + +### Configure replicated folders + +1. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**. + +2. 
In the middle pane, right-click the **MDT01** member and select **Properties**. + +3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**: + + 1. In the **Staging** tab, set the quota to **20480 MB**. + + 2. In the **Advanced** tab, set the quota to **8192 MB**. + + In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share: + + ``` syntax + (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB + ``` + + ![figure 8](images/mdt-10-fig08.png) + + Figure 8. Configure the Staging settings. + +4. In the middle pane, right-click the **MDT02** member and select **Properties**. + +5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**: + + 1. In the **Staging** tab, set the quota to **20480 MB**. + + 2. In the **Advanced** tab, set the quota to **8192 MB**. + +**Note**   +It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. + +  + +### Verify replication + +1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder. + +2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. + +3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, select **Health report** and click **Next**. + +4. On the **Path and Name** page, accept the default settings and click **Next**. + +5. 
On the **Members to Include** page, accept the default settings and click **Next**. + +6. On the **Options** page, accept the default settings and click **Next**. + +7. On the **Review Settings and Create Report** page, click **Create**. + +8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option. + +![figure 9](images/mdt-10-fig09.png) + +Figure 9. The DFS Replication Health Report. + +## Configure Windows Deployment Services (WDS) in a remote site + + +Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02. + +1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**. + +2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings. + +## Deploy the Windows 10 client to the remote site + + +Now you should have a solution ready for deploying the Windows 10 client to the remote site, Stockholm, connecting to the MDT Production deployment share replica on MDT02. + +1. Create a virtual machine with the following settings: + + 1. Name: PC0006 + + 2. Location: C:\\VMs + + 3. Generation: 2 + + 4. Memory: 2048 MB + + 5. Hard disk: 60 GB (dynamic disk) + +2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server. + +3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: + + 1. Password: P@ssw0rd + + 2. Select a task sequence to execute on this computer: + + 1. Windows 10 Enterprise x64 RTM Custom Image + + 2. Computer Name: PC0006 + + 3. Applications: Select the Install - Adobe Reader XI - x86 application + +4. The setup will now start and do the following: + + 1. 
Install the Windows 10 Enterprise operating system. + + 2. Install the added application. + + 3. Update the operating system via your local Windows Server Update Services (WSUS) server. + +## Related topics + + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-2013-settings.md) + +  + +  + + + + + diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md new file mode 100644 index 0000000000..3ca65edd17 --- /dev/null +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -0,0 +1,38 @@ +--- +title: Change history for Deploy Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Deploy Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 19C50373-6B25-4F5C-A6EF-643D36904349 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Change history for Deploy Windows 10 +This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## December 2015 +| New or changed topic | Description | +|----------------------|-------------| +| [Activate using Key Management Service](activate-using-key-management-service-vamt.md) | Updated | +| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | Updated | + +## November 2015 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | New | + +## Related topics +- [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) +- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) +- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) +- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/configure-client-computers-vamt.md b/windows/deploy/configure-client-computers-vamt.md new file mode 100644 index 0000000000..0b64ceb406 --- /dev/null +++ b/windows/deploy/configure-client-computers-vamt.md 
@@ -0,0 +1,114 @@ +--- +title: Configure Client Computers (Windows 10) +description: Configure Client Computers +ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Configure Client Computers +To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: + +- An exception must be set in the client computer's firewall. + +- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations. + +Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. + +**Important**   +This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](http://go.microsoft.com/fwlink/p/?LinkId=182933). + +## Configuring the Windows Firewall to allow VAMT access +Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: + +1. Open Control Panel and double-click **System and Security**. + +2. Click **Windows Firewall**. + +3. Click **Allow a program or feature through Windows Firewall**. + +4. Click the **Change settings** option. + +5. Select the **Windows Management Instrumentation (WMI)** checkbox. + +6. Click **OK**. + + **Warning**   + By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. 
+ +## Configure Windows Firewall to allow VAMT access across multiple subnets +Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: + +![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) + +1. Open the Control Panel and double-click **Administrative Tools**. + +2. Click **Windows Firewall with Advanced Security**. + +3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): + + - Windows Management Instrumentation (ASync-In) + + - Windows Management Instrumentation (DCOM-In) + + - Windows Management Instrumentation (WMI-In) + +4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. + +5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. + + - On the **General** tab, select the **Allow the connection** checkbox. + + - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. + + - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). + +In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. + +For more info, see [How to configure RPC dynamic port allocation to work with firewalls](http://go.microsoft.com/fwlink/p/?LinkId=182911). 
+ +## Create a registry value for the VAMT to access workgroup-joined computer +**Caution**   +This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](http://go.microsoft.com/fwlink/p/?LinkId=182912). + +On the client computer, create the following registry key using regedit.exe. + +1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` + +2. Enter the following details: + + **Value Name: LocalAccountTokenFilterPolicy** + + **Type: DWORD** + + **Value Data: 1** + + **Note**   + To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. + +## Deployment options +There are several options for organizations to configure the WMI firewall exception for computers: + +- **Image.** Add the configurations to the master Windows image deployed to all clients. + +- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. + +- **Script.** Execute a script using Microsoft System Center Configuration Manager or a third-party remote script execution facility. + +- **Manual.** Configure the WMI firewall exception individually on each client. + +The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. 
We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) + +  + +  + + + + + diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md new file mode 100644 index 0000000000..01607fa6ca --- /dev/null +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md 
@@ -0,0 +1,83 @@ +--- +title: Configure MDT for UserExit scripts (Windows 10) +description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. +ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 +keywords: ["rules, script"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Configure MDT for UserExit scripts + + +In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. + +## Configure the rules to call a UserExit script + + +You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). + +``` syntax +[Settings] +Priority=Default +[Default] +OSINSTALL=YES +UserExit=Setname.vbs +OSDComputerName=#SetName("%MACADDRESS%")# +``` + +The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script + +## The Setname.vbs UserExit script + + +The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. 
+ +``` syntax +Function UserExit(sType, sWhen, sDetail, bSkip) + UserExit = Success +End Function +Function SetName(sMac) + Dim re + Set re = new RegExp + re.IgnoreCase = true + re.Global = true + re.Pattern = ":" + SetName = "PC" & re.Replace(sMac, "") +End Function +``` + +The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. + +**Note**   +The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. + +  + +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md new file mode 100644 index 0000000000..40a852f3b9 --- /dev/null +++ b/windows/deploy/configure-mdt-2013-settings.md 
@@ -0,0 +1,64 @@ +--- +title: Configure MDT settings (Windows 10) +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 +keywords: ["customize, customization, deploy, features, tools"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Configure MDT settings + + +One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. + +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](images/mdt-09-fig01.png) + +Figure 1. The machines used in this topic. 
+ +## In this section + + +- [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +- [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +- [Use web services in MDT](use-web-services-in-mdt-2013.md) + +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +## Related topics + + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +  + +  + + + + + diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md new file mode 100644 index 0000000000..f0b9946f1e --- /dev/null +++ b/windows/deploy/configure-mdt-deployment-share-rules.md 
@@ -0,0 +1,137 @@ +--- +title: Configure MDT deployment share rules (Windows 10) +description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. +ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b +keywords: ["rules, configuration, automate, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Configure MDT deployment share rules + + +In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. + +## Assign settings + + +When using MDT, you can assign setting in three distinct ways: + +- You can pre-stage the information before deployment. + +- You can prompt the user or technician for information. + +- You can have MDT generate the settings automatically. + +In order illustrate these three options, let's look at some sample configurations. + +## Sample configurations + + +Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine. + +### Set computer name by MAC Address + +If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. 
+ +``` syntax +[Settings] +Priority=MacAddress, Default +[Default] +OSInstall=YES +[00:15:5D:85:6B:00] +OSDComputerName=PC00075 +``` + +In the preceding sample, you set the PC00075 computer name for a machine with a MAC Address of 00:15:5D:85:6B:00. + +### Set computer name by serial number + +Another way to assign a computer name is to identify the machine via its serial number. + +``` syntax +[Settings] +Priority=SerialNumber, Default +[Default] +OSInstall=YES +[CND0370RJ7] +OSDComputerName=PC00075 +``` + +In this sample, you set the PC00075 computer name for a machine with a serial number of CND0370RJ7. + +### Generate a computer name based on a serial number + +You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly. + +``` syntax +[Settings] +Priority=Default +[Default] +OSInstall=YES +OSDComputerName=PC-%SerialNumber% +``` + +In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7. + +**Note**   +Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters. + +  + +### Generate a limited computer name based on a serial number + +To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows: + +``` syntax +[Settings] +Priority=Default +[Default] +OSInstall=YES +OSDComputerName=PC-#Left("%SerialNumber%",12)# +``` + +In the preceding sample, you still configure the rules to set the computer name to a prefix (PC-) followed by the serial number. However, by adding the Left VBScript function, you configure the rule to use only the first 12 serial-number characters for the name. 
+ +### Add laptops to a different organizational unit (OU) in Active Directory + +In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read. + +``` syntax +[Settings] +Priority=ByLaptopType, Default +[Default] +MachineObjectOU=OU=Workstations,OU=Contoso,DC=contoso,DC=com +[ByLaptopType] +Subsection=Laptop-%IsLaptop% +[Laptop-True] +MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com +``` + +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md new file mode 100644 index 0000000000..7b6d831fae --- /dev/null +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -0,0 +1,117 @@ +--- +title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) +description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. +ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 +keywords: ["tool, customize, deploy, boot image"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Create a custom Windows PE boot image with Configuration Manager + + +**Applies to** + +- Windows 10 + +In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 2 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Add DaRT 10 files and prepare to brand the boot image + + +The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. 
In this section, we use a custom background image named ContosoBackground.bmp. + +1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings. + +2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. + +3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. + +4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. + +5. Using File Explorer, navigate to the **C:\\Setup** folder. + +6. Copy the **Branding** folder to **E:\\Sources\\OSD**. + +## Create a boot image for Configuration Manager using the MDT wizard + + +By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. + +1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. + +2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**. + + **Note**   + The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. + +   + +3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**. + +4. On the **Options** page, select the **x64** platform, and click **Next**. + +5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + + ![figure 15](images/mdt-06-fig16.png) + + Figure 15. Add the DaRT component to the Configuration Manager boot image. + +6. 
On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice. + + **Note**   + It will take a few minutes to generate the boot image. + +   + +7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. + +8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image. + + ![figure 16](images/fig16-contentstatus.png) + + Figure 16. Content status for the Zero Touch WinPE x64 boot image. + +10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. + +11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**. + +12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages. + +13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md new file mode 100644 index 0000000000..3430f96464 --- /dev/null +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md 
@@ -0,0 +1,197 @@ +--- +title: Create a task sequence with Configuration Manager and MDT (Windows 10) +description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. +ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 +keywords: ["deploy, upgrade, task sequence, install"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Create a task sequence with Configuration Manager and MDT + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Create a task sequence using the MDT Integration Wizard + + +This section will walk you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use. + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**. + +3. 
On the **General** page, assign the following settings and then click **Next**: + + 1. Task sequence name: Windows 10 Enterprise x64 RTM + + 2. Task sequence comments: Production image with Office 2013 + +4. On the **Details** page, assign the following settings and then click **Next**: + + 1. Join a Domain + + 2. Domain: contoso.com + + 1. Account: CONTOSO\\CM\_JD + + 2. Password: Passw0rd! + + 3. Windows Settings + + 1. User name: Contoso + + 2. Organization name: Contoso + + 3. Product key: <blank> + +5. On the **Capture Settings** page, accept the default settings, and click **Next**. + +6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. + +7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT 2013**. Then click **Next**. + +8. On the **MDT Details** page, assign the name **MDT 2013** and click **Next**. + +9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**. + +10. On the **Deployment Method** page, accept the default settings and click **Next**. + +11. On the **Client Package** page, browse and select the **OSD / Configuration Manager Client** package. Then click **Next**. + +12. On the **USMT Package** page, browse and select **the OSD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. + +13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings**. Then click **Next**. + +14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**. + +15. On the **Sysprep Package** page, click **Next** twice. + +16. 
On the **Confirmation** page, click **Finish**. + +## Edit the task sequence + + +After you create the task sequence, we recommend that you configure the task sequence for an optimal deployment experience. The configurations include enabling support for Unified Extensible Firmware Interface (UEFI), dynamic organizational unit (OU) allocation, computer replace scenarios, and more. + +1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. + +2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following: + + - OSDPreserveDriveLetter: True + + **Note**   + If you don't change this value, your Windows installation will end up in E:\\Windows. + +   + +3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values). + +4. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) + +5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. + +6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: + + 1. Name: HP EliteBook 8560w + + 2. Driver Package: Windows 10 x64 - HP EliteBook 8560w + + 3. Options: Task Sequence Variable: Model equals HP EliteBook 8560w + + **Note**   + You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' + +   + + ![figure 24](images/fig27-driverpackage.png) + + Figure 24. The driver package options. + +7. In the **State Restore / Install Applications** group, select the **Install Application** action. + +8. 
Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list. + + ![figure 25](images/fig28-addapp.png) + + Figure 25. Add an application to the Configuration Manager task sequence. + +9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings: + + 1. Restore state from another computer + + 2. If computer account fails to connect to state store, use the Network Access account + + 3. Options: Continue on error + + 4. Options / Condition: + + 1. Task Sequence Variable + + 2. USMTLOCAL not equals True + +10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings: + + 1. Options: Continue on error + + 2. Options / Condition: + + 1. Task Sequence Variable + + 2. USMTLOCAL not equals True + +11. Click **OK**. + +**Note**   +The Request State Store and Release State Store actions need to be added for common computer replace scenarios. + +  + +## Move the packages + + +While creating the task sequence with the MDT wizard, a few operating system deployment packages were created. To move these packages to the OSD folder, take the following steps. + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. + +2. Select the **MDT 2013** and **Windows 10 x64 Settings** packages, right-click and select **Move**. + +3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md new file mode 100644 index 0000000000..61dd970142 --- /dev/null +++ b/windows/deploy/create-a-windows-10-reference-image.md 
@@ -0,0 +1,862 @@ +--- +title: Create a Windows 10 reference image (Windows 10) +description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. +ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa +keywords: ["deploy, deployment, configure, customize, install, installation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Create a Windows 10 reference image + + +**Applies to** + +- Windows 10 + +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. + +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. + +**Note**   +For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +  + +![figure 1](images/mdt-08-fig01.png) + +Figure 1. The machines used in this topic. + +## The reference image + + +The reference image described in this documentation is designed primarily for deployment to physical machines. 
However, the reference image is created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: + +- You reduce development time and can use snapshots to test different configurations quickly. + +- You rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. + +- It ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. + +- It's easy to move between lab, test, and production. + +## Set up the MDT build lab deployment share + + +With Windows 10, there is no hard requirement to create reference images; however, to reduce the time needed for deployment, you may want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. + +### Create the MDT build lab deployment share + +- On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. + +- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. + +- Use the following settings for the New Deployment Share Wizard: + +- Deployment share path: E:\\MDTBuildLab + +- Share name: MDTBuildLab$ + +- Deployment share description: MDT Build Lab + +- <default> + +- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. + +![figure 2](images/mdt-08-fig02.png) + +Figure 2. 
The Deployment Workbench with the MDT Build Lab deployment share created. + +### Configure permissions for the deployment share + +In order to write the reference image back to the deployment share, you need to assign Modify permissions to the MDT Build Account (MDT\_BA) for the **Captures** subfolder in the **E:\\MDTBuildLab** folder + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt: + + ``` syntax + icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)' + ``` + +![figure 3](images/mdt-08-fig03.png) + +Figure 3. Permissions configured for the MDT\_BA user. + +## Add the setup files + + +This section will show you how to populate the MDT 2013 Update 2 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. + +### Add the Windows 10 installation files + +MDT 2013 supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. + +**Note**   +Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. + +  + +### Add Windows 10 Enterprise x64 (full source) + +In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the **E:\\Downloads\\Windows 10 Enterprise x64** folder. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. + +3. 
Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. + +4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + +5. Full set of source files + +6. Source directory: E:\\Downloads\\Windows 10 Enterprise x64 + +7. Destination directory name: W10EX64RTM + +8. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** + +![figure 4](images/figure4-deployment-workbench.png) + +Figure 4. The imported Windows 10 operating system after renaming it. + +## Add applications + + +Before you create an MDT task sequence, you need to add all of the applications and other sample scripts to the MDT Build Lab share. + +The steps in this section use a strict naming standard for your MDT applications. You add the "Install - " prefix for typical application installations that run a setup installer of some kind, and you use the "Configure - " prefix when an application configures a setting in the operating system. You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. + +By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. 
In this topic's step-by-step sections, you will add the following applications: + +- Install - Microsoft Office 2013 Pro Plus - x86 + +- Install - Microsoft Silverlight 5.0 - x64 + +- Install - Microsoft Visual C++ 2005 SP1 - x86 + +- Install - Microsoft Visual C++ 2005 SP1 - x64 + +- Install - Microsoft Visual C++ 2008 SP1 - x86 + +- Install - Microsoft Visual C++ 2008 SP1 - x64 + +- Install - Microsoft Visual C++ 2010 SP1 - x86 + +- Install - Microsoft Visual C++ 2010 SP1 - x64 + +- Install - Microsoft Visual C++ 2012 Update 4 - x86 + +- Install - Microsoft Visual C++ 2012 Update 4 - x64 + +In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell. + +**Note**   +All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](http://go.microsoft.com/fwlink/p/?LinkId=619523). + +  + +### Create the install: Microsoft Office Professional Plus 2013 x86 + +You can customize Office 2013. In the volume license versions of Office 2013, there is an Office Customization Tool you can use to customize the Office installation. In these steps we assume you have copied the Office 2013 installation files to the E:\\Downloads\\Office2013 folder. + +### Add the Microsoft Office Professional Plus 2013 x86 installation files + +After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT 2013 detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this. + +You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings. + +1. 
Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**. + +2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box. + + ![figure 5](images/mdt-08-fig05.png) + + Figure 5. The Install - Microsoft Office 2013 Pro Plus - x86 application properties. + + **Note**   + If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft. + +   + +3. In the Office Customization Tool dialog box, select the Create a new Setup customization file for the following product option, select the Microsoft Office Professional Plus 2013 (32-bit) product, and click OK. + +4. Use the following settings to configure the Office 2013 setup to be fully unattended: + + 1. Install location and organization name + + - Organization name: Contoso + + 2. Licensing and user interface + + 1. Select Use KMS client key + + 2. Select I accept the terms in the License Agreement. + + 3. Select Display level: None + + ![figure 6](images/mdt-08-fig06.png) + + Figure 6. The licensing and user interface screen in the Microsoft Office Customization Tool + + 3. Modify Setup properties + + - Add the **SETUP\_REBOOT** property and set the value to **Never**. + + 4. Modify user settings + + - In the **Microsoft Office 2013** node, expand **Privacy**, select **Trust Center**, and enable the Disable Opt-in Wizard on first run setting. + +5. From the **File** menu, select **Save**, and save the configuration as 0\_Office2013ProPlusx86.msp in the **E:\\MDTBuildLab\\Applications\\Install - Microsoft Office 2013 Pro Plus - x86\\Updates** folder. 
+ + **Note**   + The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates. + +   + +6. Close the Office Customization Tool, click Yes in the dialog box, and in the **Install - Microsoft Office 2013 Pro Plus - x86 Properties** window, click **OK**. + +### Connect to the deployment share using Windows PowerShell + +If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive). + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: + + ``` syntax + Import-Topic "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" + + New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab" + ``` + +### Create the install: Microsoft Visual C++ 2005 SP1 x86 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. 
Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86" + $CommandLine = "vcredist_x86.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x86" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2005 SP1 x64 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64" + $CommandLine = "vcredist_x64.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2005SP1x64" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2008 SP1 x86 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. 
Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86" + $CommandLine = "vcredist_x86.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x86" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2008 SP1 x64 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64" + $CommandLine = "vcredist_x64.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2008SP1x64" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2010 SP1 x86 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. 
Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86" + $CommandLine = "vcredist_x86.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x86" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2010 SP1 x64 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64" + $CommandLine = "vcredist_x64.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2010SP1x64" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2012 Update 4 x86 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. 
Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86" + $CommandLine = "vcredist_x86.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2012Ux86" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +### Create the install: Microsoft Visual C++ 2012 Update 4 x64 + +In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64. + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Create the application by running the following commands in an elevated PowerShell prompt: + + ``` syntax + $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64" + $CommandLine = "vcredist_x64.exe /Q" + $ApplicationSourcePath = "E:\Downloads\VC++2012Ux64" + Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName + -Verbose + ``` + +## Create the reference image task sequence + + +In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. 
+ +After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. + +### Drivers and the reference image + +Because we use modern virtual platforms for creating our reference images, we don’t need to worry about drivers when creating reference images for Windows 10. We use Hyper-V in our environment, and Windows Preinstallation Environment (Windows PE) already has all the needed drivers built-in for Hyper-V. + +### Create a task sequence for Windows 10 Enterprise + +To create a Windows 10 reference image task sequence, the process is as follows: + +1. Using the Deployment Workbench in the MDT Build Lab deployment share, right-click **Task Sequences**, and create a new folder named **Windows 10**. + +2. Expand the **Task Sequences** node, right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + + 1. Task sequence ID: REFW10X64-001 + + 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image + + 3. Task sequence comments: Reference Build + + 4. Template: Standard Client Task Sequence + + 5. Select OS: Windows 10 Enterprise x64 RTM Default Image + + 6. Specify Product Key: Do not specify a product key at this time + + 7. Full Name: Contoso + + 8. Organization: Contoso + + 9. Internet Explorer home page: http://www.contoso.com + + 10. 
Admin Password: Do not specify an Administrator Password at this time + +### Edit the Windows 10 task sequence + +The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office 2013. + +1. In the Task Sequences / Windows 10 folder, right-click the Windows 10 Enterprise x64 RTM Default Image task sequence, and select Properties. + +2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: + + 1. State Restore. Enable the Windows Update (Pre-Application Installation) action. + + **Note**   + Enable an action by going to the Options tab and clearing the Disable this step check box. + +   + + 2. State Restore. Enable the Windows Update (Post-Application Installation) action. + + 3. State Restore. Enable the Windows Update (Post-Application Installation) action. State Restore. After the **Tattoo** action, add a new **Group** action with the following setting: + + - Name: Custom Tasks (Pre-Windows Update) + + 4. State Restore. After Windows Update (Post-Application Installation) action, rename Custom Tasks to Custom Tasks (Post-Windows Update). + + **Note**   + The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. + +   + + 5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings: + + 1. Name: Install - Microsoft NET Framework 3.5.1 + + 2. Select the operating system for which roles are to be installed: Windows 8.1 + + 3. 
Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) + + **Important**   + This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + +   + + ![figure 7](images/fig8-cust-tasks.png) + + Figure 7. The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. + + 6. State Restore - Custom Tasks (Pre-Windows Update). After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action with the following settings: + + 1. Name: Install - Microsoft Visual C++ 2005 SP1 - x86 + + 2. Install a Single Application: Install - Microsoft Visual C++ 2005 SP1 - x86-x64 + + 7. Repeat the previous step (add a new **Install Application**) to add the following applications: + + 1. Install - Microsoft Visual C++ 2005 SP1 - x64 + + 2. Install - Microsoft Visual C++ 2008 SP1 - x86 + + 3. Install - Microsoft Visual C++ 2008 SP1 - x64 + + 4. Install - Microsoft Visual C++ 2010 SP1 - x86 + + 5. Install - Microsoft Visual C++ 2010 SP1 - x64 + + 6. Install - Microsoft Visual C++ 2012 Update 4 - x86 + + 7. Install - Microsoft Visual C++ 2012 Update 4 - x64 + + 8. Install - Microsoft Office 2013 Pro Plus - x86 + + 8. After the Install - Microsoft Office 2013 Pro Plus - x86 action, add a new Restart computer action. + +3. Click **OK**. + +### Optional configuration: Add a suspend action + +The goal when creating a reference image is of course to automate everything. 
But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. + +![figure 8](images/fig8-suspend.png) + +Figure 8. A task sequence with optional Suspend action (LTISuspend.wsf) added. + +![figure 9](images/fig9-resumetaskseq.png) + +Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut. + +### Edit the Unattend.xml file for Windows 10 Enterprise + +When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK). + +**Note**   +You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the Install Roles and Features action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. 
+ +  + +Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: + +1. Using the Deployment Workbench, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. + +2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. + +3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. + +4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: + + - DisableDevTools: true + +5. Save the Unattend.xml file, and close Windows SIM. + +6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. + +![figure 10](images/fig10-unattend.png) + +Figure 10. Windows System Image Manager with the Windows 10 Unattend.xml. + +## Configure the MDT deployment share rules + + +Understanding rules is critical to successfully using MDT. Rules are configured using the Rules tab of the deployment share's properties. The Rules tab is essentially a shortcut to edit the CustomSettings.ini file that exists in the E:\\MDTBuildLab\\Control folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment. + +### MDT deployment share rules overview + +In MDT, there are always two rule files: the CustomSettings.ini file and the Bootstrap.ini file. You can add almost any rule to either; however, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. + +For that reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. 
Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. By taking the following steps, you will configure the rules for the MDT Build Lab deployment share: + +1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Properties**. + +2. Select the **Rules** tab and modify using the following information: + + ``` syntax + [Settings] + Priority=Default + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=P@ssw0rd + TimeZoneName=Pacific Standard Time + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + WSUSServer=http://mdt01.contoso.com:8530 + ApplyGPOPack=NO + SLSHARE=\\MDT01\Logs$ + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=YES + ``` + + ![figure 11](images/mdt-08-fig14.png) + + Figure 11. The server-side rules for the MDT Build Lab deployment share. + +3. Click **Edit Bootstrap.ini** and modify using the following information: + + ``` syntax + Settings] + Priority=Default + [Default] + DeployRoot=\\MDT01\MDTBuildLab$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=P@ssw0rd + SkipBDDWelcome=YES + ``` + + ![figure 12](images/mdt-08-fig15.png) + + Figure 12. The boot image rules for the MDT Build Lab deployment share. + + **Note**   + For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. + +   + +4. In the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. + +5. 
In the **Lite Touch Boot Image Settings** area, configure the following settings: + + 1. Image description: MDT Build Lab x86 + + 2. ISO file name: MDT Build Lab x86.iso + +6. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + +7. In the **Lite Touch Boot Image Settings** area, configure the following settings: + + 1. Image description: MDT Build Lab x64 + + 2. ISO file name: MDT Build Lab x64.iso + +8. Click **OK**. + +**Note**   +In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). + +  + +### Update the deployment share + +After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created. + +1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. + +**Note**   +The update process will take 5 to 10 minutes. + +  + +### The rules explained + +Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. + +The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide just enough information for MDT to find the CustomSettings.ini. + +The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). + +**Note**   +The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. 
+ +  + +### The Bootstrap.ini file + +The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the E:\\MDTBuildLab\\Control folder on MDT01. + +``` syntax +[Settings] +Priority=Default + +[Default] +DeployRoot=\\MDT01\MDTBuildLab$ +UserDomain=CONTOSO +UserID=MDT_BA +UserPassword=P@ssw0rd + +SkipBDDWelcome=YES +``` + +So, what are these settings? + +- **Priority.** This determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. + +- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. + +- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you. + + **Note**   + Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. + +   + +- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. + +**Note**   +All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. + +  + +### The CustomSettings.ini file + +The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration. 
+ +``` syntax +[Settings] +Priority=Default +[Default] +_SMSTSORGNAME=Contoso +UserDataLocation=NONE +DoCapture=YES +OSInstall=Y +AdminPassword=P@ssw0rd +TimeZoneName=Pacific Standard Time +JoinWorkgroup=WORKGROUP +HideShell=YES +FinishAction=SHUTDOWN +DoNotCreateExtraPartition=YES +WSUSServer=http://mdt01.contoso.com:8530 +ApplyGPOPack=NO +SLSHARE=\\MDT01\Logs$ +SkipAdminPassword=YES +SkipProductKey=YES +SkipComputerName=YES +SkipDomainMembership=YES +SkipUserData=YES +SkipLocaleSelection=YES +SkipTaskSequence=NO +SkipTimeZone=YES +SkipApplications=YES +SkipBitLocker=YES +SkipSummary=YES +SkipRoles=YES +SkipCapture=NO +SkipFinalSummary=YES +``` + +- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. + +- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. + +- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. + +- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. + +- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. + +- **AdminPassword.** Sets the local Administrator account password. + +- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). + + **Note**   + The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. 
You can also run tzutil /l to get a listing of all available time zone names. + +   + +- **JoinWorkgroup.** Configures Windows to join a workgroup. + +- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles. + +- **FinishAction.** Instructs MDT what to do when the task sequence is complete. + +- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. + +- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. + +- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. + +- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). + +- **SkipAdminPassword.** Skips the pane that asks for the Administrator password. + +- **SkipProductKey.** Skips the pane that asks for the product key. + +- **SkipComputerName.** Skips the Computer Name pane. + +- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. + +- **SkipUserData.** Skips the pane for user state migration. + +- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings. + +- **SkipTimeZone.** Skips the pane for setting the time zone. + +- **SkipApplications.** Skips the Applications pane. + +- **SkipBitLocker.** Skips the BitLocker pane. 
+ +- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane. + +- **SkipRoles.** Skips the Install Roles and Features pane. + +- **SkipCapture.** Skips the Capture pane. + +- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down. + +## Build the Windows 10 reference image + + +Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. + +This steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then execute the reference image task sequence image to create and capture the Windows 10 reference image. + +1. Copy the E:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on the Hyper-V host. + + **Note**   + Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. + +   + +2. Create a virtual machine with the following settings: + + 1. Name: REFW10X64-001 + + 2. Location: C:\\VMs + + 3. Memory: 1024 MB + + 4. Network: External (The network that is connected to the same infrastructure as MDT01 is) + + 5. Hard disk: 60 GB (dynamic disk) + + 6. Image file: C:\\ISO\\MDT Build Lab x86.iso + +3. Take a snapshot of the REFW10X64-001 virtual machine, and name it **Clean with MDT Build Lab x86 ISO**. + + **Note**   + Taking a snapshot is useful if you need to restart the process and want to make sure you can start clean. + +   + +4. Start the REFW10X64-001 virtual machine. After booting into Windows PE, complete the Windows Deployment Wizard using the following settings: + + 1. 
Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image + + 2. Specify whether to capture an image: Capture an image of this reference computer + + - Location: \\\\MDT01\\MDTBuildLab$\\Captures + + 3. File name: REFW10X64-001.wim + + ![figure 13](images/fig13-captureimage.png) + + Figure 13. The Windows Deployment Wizard for the Windows 10 reference image. + +5. The setup now starts and does the following: + + 1. Installs the Windows 10 Enterprise operating system. + + 2. Installs the added applications, roles, and features. + + 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. + + 4. Stages Windows PE on the local disk. + + 5. Runs System Preparation (Sysprep) and reboots into Windows PE. + + 6. Captures the installation to a Windows Imaging (WIM) file. + + 7. Turns off the virtual machine. + +After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the E:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. + +## Related topics + + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-2013-settings.md) + +  + +  + + + + + 
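Review bot: In create-a-windows-10-reference-image.md, the Bootstrap.ini sample under step 3 of "Configure the MDT deployment share rules" opens with `Settings]` instead of `[Settings]`; a reader who pastes it gets a malformed INI, and the later "The Bootstrap.ini file" section shows the correct `[Settings]` header, so the two samples should match. Two wording fixes in the same hunk: "This is the process when the Windows Windows PE boot images are created" duplicates "Windows", and "This steps below outline the process" should read "The steps below outline the process". The bullet "SkipDomainMemberShip" also does not match the `SkipDomainMembership` spelling used in the rules sample. On the credential handling: the Bootstrap.ini note already flags that UserPassword is stored in clear text in the boot image, but the AdminPassword bullet under "The CustomSettings.ini file" carries no such caveat even though `AdminPassword=P@ssw0rd` is equally visible in CustomSettings.ini on the share; one sentence there telling readers to treat that file as sensitive and to replace the sample value would close the gap.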
diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md new file mode 100644 index 0000000000..d0edd50de2 --- /dev/null +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md 
@@ -0,0 +1,102 @@ +--- +title: Create an application to deploy with Windows 10 using Configuration Manager (Windows 10) +description: Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. +ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c +keywords: ["deployment, task sequence, custom, customize"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Create an application to deploy with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 + +Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use. + +For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +**Note**   +Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications. + +  + +## Example: Create the Adobe Reader XI application + + +The steps below show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01. + +1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder. + +2. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**. + +3. 
Right-click **Applications** and select **Folder / Create Folder**. Assign the name **OSD**. + +4. Right-click the **OSD** folder, and select **Create Application**. + +5. In the Create Application Wizard, on the **General** page, use the following settings: + + 1. Automatically detect information about this application from installation files + + 2. Type: Windows Installer (\*.msi file) + + 3. Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI + + 4. \\AdbeRdr11000\_en\_US.msi + + ![figure 19](images/mdt-06-fig20.png) + + Figure 19. The Create Application Wizard. + +6. Click **Next**, and wait while Configuration Manager parses the MSI file. + +7. On the **Import Information** page, review the information and then click **Next**. + +8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**. + + **Note**   + Since it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. + +   + + ![figure 20](images/mdt-06-fig21.png) + + Figure 20. Add the "OSD Install" suffix to the application name. + +9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar. + +10. In the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md new file mode 100644 index 0000000000..9ae073428b --- /dev/null +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md 
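Review bot: In create-an-application-to-deploy-with-windows-10-using-configuration-manager.md, the MSI path in the Create Application Wizard steps is split across two list items: item 3 reads "Location: \\CM01\Sources$\Software\Adobe\Adobe Reader XI" and item 4 is a bare "\AdbeRdr11000_en_US.msi", which reads as a separate setting rather than the remainder of the Location value. Merge them into a single item, "Location: \\CM01\Sources$\Software\Adobe\Adobe Reader XI\AdbeRdr11000_en_US.msi", so the path is unambiguous. Minor: "select **Folder / Create Folder**" would be clearer as the menu path it describes, e.g. "select **Folder**, then **Create Folder**".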
@@ -0,0 +1,917 @@ +--- +title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) +description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c +keywords: ["deployment, automate, tools, configure"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Deploy a Windows 10 image using MDT 2013 Update 2 + + +**Applies to** + +- Windows 10 + +This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. + +For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. + +**Note**   +For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +  + +![figure 1](images/mdt-07-fig01.png) + +Figure 1. The machines used in this topic. 
+ +## Step 1: Configure Active Directory permissions + + +These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](http://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. + +1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. + +2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings: + + 1. Name: MDT\_JD + + 2. User logon name: MDT\_JD + + 3. Password: P@ssw0rd + + 4. User must change password at next logon: Clear + + 5. User cannot change password: Select + + 6. Password never expires: Select + +3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command: + + ``` syntax + Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force + Set-Location C:\Setup\Scripts + .\Set-OUPermissions.ps1 -Account MDT_JD + -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" + ``` + +4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted: + + 1. Scope: This object and all descendant objects + + 1. Create Computer objects + + 2. Delete Computer objects + + 2. Scope: Descendant Computer objects + + 1. Read All Properties + + 2. Write All Properties + + 3. Read Permissions + + 4. Modify Permissions + + 5. Change Password + + 6. Reset Password + + 7. Validated write to DNS host name + + 8. 
Validated write to service principal name + +## Step 2: Set up the MDT production deployment share + + +When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +### Create the MDT production deployment share + +The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: + +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd.** + +2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. + +3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**. + +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. + +5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. + +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. + +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Step 3: Add a custom image + + +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. 
+ +### Add the Windows 10 Enterprise x64 RTM custom image + +In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01. + +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. + +2. Right-click the **Windows 10** folder and select **Import Operating System**. + +3. On the **OS Type** page, select **Custom image file** and click **Next**. + +4. On the **Image** page, in the **Source file** text box, browse to **E:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. + +5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **E:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. + +6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. + +7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to match the following: **Windows 10 Enterprise x64 RTM Custom Image**. + +**Note**   +The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. + +  + +![figure 2](images/fig2-importedos.png) + +Figure 2. The imported operating system after renaming it. 
+ +## Step 4: Add an application + + +When you configure your MDT Build Lab deployment share, you will also add any applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example. + +### Create the install: Adobe Reader XI x86 + +In this example, we assume that you have downloaded the Adobe Reader XI installation file (AdbeRdr11000\_eu\_ES.msi) to E:\\Setup\\Adobe Reader on MDT01. + +1. Using the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. + +2. Right-click the **Applications** node, and create a new folder named **Adobe**. + +3. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. + +4. On the **Application Type** page, select the **Application with source files** option and click **Next**. + +5. On the **Details** page, in the **Application** name text box, type **Install - Adobe Reader XI - x86** and click **Next**. + +6. On the **Source** page, in the **Source Directory** text box, browse to **E:\\Setup\\Adobe Reader XI** and click **Next**. + +7. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader XI - x86** and click **Next**. + +8. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AdbeRdr11000\_eu\_ES.msi /q**, click **Next** twice, and then click **Finish**. + +![figure 3](images/mdt-07-fig03.png) + +Figure 3. The Adobe Reader application added to the Deployment Workbench. + +## Step 5: Prepare the drivers repository + + +In order to deploy Windows 10 with MDT 2013 Update 2 successfully, you need drivers for the boot images and for the actual operating system. 
This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: + +- Lenovo ThinkPad T420 + +- Dell Latitude E6440 + +- HP EliteBook 8560w + +- Microsoft Surface Pro + +For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. + +**Note**   +You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. + +  + +### Create the driver source structure in the file system + +The key to successful management of drivers for MDT 2013 Update 2, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. + +1. On MDT01, using File Explorer, create the **E:\\Drivers** folder. + +2. In the **E:\\Drivers** folder, create the following folder structure: + + 1. WinPE x86 + + 2. WinPE x64 + + 3. Windows 10 x64 + +3. In the new Windows 10 x64 folder, create the following folder structure: + + - Dell + + - Latitude E6440 + + - HP + + - HP EliteBook 8560w + + - Lenovo + + - ThinkPad T420 (4178) + + - Microsoft Corporation + + - Surface Pro 3 + +**Note**   +Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. + +  + +### Create the logical driver structure in MDT 2013 Update 2 + +When you import drivers to the MDT 2013 Update 2 driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. + +1. 
On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. + +2. In the **Out-Of-Box Drivers** node, create the following folder structure: + + 1. WinPE x86 + + 2. WinPE x64 + + 3. Windows 10 x64 + +3. In the **Windows 10 x64** folder, create the following folder structure: + + - Dell Inc. + + - Latitude E6440 + + - Hewlett-Packard + + - HP EliteBook 8560w + + - Lenovo + + - 4178 + + - Microsoft Corporation + + - Surface Pro 3 + +The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell: + +``` syntax +Get-WmiObject -Class:Win32_ComputerSystem +``` + +Or, you can use this command in a normal command prompt: + +``` syntax +wmic csproduct get name +``` + +If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](http://go.microsoft.com/fwlink/p/?LinkId=619536). + +![figure 4](images/fig4-oob-drivers.png) + +Figure 4. The Out-of-Box Drivers structure in Deployment Workbench. + +### Create the selection profiles for boot image drivers + +By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. + +The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. + +1. 
On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. + +2. In the New Selection Profile Wizard, create a selection profile with the following settings: + + 1. Selection Profile name: WinPE x86 + + 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. + +3. Again, right-click the **Selection Profiles** node, and select **New Selection Profile**. + +4. In the New Selection Profile Wizard, create a selection profile with the following settings: + + 1. Selection Profile name: WinPE x64 + + 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. + +![figure 5](images/fig5-selectprofile.png) + +Figure 5. Creating the WinPE x64 selection profile. + +### Extract and import drivers for the x64 boot image + +Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. + +In these steps, we assume you have downloaded PROWinx64.exe from Intel.com and saved it to a temporary folder. + +1. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. + +2. Using File Explorer, create the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + +3. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + +4. Using Deployment Workbench, expand the **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**. 
Use the following setting for the Import Drivers Wizard: + + - Driver source directory: **E:\\Drivers\\WinPE x64\\Intel PRO1000** + +### Download, extract, and import drivers + +### For the ThinkPad T420 + +For the Lenovo T420 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo T420 model has the 4178B9G model name, meaning the Machine Type is 4178. + +To get the updates, you download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can download the drivers from the [Lenovo website](http://go.microsoft.com/fwlink/p/?LinkId=619543). + +In these steps, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever v5.0 to the E:\\Drivers\\Lenovo\\ThinkPad T420 (4178) folder. + +1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Lenovo** node. + +2. Right-click the **4178** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: + + - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkPad T420 (4178)** + +### For the Latitude E6440 + +For the Dell Latitude E6440 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](http://go.microsoft.com/fwlink/p/?LinkId=619544). + +In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E6440 model to the E:\\Drivers\\Dell\\Latitude E6440 folder. + +1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Dell** node. + +2. 
Right-click the **Latitude E6440** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: + + - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Dell\\Latitude E6440** + +### For the HP EliteBook 8560w + +For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](http://go.microsoft.com/fwlink/p/?LinkId=619545). + +In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w folder. + +1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Hewlett-Packard** node. + +2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: + + - Driver source directory: **E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w** + +### For the Microsoft Surface Pro 3 + +For the Microsoft Surface Pro model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Pro 3 drivers to the E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3 folder. + +1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Microsoft** node. + +2. Right-click the **Surface Pro 3** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard: + + - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3** + +## Step 6: Create the deployment task sequence + + +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the tasks sequence to enable patching via a Windows Server Update Services (WSUS) server. 
+ +### Create a task sequence for Windows 10 Enterprise + +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. + +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + + 1. Task sequence ID: W10-X64-001 + + 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image + + 3. Task sequence comments: Production Image + + 4. Template: Standard Client Task Sequence + + 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image + + 6. Specify Product Key: Do not specify a product key at this time + + 7. Full Name: Contoso + + 8. Organization: Contoso + + 9. Internet Explorer home page: about:blank + + 10. Admin Password: Do not specify an Administrator Password at this time + +### Edit the Windows 10 task sequence + +1. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. + +2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: + + 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: + + 1. Name: Set DriverGroup001 + + 2. Task Sequence Variable: DriverGroup001 + + 3. Value: Windows 10 x64\\%Make%\\%Model% + + 2. Configure the **Inject Drivers** action with the following settings: + + 1. Choose a selection profile: Nothing + + 2. Install all drivers from the selection profile + + **Note**   + The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + +   + + 3. State Restore. 
Enable the **Windows Update (Pre-Application Installation)** action. + + 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. + +3. Click **OK**. + +![figure 6](images/fig6-taskseq.png) + +Figure 6. The task sequence for production deployment. + +## Step 7: Configure the MDT production deployment share + + +In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. + +### Configure the rules + +1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files. + + 1. Bootstrap.ini + + 2. CustomSettings.ini + +2. Right-click the **MDT Production** deployment share and select **Properties**. + +3. Select the **Rules** tab and modify using the following information: + + ``` syntax + [Settings] + Priority=Default + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=P@ssw0rd + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=P@ssw0rd + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + WSUSServer=mdt01.contoso.com:8530 + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + ``` + +4. 
Click **Edit Bootstrap.ini** and modify using the following information: + + ``` syntax + [Settings] + Priority=Default + [Default] + DeployRoot=\\MDT01\MDTProduction$ + UserDomain=CONTOSO + UserID=MDT_BA + SkipBDDWelcome=YES + ``` + +5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. + +6. In the **General** sub tab, configure the following settings: + + - In the **Lite Touch Boot Image Settings** area: + + 1. Image description: MDT Production x86 + + 2. ISO file name: MDT Production x86.iso + + **Note**   + Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + +   + +7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. + +8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + +9. In the **General** sub tab, configure the following settings: + + - In the **Lite Touch Boot Image Settings** area: + + 1. Image description: MDT Production x64 + + 2. ISO file name: MDT Production x64.iso + +10. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + +11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. + +12. Click **OK**. + +**Note**   +It will take a while for the Deployment Workbench to create the monitoring database and web service. + +  + +![figure 8](images/mdt-07-fig08.png) + +Figure 7. The Windows PE tab for the x64 boot image. + +### The rules explained + +The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. 
The biggest differences are that you deploy the machines into a domain instead of a workgroup and that you do not automate the logon. + +### The Bootstrap.ini file + +This is the MDT Production Bootstrap.ini without the user credentials (except domain information): + +``` syntax +[Settings] +Priority=Default +[Default] +DeployRoot=\\MDT01\MDTProduction$ + +UserDomain=CONTOSO +UserID=MDT_BA + +SkipBDDWelcome=YES +``` + +### The CustomSettings.ini file + +This is the CustomSettings.ini file with the new join domain information: + +``` syntax +[Settings] +Priority=Default +[Default] +_SMSTSORGNAME=Contoso +OSInstall=Y +UserDataLocation=AUTO +TimeZoneName=Pacific Standard Time +AdminPassword=P@ssw0rd +JoinDomain=contoso.com +DomainAdmin=CONTOSO\MDT_JD +DomainAdminPassword=P@ssw0rd +MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com +SLShare=\\MDT01\Logs$ +ScanStateArgs=/ue:*\* /ui:CONTOSO\* +USMTMigFiles001=MigApp.xml +USMTMigFiles002=MigUser.xml +HideShell=YES +ApplyGPOPack=NO +WSUSServer=http://mdt01.contoso.com:8530 +SkipAppsOnUpgrade=NO +SkipAdminPassword=YES +SkipProductKey=YES +SkipComputerName=NO +SkipDomainMembership=YES +SkipUserData=YES +SkipLocaleSelection=YES +SkipTaskSequence=NO +SkipTimeZone=YES +SkipApplications=NO +SkipBitLocker=YES +SkipSummary=YES +SkipCapture=YES +SkipFinalSummary=NO +EventService=http://MDT01:9800 +``` + +The additional properties to use in the MDT Production rules file are as follows: + +- **JoinDomain.** The domain to join. + +- **DomainAdmin.** The account to use when joining the machine to the domain. + +- **DomainAdminDomain.** The domain for the join domain account. + +- **DomainAdminPassword.** The password for the join domain account. + +- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. + +- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. 
+ +- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). + +- **EventService.** Activates logging information to the MDT monitoring web service. + +### Optional deployment share configuration + +If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. + +### Add DaRT 10 to the boot images + +If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 2, you need to do the following: + +- Install DaRT 10 (part of MDOP 2015 R1). + +- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share. + +- Configure the deployment share to add DaRT. + +In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01. + +1. On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings. + +2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. + +3. Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**. + +4. Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**. + +5. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. + +6. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. + +7. In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + + ![figure 8](images/mdt-07-fig09.png) + + Figure 8. 
Selecting the DaRT 10 feature in the deployment share. + +8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + +9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + +10. Click **OK**. + +### Update the deployment share + +Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. + +1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. + +2. Use the default options for the Update Deployment Share Wizard. + +**Note**   +The update process will take 5 to 10 minutes. + +  + +## Step 8: Deploy the Windows 10 client image + + +These steps will walk you throug the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. + +### Configure Windows Deployment Services + +You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. For the following steps, we assume that Windows Deployment Services has already been installed on MDT01. + +1. Using the WDS console, right-click **Boot Images** and select **Add Boot Image**. + +2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings. + +![figure 9](images/mdt-07-fig10.png) + +Figure 9. The boot image added to the WDS console. 
+ +### Deploy the Windows 10 client + +At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: + +1. Create a virtual machine with the following settings: + + 1. Name: PC0005 + + 2. Location: C:\\VMs + + 3. Generation: 2 + + 4. Memory: 2048 MB + + 5. Hard disk: 60 GB (dynamic disk) + +2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The machine will now load the Windows PE boot image from the WDS server. + + ![figure 10](images/mdt-07-fig11.png) + + Figure 10. The initial PXE boot process of PC0005. + +3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: + + 1. Password: P@ssw0rd + + 2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + + 3. Computer Name: PC0005 + + 4. Applications: Select the Install - Adobe Reader XI - x86 application. + +4. The setup now starts and does the following: + + 1. Installs the Windows 10 Enterprise operating system. + + 2. Installs the added application. + + 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. + +### Use the MDT 2013 monitoring feature + +Now that you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. + +1. On MDT01, using Deployment Workbench, expand the **MDT Production** deployment share folder. + +2. Select the **Monitoring** node, and wait until you see PC0005. + +3. Double-click PC0005, and review the information. + +![figure 11](images/mdt-07-fig13.png) + +Figure 11. 
The Monitoring node, showing the deployment progress of PC0005. + +### Use information in the Event Viewer + +When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log. + +![figure 12](images/mdt-07-fig14.png) + +Figure 12. The Event Viewer showing a successful deployment of PC0005. + +## Multicast deployments + + +Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. + +### Requirements + +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT 2013 setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. + +### Set up MDT for multicast + +Setting up MDT for multicast is straightforward. You enable multicast on the deployment share, and MDT takes care of the rest. + +1. On MDT01, right-click the **MDT Production** deployment share folder and select **Properties**. + +2. In the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and click **OK**. + +3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. + +4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. 
+ +![figure 13](images/mdt-07-fig15.png) + +Figure 13. The newly created multicast namespace. + +## Use offline media to deploy Windows 10 + + +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. + +Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. + +### Create the offline media selection profile + +To filter what is being added to the media, you create a selection profile. When creating selection profiles, you quickly realize the benefits of having created a good logical folder structure in the Deployment Workbench. + +1. On MDT01, using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click **Selection Profile**, and select **New Selection Profile**. + +2. Use the following settings for the New Selection Profile Wizard: + + 1. General Settings + + - Selection profile name: Windows 10 Offline Media + + 2. Folders + + 1. Applications / Adobe + + 2. Operating Systems / Windows 10 + + 3. Out-Of-Box Drivers / WinPE x64 + + 4. Out-Of-Box Drivers / Windows 10 x64 + + 5. Task Sequences / Windows 10 + +### Create the offline media + +In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile. + +1. On MDT01, using File Explorer, create the **E:\\MDTOfflineMedia** folder. 
+ + **Note**   + When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + +   + +2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + +3. Use the following settings for the New Media Wizard: + + - General Settings + + 1. Media path: **E:\\MDTOfflineMedia** + + 2. Selection profile: Windows 10 Offline Media + +### Configure the offline media + +Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench. + +1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\\MDTBuildLab\\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. + +2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. + +3. In the **General** tab, configure the following: + + 1. Clear the Generate x86 boot image check box. + + 2. ISO file name: Windows 10 Offline Media.iso + +4. Still in the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + +5. In the **General** sub tab, configure the following settings: + + 1. In the **Lite Touch Boot Image Settings** area: + + - Image description: MDT Production x64 + + 2. In the **Windows PE Customizations** area, set the Scratch space size to 128. + +6. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + +7. Click **OK**. 
+ +### Generate the offline media + +You have now configured the offline media deployment share however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. + +1. On MDT01, using Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. + +2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **E:\\MDTOfflineMedia\\Content** folder. + +### Create a bootable USB stick + +The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) + +Follow these steps to create a bootable USB stick from the offline media content: + +1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. + +2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. + +3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. + +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. + +5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). + +6. In the Diskpart utility, type **active**, and then type **exit**. 
+ +## Unified Extensible Firmware Interface (UEFI)-based deployments + + +As referenced in [Windows 10 deployment tools](http://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UFEI. + +![figure 14](images/mdt-07-fig16.png) + +Figure 14. The partitions when deploying an UEFI-based machine. + +## Related topics + + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-2013-settings.md) + +  + +  + + + + + diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md new file mode 100644 index 0000000000..3ee3168fb2 --- /dev/null +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md 
@@ -0,0 +1,67 @@ +--- +title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) +description: In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. +ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa +keywords: ["deployment, image, UEFI, task sequence"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Deploy Windows 10 using PXE and Configuration Manager + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. + +For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. + + ![figure 31](images/mdt-06-fig36.png) + + Figure 31. PXE booting PC0001. + +2. On the **Welcome to the Task Sequence Wizard** page, type in the password **Passw0rd!** and click **Next**. + +3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. + +4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. + +![figure 32](images/mdt-06-fig37.png) + +Figure 32. 
Typing in the computer name. + +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md new file mode 100644 index 0000000000..747ea8bb0e --- /dev/null +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
@@ -0,0 +1,105 @@ +--- +title: Deploy Windows 10 with System Center 2012 R2 Configuration Manager (Windows 10) +description: If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. +ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 +keywords: ["deployment, custom, boot"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Deploy Windows 10 with System Center 2012 R2 Configuration Manager + + +**Applies to** + +- Windows 10 + +If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. + +For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](images/mdt-06-fig01.png) + +Figure 1. The machines used in this topic. 
+ +## In this section + + +- [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) + +- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md) + +- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +## Components of Configuration Manager operating system deployment + + +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but 
there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. + +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. + +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. + +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. + +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. + +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. + +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. + +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT 2013 Update 2 Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +- **Drivers.** Like MDT 2013 Update 2 Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. 
+ +- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT 2013 Update 2 Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT 2013 Update 2 provides additional task sequence templates to Configuration Manager. + + **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. + +   + +## See also + + +- [Microsoft Deployment Toolkit downloads and resources](http://go.microsoft.com/fwlink/p/?LinkId=618117) + +- [Windows deployment tools](windows-deployment-scenarios-and-tools.md) + +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) + +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) + +- [Deploy Windows To Go in your organization](deploy-windows-to-go.md) + +- [Sideload Windows Store apps](http://technet.microsoft.com/library/dn613831.aspx) + +- [Windows ADK for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526803) + +  + +  + + + + + diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md new file mode 100644 index 0000000000..bcb0321bfd --- /dev/null +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md 
@@ -0,0 +1,130 @@ +--- +title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) +description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb +keywords: ["deploy", "tools", "configure", "script"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Deploy Windows 10 with the Microsoft Deployment Toolkit + + +**Applies to** + +- Windows 10 + +This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. + +The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. + +MDT 2013 Update 2 supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. + +To download the latest version of MDT, visit the [MDT resource page](http://go.microsoft.com/fwlink/p/?LinkId=618117). 
+ +## In this section + + +- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +- [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +- [Configure MDT settings](configure-mdt-2013-settings.md) + +## Proof-of-concept environment + + +For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002. + +![figure 1](images/mdt-01-fig01.png) + +Figure 1. The servers and machines used for examples in this guide. + +DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation. + +![figure 2](images/mdt-01-fig02.jpg) + +Figure 2. The organizational unit (OU) structure used in this guide. + +### Server details + +- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain. + + - Server name: DC01 + + - IP Address: 192.168.1.200 + + - Roles: DNS, DHCP, and Domain Controller + +- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. 
+ + - Server name: MDT01 + + - IP Address: 192.168.1.210 + +- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain. + + - Server name: CM01 + + - IP Address: 192.168.1.214 + +### Client machine details + +- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation. + + - Client name: PC0001 + + - IP Address: DHCP + +- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios. + + - Client name: PC0002 + + - IP Address: DHCP + +## Sample files + + +The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation: + +- [Gather.ps1](http://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. + +- [Set-OUPermissions.ps1](http://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. + +- [MDTSample.zip](http://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. 
+ +## Related topics + + +[Microsoft Deployment Toolkit downloads and resources](http://go.microsoft.com/fwlink/p/?LinkId=618117) + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) + +[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) + +[Deploy Windows To Go in your organization](deploy-windows-to-go.md) + +[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) + +[Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/deploy-windows-to-go.md b/windows/deploy/deploy-windows-to-go.md new file mode 100644 index 0000000000..45666c4a6c --- /dev/null +++ b/windows/deploy/deploy-windows-to-go.md 
@@ -0,0 +1,1035 @@ +--- +title: Deploy Windows To Go in your organization (Windows 10) +description: This topic helps you to deploy Windows To Go in your organization. +ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f +keywords: ["deployment, USB, device, BitLocker, workspace, security, data"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Deploy Windows To Go in your organization + + +**Applies to** + +- Windows 10 + +This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. + +**Note**   +This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](http://go.microsoft.com/fwlink/p/?linkid=230693). + +  + +## Deployment tips + + +The following is a list of items that you should be aware of before you start the deployment process: + +- Only use recommended USB drives for Windows To Go. Use of other drives is not supported. Check the list at [Windows To Go: feature overview](../plan/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. + +- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. + +- When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. 
+ +- System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](http://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=619148). + +- If you are planning on using a USB drive duplicator to duplicate Windows To Go drives, do not configure offline domain join or BitLocker on the drive. + +## Basic deployment steps + + +Unless you are using a customized operating system image, your initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The following steps are used in both small-scale and large-scale Windows To Go deployment scenarios. + +Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. 
For additional information, see [Windows Deployment Options](http://go.microsoft.com/fwlink/p/?LinkId=619149). + +**Warning**   +If you are planning to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. + +  + +### Create the Windows To Go workspace + +In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](http://go.microsoft.com/fwlink/p/?LinkId=619174) using a combination of Windows PowerShell and command-line tools. + +**Warning**   +The preferred method for creating a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. + +  + +**To create a Windows To Go workspace with the Windows To Go Creator Wizard** + +1. Sign into your Windows PC using an account with Administrator privileges. + +2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. + +3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. + + **Note**   + For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](http://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](http://go.microsoft.com/fwlink/p/?LinkId=619151). + +   + +4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 
The **Windows To Go Creator Wizard** opens. + +5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then click **Next.** + +6. On the **Choose a Windows image** page, click **Add Search Location** and then navigate to the .wim file location and click select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then click **Next**. + +7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](http://go.microsoft.com/fwlink/p/?LinkId=619152) for instructions. + + **Warning**   + If you are planning to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. + +   + + If you choose to encrypt the Windows To Go drive now: + + - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware does not support non-ASCII characters. + + - Retype the password, and then click Next. + + **Important**   + The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. 
This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](http://go.microsoft.com/fwlink/p/?LinkId=619157). + +   + +8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then click **Create** to start the Windows To Go workspace creation process. + + **Warning**   + The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. + +   + +9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. + +Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](http://go.microsoft.com/fwlink/p/?LinkId=619159) using the Windows To Go startup options and boot your Windows To Go drive. + +**Windows PowerShell equivalent commands** + +The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. + +1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. + +2. 
In the Windows PowerShell session type the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: + + ``` syntax +# The following command will set $Disk to all USB drives with >20 GB of storage + + $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } + +#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. +# +# To skip the confirmation prompt, append –confirm:$False + Clear-Disk –InputObject $Disk[0] -RemoveData + +# This command initializes a new MBR disk + Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR + +# This command creates a 350 MB system partition + $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive + +# This formats the volume with a FAT32 Filesystem +# To skip the confirmation dialog, append –Confirm:$False + Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` + -Partition $SystemPartition + +# This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. + $OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize + Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` + -Partition $OSPartition + +# This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. 
+ Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" + Set-Partition -InputObject $OSPartition -NewDriveLetter "W" + +# This command sets the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. + Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE + ``` + +3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](http://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): + + **Tip**   + The index number must be set correctly to a valid Enterprise image in the .WIM file. + +   + + ``` syntax +#The WIM file must contain a sysprep generalized image. + dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + ``` + +4. Now use the [bcdboot](http://go.microsoft.com/fwlink/p/?LinkId=619163) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: + + ``` syntax + W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: + ``` + +5. Apply SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: + + ``` syntax + + + + + 4 + + + 4 + + + + ``` + +6. 
Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: + + ``` syntax + Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml + ``` + +7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: + + ``` syntax + + + + + true + + + true + + + + ``` + + Once the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\) + + **Important**   + Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. + + If you do not wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. + +   + +Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](http://go.microsoft.com/fwlink/p/?LinkId=619165) using the Windows To Go startup options to test your workspace configuration, [configure the workspace for offline domain join](http://go.microsoft.com/fwlink/p/?LinkId=619166), or [enable BitLocker protection for your Windows To Go drive](http://go.microsoft.com/fwlink/p/?LinkId=619167). 
+ +### To prepare a host computer + +Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it is attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. + +**Tip**   +If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](http://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. + +  + +If you want to use the Windows To Go workspace, simply shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. + +To set the Windows To Go Startup options for host computers running Windows 10: + +1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**. + +2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB + +For host computers running Windows 8 or Windows 8.1: + +1. Press **Windows logo key+W**, search for **Windows To Go startup options**, and then press **Enter**. +2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. 
+ +You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting: + +**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options** + +After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it is started. Users will not be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected will not occur unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options. + +Your host computer is now ready to boot directly into Windows To Go workspace when it is inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](http://go.microsoft.com/fwlink/p/?LinkId=619169) and [Enable BitLocker protection for your Windows To Go drive](http://go.microsoft.com/fwlink/p/?LinkId=619152). + +### Booting your Windows To Go workspace + +After you have configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace: + +**To boot your workspace** + +1. Make sure that the host PC is not in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. + +2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Do not use a USB hub or extender. + +3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you will be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace. 
+ +## Advanced deployment steps + + +The following steps are used for more advanced deployments where you want to have further control over the configuration of the Windows To Go drives, ensure that they are correctly configured for remote access to your organizational resources, and have been protected with BitLocker Drive Encryption. + +### Configure Windows To Go workspace for remote access + +Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer which is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that do not have physical access to your corporate network. + +**Prerequisites for remote access scenario** + +- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer + +- A Windows To Go drive that hasn’t been booted or joined to the domain using unattend settings. + +- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer + +- [DirectAccess](http://go.microsoft.com/fwlink/p/?LinkId=619170) configured on the domain + +**To configure your Windows To Go workspace for remote access** + +1. 
Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: + + ``` syntax + djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse + ``` + + **Note**   + The /certtemplate parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](http://go.microsoft.com/fwlink/p/?LinkId=619171). + +   + +2. Insert the Windows To Go drive. + +3. Launch an elevated Windows PowerShell prompt by right-clicking the Windows PowerShell shortcut in the taskbar, and then clicking **Run as Administrator**. + +4. From the Windows PowerShell command prompt run: + + ``` syntax +# The following command will set $Disk to all USB drives with >20 GB of storage + + $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } + +#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. 
+# +# To skip the confirmation prompt, append –confirm:$False + Clear-Disk –InputObject $Disk[0] -RemoveData + +# This command initializes a new MBR disk + Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR + +# This command creates a 350 MB system partition + $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive + +# This formats the volume with a FAT32 Filesystem +# To skip the confirmation dialog, append –Confirm:$False + Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` + -Partition $SystemPartition + +# This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. + $OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize + Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` + -Partition $OSPartition + +# This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. + Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" + Set-Partition -InputObject $OSPartition -NewDriveLetter "W" + +# This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. + Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE + ``` + +5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](http://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): + + **Tip**   + The index number must be set correctly to a valid Enterprise image in the .WIM file. 
+ +   + + ``` syntax +#The WIM file must contain a sysprep generalized image. + dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + ``` + +6. Once those commands have completed, run the following command: + + ``` syntax + djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows + ``` + +7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](http://go.microsoft.com/fwlink/p/?LinkId=619172): + + ``` syntax + + + + + true + + true + 1 + Work + + + + true + + true + 1 + Work + + + + + ``` + +8. Safely remove the Windows To Go drive. + +9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. + + 1. If on premises using a host computer with a direct network connection, sign on using your domain credentials. + + 2. If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. + + **Note**   + Depending on your DirectAccess configuration you might be asked to insert your smart card to logon to the domain. + +   + +You should now be able to access your organization’s network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. 
+ +### Enable BitLocker protection for your Windows To Go drive + +Enabling BitLocker on your Windows To Go drive will help ensure that your data is protected from unauthorized use and that if your Windows To Go drive is lost or stolen it will not be easy for an unauthorized person to obtain confidential data or use the workspace to gain access to protected resources in your organization. When BitLocker is enabled, each time you boot your Windows To Go drive, you will be asked to provide the BitLocker password to unlock the drive. The following procedure provides the steps for enabling BitLocker on your Windows To Go drive: + +**Prerequisites for enabling BitLocker scenario** + +- A Windows To Go drive that can be successfully provisioned. + +- A computer running Windows 8 configured as a Windows To Go host computer + +- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: + + **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. + + **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. 
This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. + + **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting is not enabled, passwords cannot be used to unlock BitLocker-protected operating system drives. + +You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios. + +Enabling BitLocker during provisioning ensures that your operating system image is always protected by BitLocker. When enabling BitLocker during the provisioning process you can significantly reduce the time required for encrypting the drive by enabling BitLocker after configuring the disk and just prior to applying the image. If you use this method, you will need to give users their BitLocker password when you give then their Windows To Go workspace. Also, you should instruct your users to boot their workspace and change their BitLocker password as soon as possible (this can be done with standard user privileges). + +Enabling BitLocker after distribution requires that your users turn on BitLocker. 
This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker see the [BitLocker Overview](http://go.microsoft.com/fwlink/p/?LinkId=619173). + +**BitLocker recovery keys** + +BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It is recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you do not want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled. + +- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS is not used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. + +- **Warning**   + If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS is not used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. + +   + +**To enable BitLocker during provisioning** + +1. Start the host computer that is running Windows 8. + +2. Insert your Windows To Go drive. + +3. Launch an elevated Windows PowerShell prompt by right-clicking the Windows PowerShell shortcut in the taskbar, and then clicking **Run as Administrator**. + +4. 
Provision the Windows To Go drive using the following cmdlets: + + **Note**   + If you used the [manual method for creating a workspace](http://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. + +   + + ``` syntax +# The following command will set $Disk to all USB drives with >20 GB of storage + + $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } + +#Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. +# +# To skip the confirmation prompt, append –confirm:$False + Clear-Disk –InputObject $Disk[0] -RemoveData + +# This command initializes a new MBR disk + Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR + +# This command creates a 350 MB system partition + $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive + +# This formats the volume with a FAT32 Filesystem +# To skip the confirmation dialog, append –Confirm:$False + Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` + -Partition $SystemPartition + +# This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. + $OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize + Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` + -Partition $OSPartition + +# This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. 
+ Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" + Set-Partition -InputObject $OSPartition -NewDriveLetter "W" + +# This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. + Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE + ``` + + Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](http://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): + + **Tip**   + The index number must be set correctly to a valid Enterprise image in the .WIM file. + +   + + ``` syntax +#The WIM file must contain a sysprep generalized image. + dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + ``` + +5. In the same PowerShell session use the following cmdlet to add a recovery key to the drive: + + ``` syntax + $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector + ``` + +6. Next, use the following cmdlets to save the recovery key to a file: + + ``` syntax +#The BitLocker Recovery key is essential if for some reason you forget the BitLocker password +#This recovery key can also be backed up into Active Directory using manage-bde.exe or the +#PowerShell cmdlet Backup-BitLockerKeyProtector. + $RecoveryPassword = $BitlockerRecoveryProtector.KeyProtector.RecoveryPassword + $RecoveryPassword > WTG-Demo_Bitlocker_Recovery_Password.txt + ``` + +7. Then, use the following cmdlets to add the password as a secure string. 
If you omit the password the cmdlet will prompt you for the password before continuing the operation: + + ``` syntax +# Create a variable to store the password + $spwd = ConvertTo-SecureString -String -AsplainText –Force + Enable-BitLocker W: -PasswordProtector $spwd + ``` + + **Warning**   + To have BitLocker only encrypt used space on the disk append the parameter `–UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. + +   + +8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. + + **Warning**   + If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. + + If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). + +   + +9. Safely remove the Windows To Go drive. 
+ +The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following: + +- Initial BitLocker password that they will need to boot the drives. + +- Current encryption status. + +- Instructions to change the BitLocker password after the initial boot. + +- Instructions for how to retrieve the recovery password if necessary. This may be a help desk process, an automated password retrieval site, or a person to contact. + + +**To enable BitLocker after distribution** + +1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace + +2. Press **Windows logo key+W** to open **Search Settings**, type BitLocker and then select the item for BitLocker Drive Encryption. + +3. The drives on the workspace are displayed, click **Turn BitLocker On** for the C: drive. The **BitLocker Setup Wizard** appears. + +4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. + +**Note**   +If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. + +  + +### Advanced deployment sample script + +The following sample script supports the provisioning of multiple Windows To Go drives and the configuration of offline domain join. + +The sample script creates an unattend file that streamlines the deployment process so that the initial use of the Windows To Go drive does not prompt the end user for any additional configuration information before starting up. 
+ +**Prerequisites for running the advanced deployment sample script** + +- To run this sample script you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. + +- Using offline domain join is required by this script, since the script does not create a local administrator user account. However, domain membership will automatically put “Domain admins” into the local administrators group. Review your domain policies. If you are using DirectAccess you will need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters. + +- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. + +**To run the advanced deployment sample script** + +1. Copy entire the code sample titled “Windows To Go multiple drive provisioning sample script” into a PowerShell script (.ps1) file. + +2. Make the modifications necessary for it to be appropriate to your deployment and save the file. + +3. Configure the PowerShell execution policy. By default PowerShell’s execution policy is set to Restricted; that means that scripts won’t run until you have explicitly given them permission to. To configure PowerShell’s execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: + + ``` syntax + Set-ExecutionPolicy RemoteSigned + ``` + + The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](http://go.microsoft.com/fwlink/p/?LinkId=619175). 
+ + **Tip**   + To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: + + `Get-Help -Online` + + This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. + +   + +**Windows To Go multiple drive provisioning sample script** + +``` syntax +<# +.SYNOPSIS +Windows To Go multiple drive provisioning sample script. + +.DESCRIPTION +This sample script will provision one or more Windows To Go drives, configure offline domain join (using random machine names) and provides an option for BitLocker encryption. To provide a seamless first boot experience, an unattend file is created that will set the first run (OOBE) settings to defaults. To improve performance of the script, copy your install image to a local location on the computer used for provisioning the drives. + +.EXAMPLE +.\WTG_MultiProvision.ps1 -InstallWIMPath c:\companyImages\amd64_enterprise.wim +provision drives connected to your machine with the provided image. +#> +param ( + [parameter(Mandatory=$true)] + [string] +#Path to install wim. If you have the full path to the wim or want to use a local file. + $InstallWIMPath, + + [string] +#Domain to which to join the Windows To Go workspaces. + $DomainName +) + + +<# + In order to set BitLocker Group Policies for our offline WTG image we need to create a Registry.pol file + in the System32\GroupPolicy folder. This file requires binary editing, which is not possible in PowerShell + directly so we have some C# code that we can use to add a type in our PowerShell instance that will write + the data for us. +#> +$Source = @" +using System; +using System.Collections.Generic; +using System.IO; +using System.Text; + +namespace MS.PolicyFileEditor +{ + //The PolicyEntry represents the DWORD Registry Key/Value/Data entry that will + //be written into the file. 
+ public class PolicyEntry + { + private List byteList; + + public string KeyName { get; set; } + public string ValueName { get; set; } + + internal List DataBytes + { + get { return this.byteList; } + } + + public PolicyEntry( + string Key, + string Value, + uint data) + { + KeyName = Key; + ValueName = Value; + this.byteList = new List(); + byte[] arrBytes = BitConverter.GetBytes(data); + if (BitConverter.IsLittleEndian == false) { Array.Reverse(arrBytes); } + this.byteList.AddRange(arrBytes); + } + + ~PolicyEntry() + { + this.byteList = null; + } + } + + public class PolicyFile + { + private Dictionary entries; + + public List Entries + { + get + { + List policyList = new List(entries.Values); + return policyList; + } + } + + public PolicyFile() + { + this.entries = new Dictionary(StringComparer.OrdinalIgnoreCase); + } + + public void SetDWORDValue(string key, string value, uint data) + { + PolicyEntry entry = new PolicyEntry(key, value, data); + this.entries[entry.KeyName + "\\" + entry.ValueName] = entry; + } + + public void SaveFile(string file) + { + using (FileStream fs = new FileStream(file, FileMode.Create, FileAccess.Write)) + { + fs.Write(new byte[] { 0x50, 0x52, 0x65, 0x67, 0x01, 0x00, 0x00, 0x00 }, 0, 8); + byte[] openBracket = UnicodeEncoding.Unicode.GetBytes("["); + byte[] closeBracket = UnicodeEncoding.Unicode.GetBytes("]"); + byte[] semicolon = UnicodeEncoding.Unicode.GetBytes(";"); + byte[] nullChar = new byte[] { 0, 0 }; + + byte[] bytes; + + foreach (PolicyEntry entry in this.Entries) + { + fs.Write(openBracket, 0, 2); + bytes = UnicodeEncoding.Unicode.GetBytes(entry.KeyName); + fs.Write(bytes, 0, bytes.Length); + fs.Write(nullChar, 0, 2); + + fs.Write(semicolon, 0, 2); + bytes = UnicodeEncoding.Unicode.GetBytes(entry.ValueName); + fs.Write(bytes, 0, bytes.Length); + fs.Write(nullChar, 0, 2); + + fs.Write(semicolon, 0, 2); + bytes = BitConverter.GetBytes(4); + if (BitConverter.IsLittleEndian == false) { Array.Reverse(bytes); } + fs.Write(bytes, 
0, 4); + + fs.Write(semicolon, 0, 2); + byte[] data = entry.DataBytes.ToArray(); + bytes = BitConverter.GetBytes((uint)data.Length); + if (BitConverter.IsLittleEndian == false) { Array.Reverse(bytes); } + fs.Write(bytes, 0, 4); + + fs.Write(semicolon, 0, 2); + fs.Write(data, 0, data.Length); + fs.Write(closeBracket, 0, 2); + } + fs.Close(); + } + } + } +} +"@ + +######################################################################## +# +# Helper Functions +# +Function CreateUnattendFile { +param ( + [parameter(Mandatory=$true)] + [string] + $Arch +) + + if ( Test-Path "WtgUnattend.xml" ) { + del .\WtgUnattend.xml + } + $unattendFile = New-Item "WtgUnattend.xml" -type File + $fileContent = @" + + + + + + true + 1 + Work + + + + en-US + en-US + en-US + en-US + + + true + + + +"@ + + Set-Content $unattendFile $fileContent + +#return the file object + $unattendFile +} + +Function CreateRegistryPolicyFile { + + $saveFileLocaiton = "" + (get-location) + "\registry.pol" + + $policyFile = New-Object MS.PolicyFileEditor.PolicyFile + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseAdvancedStartup", 1) + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "EnableBDEWithNoTPM", 1) + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPM", 2) + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMPIN", 2) + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKey", 2) + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKeyPIN", 2) + $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "OSEnablePrebootInputProtectorsOnSlates", 1) + $policyFile.SaveFile($saveFileLocaiton) + + $saveFileLocaiton +} + +######################################################################## + +if ( Test-Path $installWIMPath ){ + write-output "Image: $installWIMPath" +} +else{ + write-output "Unable to find image: $installWIMPath" "Exiting the script" + exit +} + +if ( (Get-WindowsImage -ImagePath 
$InstallWIMPath -Index 1).Architecture -eq 0 ){ + $Arch = "x86" +} +else{ + $Arch = "amd64" +} + +$starttime = get-date + +#Add type information for modifing the Registy Policy file +Add-Type -TypeDefinition $Source -Language CSharp + +#Create helper files +$unattendFile = CreateUnattendFile -Arch $Arch +$registryPolFilePath = CreateRegistryPolicyFile + +$Disks = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } +if ($Disks -eq $null) +{ + Write-Output "No USB Disks found, exiting the script. Please check that you have a device connected." + exit +} + +#We want to make sure that all non-boot connected USB drives are online, writeable and cleaned. +#This command will erase all data from all USB drives larger than 20Gb connected to your machine +#To automate this step you can add: -confirm:$False +Clear-Disk –InputObject $Disks -RemoveData -erroraction SilentlyContinue + +# Currently the provisioning script needs drive letters (for dism and bcdboot.exe) and the script is more +# reliable when the main process determines all of the free drives and provides them to the sub-processes. +# Use a drive index starting at 1, since we need 2 free drives to proceed. (system & operating system) +$driveLetters = 68..90 | ForEach-Object { "$([char]$_):" } | + Where-Object { + (new-object System.IO.DriveInfo $_).DriveType -eq 'noRootdirectory' + } +$driveIndex = 1 + +foreach ($disk in $Disks) +{ + + if ( $driveIndex -lt $driveLetters.count ) + { + Start-Job -ScriptBlock { + $installWIMPath = $args[0] + $unattendFile = $args[1] + $Disk = $args[2] + $SystemDriveLetter = $args[3] + $OSDriveLetter = $args[4] + $DomainName = $args[5] + $policyFilePath = $args[6] + +#For compatibility between UEFI and legacy BIOS we use MBR for the disk. + Initialize-Disk –InputObject $Disk -PartitionStyle MBR + +#A short sleep between creating a new partition and formatting helps ensure the partition +#is ready before formatting. 
+ $SystemPartition = New-Partition –InputObject $Disk -Size (350MB) -IsActive + Sleep 1 + Format-Volume -Partition $SystemPartition -FileSystem FAT32 -NewFileSystemLabel "UFD-System" -confirm:$False | Out-Null + + $OSPartition = New-Partition –InputObject $Disk -UseMaximumSize + Sleep 1 + Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS -Partition $OSPartition -confirm:$False | Out-Null + + +#The No default drive letter prevents other computers from displaying contents of the drive when connected as a Data drive. + Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE + Set-Partition -InputObject $SystemPartition -NewDriveLetter $SystemDriveLetter + Set-Partition -InputObject $OSPartition -NewDriveLetter $OSDriveLetter + + dism /apply-image /index:1 /applydir:${OSDriveLetter}:\ /imagefile:$InstallWIMPath + if (!$?){ + write-output "DISM image application failed, exiting." + exit + } + + copy $unattendFile ${OSDriveLetter}:\Windows\System32\sysprep\unattend.xml + +#Create the directory for the Machine Registry Policy file, surpressing the output and any error +#and copy the pre-created Registry.pol file to that location. + write-output "Set BitLocker default policies for WindowsToGo" + md ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine | out-null + copy $policyFilePath ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine + +#modify the registry of the image to set SanPolicy. This is also where you could set the default +#keyboard type for USB keyboards. + write-output "Modify SAN Policy" + reg load HKLM\PW-System ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log + reg add HKLM\PW-System\ControlSet001\Services\Partmgr\Parameters /v SanPolicy /d 4 /t REG_DWORD /f > info.log + reg unload HKLM\PW-System > info.log + +#We're running bcdboot from the newly applied image so we know that the correct boot files for the architecture and operating system are used. +#This will fail if we try to run an amd64 bcdboot.exe on x86. 
+ cmd /c "$OSDriveLetter`:\Windows\system32\bcdboot $OSDriveLetter`:\Windows /f ALL /s $SystemDriveLetter`:" + if (!$?){ + write-output "BCDBOOT.exe failed, exiting script." + exit + } + + <# + If a domain name was provided to the script, we will create a random computer name + and perform an offline domain join for the device. With this command we also supress the + Add User OOBE screen. +#> + if ($DomainName) + { +#using get-random, we will create a random computer name for the drive. + $suffix = Get-Random + $computername = "wtg-" + $suffix + djoin /provision /domain $DomainName /savefile ${OSDriveLetter}:\tempBLOB.bin /reuse /machine $computername + djoin /requestodj /loadfile ${OSDriveLetter}:\tempBLOB.bin /windowspath ${OSDriveLetter}:\windows > info.log + del ${OSDriveLetter}:\tempBLOB.bin + +#add offline registry key to skip user account screen + write-output "Add Offline Registry key for skipping UserAccount OOBE page." + reg load HKLM\PW-Temp${OSDriveLetter} ${OSDriveLetter}:\Windows\System32\config\SOFTWARE > info.log + reg add HKLM\PW-Temp${OSDriveLetter}\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /d 1 /t REG_DWORD > info.log + reg unload HKLM\PW-Temp${OSDriveLetter} > info.log + } + + try + { + Write-VolumeCache -DriveLetter ${OSDriveLetter} + Write-Output "Disk is now ready to be removed." + } + catch [System.Management.Automation.CommandNotFoundException] + { + write-output "Flush Cache not supported, Be sure to safely remove the WTG device." 
+ } + + + } -ArgumentList @($installWIMPath, $unattendFile, $disk, $driveLetters[$driveIndex-1][0], $driveLetters[$driveIndex][0], $DomainName, $registryPolFilePath) + } + $driveIndex = $driveIndex + 2 +} +#wait for all threads to finish +get-job | wait-job + +#print output from all threads +get-job | receive-job + +#delete the job objects +get-job | remove-job + + +#Cleanup helper files +del .\WtgUnattend.xml +del .\Registry.pol + +$finishtime = get-date +$elapsedTime = new-timespan $starttime $finishtime +write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)" +write-output "" "Provisioning script complete." +``` + +## Considerations when using different USB keyboard layouts with Windows To Go + + +Before provisioning your Windows To Go drive you need to consider if your workspace will boot on a computer with a non-English USB keyboard attached. As described in [KB article 927824](http://go.microsoft.com/fwlink/p/?LinkId=619176) there is a known issue where the plug and play ID causes the keyboard to be incorrectly identified as an English 101 key keyboard. To avoid this problem, you can modify the provisioning script to set the override keyboard parameters. + +In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. 
The following example uses the Japanese keyboard layout: + +``` syntax + reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log + reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f + reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f + reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f + reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f + reg unload HKLM\WTG-Keyboard +``` + +## Related topics + + +[Windows To Go: feature overview](../plan/windows-to-go-overview.md) + +[Windows 10 forums](http://go.microsoft.com/fwlink/p/?LinkId=618949) + +[Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) + +[Deployment considerations for Windows To Go](../plan/deployment-considerations-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](../plan/security-and-data-protection-considerations-for-windows-to-go.md) + +[BitLocker overview](http://go.microsoft.com/fwlink/p/?LinkId=619173) + +  + +  + + + + + diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md new file mode 100644 index 0000000000..3224e87eca --- /dev/null +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
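Review bot: In the Windows To Go provisioning script, every `reg load`, `reg add` and `reg unload` (and the `djoin /requestodj` call) redirects with `> info.log`, which truncates the file on each command, and the script runs one background job per drive (`-ArgumentList ...`, `get-job | wait-job`) so all jobs race for the same relative `info.log`; by the time the jobs finish only the last command of the last job is readable. Append with `>>` and include the drive letter in the file name, or drop the redirection so the output reaches `receive-job`. The OOBE edit `reg add HKLM\PW-Temp${OSDriveLetter}\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /d 1 /t REG_DWORD > info.log` lacks the `/f` that the SanPolicy line has, so if the value already exists in the image `reg` waits for an overwrite confirmation that a background job can never answer, and the SOFTWARE hive is then never unloaded. Neither `djoin` call is checked the way `dism` and `bcdboot` are (`if (!$?)`), so a failed provision or offline join still falls through to `del ${OSDriveLetter}:\tempBLOB.bin` and the drive is reported ready; the blob carries the machine account credentials, so the script should verify `/requestodj` succeeded before deleting it and the text should say that the file is removed with a plain `del`. The comment that `-NoDefaultDriveLetter` "prevents other computers from displaying contents of the drive" overstates it: withholding a drive letter is not an access control, and data protection depends on BitLocker being enabled on the workspace, for which the script only sets default policies via the copied Registry.pol. In the keyboard-layout example later in the same file, `LayerDriver /d JPN:kbd106dll` looks as if it is missing the dot before `dll`; please verify the value against a machine where the layout is known to work before publishing.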
@@ -0,0 +1,193 @@ +--- +title: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager (Windows 10) +description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. +ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e +keywords: ["configure, deploy, upgrade"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager + + +**Applies to** + +- Windows 10 + +This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Enable MDT monitoring + + +This section will walk you through the process of creating the E:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. + +1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. 
Use the following settings for the New Deployment Share Wizard: + + 1. Deployment share path: E:\\MDTProduction + + 2. Share name: MDTProduction$ + + 3. Deployment share description: MDT Production + + 4. Options: <default settings> + +2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**. + +![figure 26](images/mdt-06-fig31.png) + +Figure 26. Enabling MDT monitoring for Configuration Manager. + +## Create and share the Logs folder + + +To support additional server-side logging in Configuration Manager, you create and share the E:\\Logs folder on CM01 using Windows PowerShell. Then in the next step, you enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. + +1. On CM01, start an elevated Windows PowerShell prompt (run as Administrator). + +2. Type the following commands, pressing **Enter** after each one: + + ``` syntax + New-Item -Path E:\Logs -ItemType directory + New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE + icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)' + ``` + +## Configure the rules (Windows 10 x64 Settings package) + + +This section will show you how to configure the rules (the Windows 10 x64 Settings package) to support the Contoso environment. + +1. On CM01, using File Explorer, navigate to the **E:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder. + +2. 
Using Notepad, edit the CustomSetting.ini file with the following settings: + + ``` syntax + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\CM01\Logs$ + EventService=http://CM01:9800 + ApplyGPOPack=NO + ``` + + ![figure 27](images/fig30-settingspack.png) + + Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment + +3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. + +**Note**   +Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes. + +  + +## Distribute content to the CM01 distribution portal + + +In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point. + +1. **On CM01, using the Configuration Manager Console**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content.** + +2. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +3. Using Configuration Manager Trace, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully. 
+ +## Create a deployment for the task sequence + + +This sections provides steps to help you create a deployment for the task sequence. + +1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. + +2. On the **General** page, select the **All Unknown Computers** collection and click **Next**. + +3. On the **Deployment Settings** page, use the following settings and then click **Next**: + + 1. Purpose: Available + + 2. Make available to the following: Only media and PXE + + ![figure 28](images/mdt-06-fig33.png) + + Figure 28. Configure the deployment settings. + +4. On the **Scheduling** page, accept the default settings and click **Next**. + +5. On the **User Experience** page, accept the default settings and click **Next**. + +6. On the **Alerts** page, accept the default settings and click **Next**. + +7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**. + +![figure 29](images/fig32-deploywiz.png) + +Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE. + +## Configure Configuration Manager to prompt for the computer name during deployment (optional) + + +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-2013-settings.md). + +This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. + +1. Using the Configuration Manager Console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. + +2. In the **Collection Variables** tab, create a new variable with the following settings: + + 1. Name: OSDComputerName + + 2. 
Clear the **Do not display this value in the Configuration Manager console** check box. + +3. Click **OK**. + +**Note**   +Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. + +  + +![figure 30](images/mdt-06-fig35.png) + +Figure 30. Configure a collection variable. + +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + 
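Review bot: Step 2 under "Configure the rules" tells the reader to edit `CustomSetting.ini`, but the file named in the "Create and share the Logs folder" section, and the one MDT actually reads, is `CustomSettings.ini`; the missing "s" will send readers looking for a file that does not exist. The share commands `New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE` followed by `icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)'` deserve one sentence of explanation: the share-level grant to EVERYONE is only acceptable because the effective permission is the narrower of the share and NTFS ACLs, so readers should be told that the NTFS grant to the CM_NAA account is the control that matters and that the share permission is not the boundary. Smaller items: the description and intro say "Windows 10 operating deployment" (operating system deployment), the heading "Distribute content to the CM01 distribution portal" uses "portal" where the body says "distribution point", and "This sections provides" should be "This section provides".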
diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md new file mode 100644 index 0000000000..57a20dea3e --- /dev/null +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -0,0 +1,62 @@ +--- +title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) +description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. +ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee +keywords: ["deploy", "image", "feature", "install", "tools"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Get started with the Microsoft Deployment Toolkit (MDT) + + +**Applies to** + +- Windows 10 + +This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT 2013 Update 2 also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. + +In addition to familiarizing you with the features and options available in MDT 2013 Update 2, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. + +For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
+ +![figure 1](images/mdt-05-fig01.png) + +Figure 1. The machines used in this topic. + +## In this section + + +- [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) + +- [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) + +- [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) + +## Related topics + + +[Microsoft Deployment Toolkit downloads and documentation](http://go.microsoft.com/fwlink/p/?LinkId=618117) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-2013-settings.md) + +  + +  + + + + + diff --git a/windows/deploy/getting-started-with-the-user-state-migration-tool.md b/windows/deploy/getting-started-with-the-user-state-migration-tool.md new file mode 100644 index 0000000000..6cc2bf4352 --- /dev/null +++ b/windows/deploy/getting-started-with-the-user-state-migration-tool.md 
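Review bot: The link `deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof` in the DC01/MDT01 paragraph carries a `#proof` fragment that the same link in the finalize-the-os-configuration topic added in this change does not; unless the target has a heading with that anchor the fragment is dead and reads like an editing leftover. Suggest dropping it so both topics link the same way.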
@@ -0,0 +1,113 @@ +--- +title: Getting Started with the User State Migration Tool (USMT) (Windows 10) +description: Getting Started with the User State Migration Tool (USMT) +ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Getting Started with the User State Migration Tool (USMT) + + +This topic outlines the general process that you should follow to migrate files and settings. + +## In this Topic + + +- [Step One: Plan Your Migration](#bkmk-planmig) + +- [Step Two: Collect Files and Settings from the Source Computer](#bkmk-collectfiles) + +- [Step Three: Prepare the Destination Computer and Restore Files and Settings](#bkmk-preparedestination) + +## Step One: Plan Your Migration + + +1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys. + +3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + +4. Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md) + +5. 
Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files. + + **Important**   + We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files. + +   + + You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files: + + `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log` + +7. Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate. + +## Step Two: Collect Files and Settings from the Source Computer + + +1. Back up the source computer. + +2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. + + **Note**   + USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. 
When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. + +   + +3. Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example, + + `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` + + **Note**   + If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md). + +   + +4. Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted. + +## Step Three: Prepare the Destination Computer and Restore Files and Settings + + +1. Install the operating system on the destination computer. + +2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. + + **Note**   + The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. 
The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. + +   + +3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. + + **Note**   + Use **/C** to continue your migration if errors are encountered, and use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail. + +   + +4. Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md). + + For example, the following command migrates the files and settings: + + `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` + + **Note**   + Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**. + +   + +5. Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on. + +  + +  + + + + + 
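Review bot: Step 6 of "Plan Your Migration" says to "use the [ScanState Syntax](usmt-scanstate-syntax.md) option", which names a topic rather than an option; the option the example command uses is `/genconfig`, so the sentence should read "use the /genconfig option (see ScanState Syntax)". Step 5 refers to "the Migration.xml and MigDocs.xml files" while step 6 and the ScanState and LoadState commands work with MigDocs.xml and MigApp.xml (and the finalize topic's `OSDMigrateConfigFiles=Miguser.xml,Migapp.xml` lists a third); please make the file names consistent. The example `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log` writes the entire user state, documents and registry settings included, to a network share with no mention of protecting the store; a pointer to the store protection options in the linked ScanState Syntax topic and to restricting the share's ACL to the account running the migration belongs next to it, especially since step 4 already sends readers to `USMTUtils /Verify` for integrity. Typo: "about the how the" appears in both the ScanState and LoadState notes.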
diff --git a/windows/deploy/images/checkmark.png b/windows/deploy/images/checkmark.png new file mode 100644 index 0000000000..04cc421e12 Binary files /dev/null and b/windows/deploy/images/checkmark.png differ diff --git a/windows/deploy/images/crossmark.png b/windows/deploy/images/crossmark.png new file mode 100644 index 0000000000..2b267dc802 Binary files /dev/null and b/windows/deploy/images/crossmark.png differ diff --git a/windows/deploy/images/dep-win8-l-usmt-migrationcomparemigstores.gif b/windows/deploy/images/dep-win8-l-usmt-migrationcomparemigstores.gif new file mode 100644 index 0000000000..c23cf5f98c Binary files /dev/null and b/windows/deploy/images/dep-win8-l-usmt-migrationcomparemigstores.gif differ diff --git a/windows/deploy/images/dep-win8-l-usmt-pcrefresh.jpg b/windows/deploy/images/dep-win8-l-usmt-pcrefresh.jpg new file mode 100644 index 0000000000..79f874d895 Binary files /dev/null and b/windows/deploy/images/dep-win8-l-usmt-pcrefresh.jpg differ diff --git a/windows/deploy/images/dep-win8-l-usmt-pcreplace.jpg b/windows/deploy/images/dep-win8-l-usmt-pcreplace.jpg new file mode 100644 index 0000000000..507f783aff Binary files /dev/null and b/windows/deploy/images/dep-win8-l-usmt-pcreplace.jpg differ diff --git a/windows/deploy/images/dep-win8-l-vamt-findingcomputerdialog.gif b/windows/deploy/images/dep-win8-l-vamt-findingcomputerdialog.gif new file mode 100644 index 0000000000..3d745d4a77 Binary files /dev/null and b/windows/deploy/images/dep-win8-l-vamt-findingcomputerdialog.gif differ diff --git a/windows/deploy/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif b/windows/deploy/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif new file mode 100644 index 0000000000..21fc338e12 Binary files /dev/null and b/windows/deploy/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif differ 
diff --git a/windows/deploy/images/dep-win8-l-vamt-image001-enterprise.jpg b/windows/deploy/images/dep-win8-l-vamt-image001-enterprise.jpg new file mode 100644 index 0000000000..b7a1411562 Binary files /dev/null and b/windows/deploy/images/dep-win8-l-vamt-image001-enterprise.jpg differ diff --git a/windows/deploy/images/dep-win8-l-vamt-makindependentactivationscenario.jpg b/windows/deploy/images/dep-win8-l-vamt-makindependentactivationscenario.jpg new file mode 100644 index 0000000000..52203b7593 Binary files /dev/null and b/windows/deploy/images/dep-win8-l-vamt-makindependentactivationscenario.jpg differ diff --git a/windows/deploy/images/dep-win8-l-vamt-makproxyactivationscenario.jpg b/windows/deploy/images/dep-win8-l-vamt-makproxyactivationscenario.jpg new file mode 100644 index 0000000000..3a02a1f17e Binary files /dev/null and b/windows/deploy/images/dep-win8-l-vamt-makproxyactivationscenario.jpg differ diff --git a/windows/deploy/images/fig10-contosoinstall.png b/windows/deploy/images/fig10-contosoinstall.png new file mode 100644 index 0000000000..ac4eaf2aa0 Binary files /dev/null and b/windows/deploy/images/fig10-contosoinstall.png differ diff --git a/windows/deploy/images/fig10-unattend.png b/windows/deploy/images/fig10-unattend.png new file mode 100644 index 0000000000..a9d2bc16df Binary files /dev/null and b/windows/deploy/images/fig10-unattend.png differ diff --git a/windows/deploy/images/fig13-captureimage.png b/windows/deploy/images/fig13-captureimage.png new file mode 100644 index 0000000000..678a43ca73 Binary files /dev/null and b/windows/deploy/images/fig13-captureimage.png differ diff --git a/windows/deploy/images/fig16-contentstatus.png b/windows/deploy/images/fig16-contentstatus.png new file mode 100644 index 0000000000..5ea8ba275a Binary files /dev/null and b/windows/deploy/images/fig16-contentstatus.png differ 
diff --git a/windows/deploy/images/fig17-win10image.png b/windows/deploy/images/fig17-win10image.png new file mode 100644 index 0000000000..d16eee554d Binary files /dev/null and b/windows/deploy/images/fig17-win10image.png differ diff --git a/windows/deploy/images/fig18-distwindows.png b/windows/deploy/images/fig18-distwindows.png new file mode 100644 index 0000000000..d8525ddd3e Binary files /dev/null and b/windows/deploy/images/fig18-distwindows.png differ diff --git a/windows/deploy/images/fig2-gather.png b/windows/deploy/images/fig2-gather.png new file mode 100644 index 0000000000..01ffca2770 Binary files /dev/null and b/windows/deploy/images/fig2-gather.png differ diff --git a/windows/deploy/images/fig2-importedos.png b/windows/deploy/images/fig2-importedos.png new file mode 100644 index 0000000000..ed72d2ef4d Binary files /dev/null and b/windows/deploy/images/fig2-importedos.png differ diff --git a/windows/deploy/images/fig2-taskseq.png b/windows/deploy/images/fig2-taskseq.png new file mode 100644 index 0000000000..1da70bd6e7 Binary files /dev/null and b/windows/deploy/images/fig2-taskseq.png differ diff --git a/windows/deploy/images/fig21-add-drivers.png b/windows/deploy/images/fig21-add-drivers.png new file mode 100644 index 0000000000..f53fe672e2 Binary files /dev/null and b/windows/deploy/images/fig21-add-drivers.png differ diff --git a/windows/deploy/images/fig22-createcategories.png b/windows/deploy/images/fig22-createcategories.png new file mode 100644 index 0000000000..8912ad974f Binary files /dev/null and b/windows/deploy/images/fig22-createcategories.png differ diff --git a/windows/deploy/images/fig27-driverpackage.png b/windows/deploy/images/fig27-driverpackage.png new file mode 100644 index 0000000000..c2f66669be Binary files /dev/null and b/windows/deploy/images/fig27-driverpackage.png differ 
diff --git a/windows/deploy/images/fig28-addapp.png b/windows/deploy/images/fig28-addapp.png new file mode 100644 index 0000000000..a7ba6b3709 Binary files /dev/null and b/windows/deploy/images/fig28-addapp.png differ diff --git a/windows/deploy/images/fig30-settingspack.png b/windows/deploy/images/fig30-settingspack.png new file mode 100644 index 0000000000..3479184140 Binary files /dev/null and b/windows/deploy/images/fig30-settingspack.png differ diff --git a/windows/deploy/images/fig32-deploywiz.png b/windows/deploy/images/fig32-deploywiz.png new file mode 100644 index 0000000000..a1387b19d8 Binary files /dev/null and b/windows/deploy/images/fig32-deploywiz.png differ diff --git a/windows/deploy/images/fig4-oob-drivers.png b/windows/deploy/images/fig4-oob-drivers.png new file mode 100644 index 0000000000..b1f6924665 Binary files /dev/null and b/windows/deploy/images/fig4-oob-drivers.png differ diff --git a/windows/deploy/images/fig5-selectprofile.png b/windows/deploy/images/fig5-selectprofile.png new file mode 100644 index 0000000000..452ab4f581 Binary files /dev/null and b/windows/deploy/images/fig5-selectprofile.png differ diff --git a/windows/deploy/images/fig6-taskseq.png b/windows/deploy/images/fig6-taskseq.png new file mode 100644 index 0000000000..8696cc04c4 Binary files /dev/null and b/windows/deploy/images/fig6-taskseq.png differ diff --git a/windows/deploy/images/fig8-cust-tasks.png b/windows/deploy/images/fig8-cust-tasks.png new file mode 100644 index 0000000000..378215ee2b Binary files /dev/null and b/windows/deploy/images/fig8-cust-tasks.png differ diff --git a/windows/deploy/images/fig8-suspend.png b/windows/deploy/images/fig8-suspend.png new file mode 100644 index 0000000000..8094f01274 Binary files /dev/null and b/windows/deploy/images/fig8-suspend.png differ 
diff --git a/windows/deploy/images/fig9-resumetaskseq.png b/windows/deploy/images/fig9-resumetaskseq.png new file mode 100644 index 0000000000..0a83019f69 Binary files /dev/null and b/windows/deploy/images/fig9-resumetaskseq.png differ diff --git a/windows/deploy/images/figure4-deployment-workbench.png b/windows/deploy/images/figure4-deployment-workbench.png new file mode 100644 index 0000000000..b5d0e7cc32 Binary files /dev/null and b/windows/deploy/images/figure4-deployment-workbench.png differ diff --git a/windows/deploy/images/mdt-01-fig01.png b/windows/deploy/images/mdt-01-fig01.png new file mode 100644 index 0000000000..d7f8c4e452 Binary files /dev/null and b/windows/deploy/images/mdt-01-fig01.png differ diff --git a/windows/deploy/images/mdt-01-fig02.jpg b/windows/deploy/images/mdt-01-fig02.jpg new file mode 100644 index 0000000000..1533bdd336 Binary files /dev/null and b/windows/deploy/images/mdt-01-fig02.jpg differ diff --git a/windows/deploy/images/mdt-03-fig01.png b/windows/deploy/images/mdt-03-fig01.png new file mode 100644 index 0000000000..fc68fb0c25 Binary files /dev/null and b/windows/deploy/images/mdt-03-fig01.png differ diff --git a/windows/deploy/images/mdt-03-fig02.png b/windows/deploy/images/mdt-03-fig02.png new file mode 100644 index 0000000000..d0fd979449 Binary files /dev/null and b/windows/deploy/images/mdt-03-fig02.png differ diff --git a/windows/deploy/images/mdt-03-fig03.png b/windows/deploy/images/mdt-03-fig03.png new file mode 100644 index 0000000000..ba1de39aa0 Binary files /dev/null and b/windows/deploy/images/mdt-03-fig03.png differ diff --git a/windows/deploy/images/mdt-03-fig04.png b/windows/deploy/images/mdt-03-fig04.png new file mode 100644 index 0000000000..26600a2036 Binary files /dev/null and b/windows/deploy/images/mdt-03-fig04.png differ 
diff --git a/windows/deploy/images/mdt-03-fig05.png b/windows/deploy/images/mdt-03-fig05.png new file mode 100644 index 0000000000..9c44837022 Binary files /dev/null and b/windows/deploy/images/mdt-03-fig05.png differ diff --git a/windows/deploy/images/mdt-04-fig01.png b/windows/deploy/images/mdt-04-fig01.png new file mode 100644 index 0000000000..8a90c1a934 Binary files /dev/null and b/windows/deploy/images/mdt-04-fig01.png differ diff --git a/windows/deploy/images/mdt-05-fig01.png b/windows/deploy/images/mdt-05-fig01.png new file mode 100644 index 0000000000..490f1579d9 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig01.png differ diff --git a/windows/deploy/images/mdt-05-fig02.png b/windows/deploy/images/mdt-05-fig02.png new file mode 100644 index 0000000000..1223432581 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig02.png differ diff --git a/windows/deploy/images/mdt-05-fig03.png b/windows/deploy/images/mdt-05-fig03.png new file mode 100644 index 0000000000..a0ffbec429 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig03.png differ diff --git a/windows/deploy/images/mdt-05-fig04.png b/windows/deploy/images/mdt-05-fig04.png new file mode 100644 index 0000000000..778cbae1b7 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig04.png differ diff --git a/windows/deploy/images/mdt-05-fig05.png b/windows/deploy/images/mdt-05-fig05.png new file mode 100644 index 0000000000..e172a29754 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig05.png differ diff --git a/windows/deploy/images/mdt-05-fig07.png b/windows/deploy/images/mdt-05-fig07.png new file mode 100644 index 0000000000..135a2367c1 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig07.png differ diff --git a/windows/deploy/images/mdt-05-fig08.png b/windows/deploy/images/mdt-05-fig08.png new file mode 100644 index 0000000000..1f4534e89b Binary files /dev/null and b/windows/deploy/images/mdt-05-fig08.png differ 
diff --git a/windows/deploy/images/mdt-05-fig09.png b/windows/deploy/images/mdt-05-fig09.png new file mode 100644 index 0000000000..a3d0155096 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig09.png differ diff --git a/windows/deploy/images/mdt-05-fig10.png b/windows/deploy/images/mdt-05-fig10.png new file mode 100644 index 0000000000..576da23ea6 Binary files /dev/null and b/windows/deploy/images/mdt-05-fig10.png differ diff --git a/windows/deploy/images/mdt-06-fig01.png b/windows/deploy/images/mdt-06-fig01.png new file mode 100644 index 0000000000..466cfda0f4 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig01.png differ diff --git a/windows/deploy/images/mdt-06-fig03.png b/windows/deploy/images/mdt-06-fig03.png new file mode 100644 index 0000000000..9d2786e46a Binary files /dev/null and b/windows/deploy/images/mdt-06-fig03.png differ diff --git a/windows/deploy/images/mdt-06-fig04.png b/windows/deploy/images/mdt-06-fig04.png new file mode 100644 index 0000000000..216e1f371b Binary files /dev/null and b/windows/deploy/images/mdt-06-fig04.png differ diff --git a/windows/deploy/images/mdt-06-fig05.png b/windows/deploy/images/mdt-06-fig05.png new file mode 100644 index 0000000000..3af74bb5ee Binary files /dev/null and b/windows/deploy/images/mdt-06-fig05.png differ diff --git a/windows/deploy/images/mdt-06-fig06.png b/windows/deploy/images/mdt-06-fig06.png new file mode 100644 index 0000000000..324c8960c1 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig06.png differ diff --git a/windows/deploy/images/mdt-06-fig07.png b/windows/deploy/images/mdt-06-fig07.png new file mode 100644 index 0000000000..399fac75f6 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig07.png differ diff --git a/windows/deploy/images/mdt-06-fig08.png b/windows/deploy/images/mdt-06-fig08.png new file mode 100644 index 0000000000..33cb90327a Binary files /dev/null and b/windows/deploy/images/mdt-06-fig08.png differ 
diff --git a/windows/deploy/images/mdt-06-fig10.png b/windows/deploy/images/mdt-06-fig10.png new file mode 100644 index 0000000000..1d92505b96 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig10.png differ diff --git a/windows/deploy/images/mdt-06-fig12.png b/windows/deploy/images/mdt-06-fig12.png new file mode 100644 index 0000000000..f33eca6174 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig12.png differ diff --git a/windows/deploy/images/mdt-06-fig13.png b/windows/deploy/images/mdt-06-fig13.png new file mode 100644 index 0000000000..ab578f69fe Binary files /dev/null and b/windows/deploy/images/mdt-06-fig13.png differ diff --git a/windows/deploy/images/mdt-06-fig14.png b/windows/deploy/images/mdt-06-fig14.png new file mode 100644 index 0000000000..13158231fd Binary files /dev/null and b/windows/deploy/images/mdt-06-fig14.png differ diff --git a/windows/deploy/images/mdt-06-fig15.png b/windows/deploy/images/mdt-06-fig15.png new file mode 100644 index 0000000000..2f1a0eba18 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig15.png differ diff --git a/windows/deploy/images/mdt-06-fig16.png b/windows/deploy/images/mdt-06-fig16.png new file mode 100644 index 0000000000..40cb46adbd Binary files /dev/null and b/windows/deploy/images/mdt-06-fig16.png differ diff --git a/windows/deploy/images/mdt-06-fig20.png b/windows/deploy/images/mdt-06-fig20.png new file mode 100644 index 0000000000..475fad7597 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig20.png differ diff --git a/windows/deploy/images/mdt-06-fig21.png b/windows/deploy/images/mdt-06-fig21.png new file mode 100644 index 0000000000..7cbd1d20bc Binary files /dev/null and b/windows/deploy/images/mdt-06-fig21.png differ diff --git a/windows/deploy/images/mdt-06-fig26.png b/windows/deploy/images/mdt-06-fig26.png new file mode 100644 index 0000000000..fc56839b14 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig26.png differ 
diff --git a/windows/deploy/images/mdt-06-fig31.png b/windows/deploy/images/mdt-06-fig31.png new file mode 100644 index 0000000000..5e98d623b1 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig31.png differ diff --git a/windows/deploy/images/mdt-06-fig33.png b/windows/deploy/images/mdt-06-fig33.png new file mode 100644 index 0000000000..18ae4c82dd Binary files /dev/null and b/windows/deploy/images/mdt-06-fig33.png differ diff --git a/windows/deploy/images/mdt-06-fig35.png b/windows/deploy/images/mdt-06-fig35.png new file mode 100644 index 0000000000..a68750925d Binary files /dev/null and b/windows/deploy/images/mdt-06-fig35.png differ diff --git a/windows/deploy/images/mdt-06-fig36.png b/windows/deploy/images/mdt-06-fig36.png new file mode 100644 index 0000000000..a8350244bd Binary files /dev/null and b/windows/deploy/images/mdt-06-fig36.png differ diff --git a/windows/deploy/images/mdt-06-fig37.png b/windows/deploy/images/mdt-06-fig37.png new file mode 100644 index 0000000000..5a89f2f431 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig37.png differ diff --git a/windows/deploy/images/mdt-06-fig39.png b/windows/deploy/images/mdt-06-fig39.png new file mode 100644 index 0000000000..650aec9a30 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig39.png differ diff --git a/windows/deploy/images/mdt-06-fig42.png b/windows/deploy/images/mdt-06-fig42.png new file mode 100644 index 0000000000..12b0e6817a Binary files /dev/null and b/windows/deploy/images/mdt-06-fig42.png differ diff --git a/windows/deploy/images/mdt-06-fig43.png b/windows/deploy/images/mdt-06-fig43.png new file mode 100644 index 0000000000..015edd21e3 Binary files /dev/null and b/windows/deploy/images/mdt-06-fig43.png differ diff --git a/windows/deploy/images/mdt-07-fig01.png b/windows/deploy/images/mdt-07-fig01.png new file mode 100644 index 0000000000..b2ccfec334 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig01.png differ 
diff --git a/windows/deploy/images/mdt-07-fig03.png b/windows/deploy/images/mdt-07-fig03.png new file mode 100644 index 0000000000..c178d6a15d Binary files /dev/null and b/windows/deploy/images/mdt-07-fig03.png differ diff --git a/windows/deploy/images/mdt-07-fig08.png b/windows/deploy/images/mdt-07-fig08.png new file mode 100644 index 0000000000..66e2969916 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig08.png differ diff --git a/windows/deploy/images/mdt-07-fig09.png b/windows/deploy/images/mdt-07-fig09.png new file mode 100644 index 0000000000..ce320427ee Binary files /dev/null and b/windows/deploy/images/mdt-07-fig09.png differ diff --git a/windows/deploy/images/mdt-07-fig10.png b/windows/deploy/images/mdt-07-fig10.png new file mode 100644 index 0000000000..7aff3c2d76 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig10.png differ diff --git a/windows/deploy/images/mdt-07-fig11.png b/windows/deploy/images/mdt-07-fig11.png new file mode 100644 index 0000000000..905f8bd572 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig11.png differ diff --git a/windows/deploy/images/mdt-07-fig13.png b/windows/deploy/images/mdt-07-fig13.png new file mode 100644 index 0000000000..849949a2f2 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig13.png differ diff --git a/windows/deploy/images/mdt-07-fig14.png b/windows/deploy/images/mdt-07-fig14.png new file mode 100644 index 0000000000..cfe7843eeb Binary files /dev/null and b/windows/deploy/images/mdt-07-fig14.png differ diff --git a/windows/deploy/images/mdt-07-fig15.png b/windows/deploy/images/mdt-07-fig15.png new file mode 100644 index 0000000000..5271690c89 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig15.png differ diff --git a/windows/deploy/images/mdt-07-fig16.png b/windows/deploy/images/mdt-07-fig16.png new file mode 100644 index 0000000000..80e0925a40 Binary files /dev/null and b/windows/deploy/images/mdt-07-fig16.png differ 
diff --git a/windows/deploy/images/mdt-08-fig01.png b/windows/deploy/images/mdt-08-fig01.png new file mode 100644 index 0000000000..7f795c42d4 Binary files /dev/null and b/windows/deploy/images/mdt-08-fig01.png differ diff --git a/windows/deploy/images/mdt-08-fig02.png b/windows/deploy/images/mdt-08-fig02.png new file mode 100644 index 0000000000..50c97d8d0c Binary files /dev/null and b/windows/deploy/images/mdt-08-fig02.png differ diff --git a/windows/deploy/images/mdt-08-fig03.png b/windows/deploy/images/mdt-08-fig03.png new file mode 100644 index 0000000000..e80b242192 Binary files /dev/null and b/windows/deploy/images/mdt-08-fig03.png differ diff --git a/windows/deploy/images/mdt-08-fig05.png b/windows/deploy/images/mdt-08-fig05.png new file mode 100644 index 0000000000..62ae133bb8 Binary files /dev/null and b/windows/deploy/images/mdt-08-fig05.png differ diff --git a/windows/deploy/images/mdt-08-fig06.png b/windows/deploy/images/mdt-08-fig06.png new file mode 100644 index 0000000000..97d83a20fb Binary files /dev/null and b/windows/deploy/images/mdt-08-fig06.png differ diff --git a/windows/deploy/images/mdt-08-fig14.png b/windows/deploy/images/mdt-08-fig14.png new file mode 100644 index 0000000000..21b358d1f8 Binary files /dev/null and b/windows/deploy/images/mdt-08-fig14.png differ diff --git a/windows/deploy/images/mdt-08-fig15.png b/windows/deploy/images/mdt-08-fig15.png new file mode 100644 index 0000000000..2a8bc4252e Binary files /dev/null and b/windows/deploy/images/mdt-08-fig15.png differ diff --git a/windows/deploy/images/mdt-09-fig01.png b/windows/deploy/images/mdt-09-fig01.png new file mode 100644 index 0000000000..0549174435 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig01.png differ diff --git a/windows/deploy/images/mdt-09-fig02.png b/windows/deploy/images/mdt-09-fig02.png new file mode 100644 index 0000000000..dd69922d80 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig02.png differ 
diff --git a/windows/deploy/images/mdt-09-fig03.png b/windows/deploy/images/mdt-09-fig03.png new file mode 100644 index 0000000000..56102b2031 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig03.png differ diff --git a/windows/deploy/images/mdt-09-fig04.png b/windows/deploy/images/mdt-09-fig04.png new file mode 100644 index 0000000000..f123d85af5 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig04.png differ diff --git a/windows/deploy/images/mdt-09-fig06.png b/windows/deploy/images/mdt-09-fig06.png new file mode 100644 index 0000000000..49042d95f3 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig06.png differ diff --git a/windows/deploy/images/mdt-09-fig07.png b/windows/deploy/images/mdt-09-fig07.png new file mode 100644 index 0000000000..431f212f80 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig07.png differ diff --git a/windows/deploy/images/mdt-09-fig08.png b/windows/deploy/images/mdt-09-fig08.png new file mode 100644 index 0000000000..c73ef398e4 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig08.png differ diff --git a/windows/deploy/images/mdt-09-fig09.png b/windows/deploy/images/mdt-09-fig09.png new file mode 100644 index 0000000000..14614aaa42 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig09.png differ diff --git a/windows/deploy/images/mdt-09-fig10.png b/windows/deploy/images/mdt-09-fig10.png new file mode 100644 index 0000000000..c8dbe11eac Binary files /dev/null and b/windows/deploy/images/mdt-09-fig10.png differ diff --git a/windows/deploy/images/mdt-09-fig11.png b/windows/deploy/images/mdt-09-fig11.png new file mode 100644 index 0000000000..dd38911dfc Binary files /dev/null and b/windows/deploy/images/mdt-09-fig11.png differ diff --git a/windows/deploy/images/mdt-09-fig12.png b/windows/deploy/images/mdt-09-fig12.png new file mode 100644 index 0000000000..ed363ae01a Binary files /dev/null and b/windows/deploy/images/mdt-09-fig12.png differ 
diff --git a/windows/deploy/images/mdt-09-fig13.png b/windows/deploy/images/mdt-09-fig13.png new file mode 100644 index 0000000000..5155b0ecf0 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig13.png differ diff --git a/windows/deploy/images/mdt-09-fig14.png b/windows/deploy/images/mdt-09-fig14.png new file mode 100644 index 0000000000..f294a8d69f Binary files /dev/null and b/windows/deploy/images/mdt-09-fig14.png differ diff --git a/windows/deploy/images/mdt-09-fig15.png b/windows/deploy/images/mdt-09-fig15.png new file mode 100644 index 0000000000..f8de66afbd Binary files /dev/null and b/windows/deploy/images/mdt-09-fig15.png differ diff --git a/windows/deploy/images/mdt-09-fig16.png b/windows/deploy/images/mdt-09-fig16.png new file mode 100644 index 0000000000..ad04b64077 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig16.png differ diff --git a/windows/deploy/images/mdt-09-fig17.png b/windows/deploy/images/mdt-09-fig17.png new file mode 100644 index 0000000000..fe4503b950 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig17.png differ diff --git a/windows/deploy/images/mdt-09-fig18.png b/windows/deploy/images/mdt-09-fig18.png new file mode 100644 index 0000000000..4f087172d9 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig18.png differ diff --git a/windows/deploy/images/mdt-09-fig19.png b/windows/deploy/images/mdt-09-fig19.png new file mode 100644 index 0000000000..917444c811 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig19.png differ diff --git a/windows/deploy/images/mdt-09-fig20.png b/windows/deploy/images/mdt-09-fig20.png new file mode 100644 index 0000000000..6c2d1c4dba Binary files /dev/null and b/windows/deploy/images/mdt-09-fig20.png differ diff --git a/windows/deploy/images/mdt-09-fig21.png b/windows/deploy/images/mdt-09-fig21.png new file mode 100644 index 0000000000..628ea98ad9 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig21.png differ 
diff --git a/windows/deploy/images/mdt-09-fig22.png b/windows/deploy/images/mdt-09-fig22.png new file mode 100644 index 0000000000..9d71f62796 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig22.png differ diff --git a/windows/deploy/images/mdt-09-fig23.png b/windows/deploy/images/mdt-09-fig23.png new file mode 100644 index 0000000000..4cd29dc389 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig23.png differ diff --git a/windows/deploy/images/mdt-09-fig24.png b/windows/deploy/images/mdt-09-fig24.png new file mode 100644 index 0000000000..89cb67a048 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig24.png differ diff --git a/windows/deploy/images/mdt-09-fig25.png b/windows/deploy/images/mdt-09-fig25.png new file mode 100644 index 0000000000..fb308c0be5 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig25.png differ diff --git a/windows/deploy/images/mdt-09-fig26.png b/windows/deploy/images/mdt-09-fig26.png new file mode 100644 index 0000000000..681c6516cd Binary files /dev/null and b/windows/deploy/images/mdt-09-fig26.png differ diff --git a/windows/deploy/images/mdt-09-fig27.png b/windows/deploy/images/mdt-09-fig27.png new file mode 100644 index 0000000000..396290346d Binary files /dev/null and b/windows/deploy/images/mdt-09-fig27.png differ diff --git a/windows/deploy/images/mdt-09-fig28.png b/windows/deploy/images/mdt-09-fig28.png new file mode 100644 index 0000000000..d36dda43fa Binary files /dev/null and b/windows/deploy/images/mdt-09-fig28.png differ diff --git a/windows/deploy/images/mdt-09-fig29.png b/windows/deploy/images/mdt-09-fig29.png new file mode 100644 index 0000000000..404842d49c Binary files /dev/null and b/windows/deploy/images/mdt-09-fig29.png differ diff --git a/windows/deploy/images/mdt-09-fig30.png b/windows/deploy/images/mdt-09-fig30.png new file mode 100644 index 0000000000..be962f40ec Binary files /dev/null and b/windows/deploy/images/mdt-09-fig30.png differ 
diff --git a/windows/deploy/images/mdt-09-fig31.png b/windows/deploy/images/mdt-09-fig31.png new file mode 100644 index 0000000000..a40aa9d3bb Binary files /dev/null and b/windows/deploy/images/mdt-09-fig31.png differ diff --git a/windows/deploy/images/mdt-09-fig32.png b/windows/deploy/images/mdt-09-fig32.png new file mode 100644 index 0000000000..446812a3e8 Binary files /dev/null and b/windows/deploy/images/mdt-09-fig32.png differ diff --git a/windows/deploy/images/mdt-10-fig01.png b/windows/deploy/images/mdt-10-fig01.png new file mode 100644 index 0000000000..8a3ebd9711 Binary files /dev/null and b/windows/deploy/images/mdt-10-fig01.png differ diff --git a/windows/deploy/images/mdt-10-fig02.png b/windows/deploy/images/mdt-10-fig02.png new file mode 100644 index 0000000000..d9e5930152 Binary files /dev/null and b/windows/deploy/images/mdt-10-fig02.png differ diff --git a/windows/deploy/images/mdt-10-fig03.png b/windows/deploy/images/mdt-10-fig03.png new file mode 100644 index 0000000000..f652db736c Binary files /dev/null and b/windows/deploy/images/mdt-10-fig03.png differ diff --git a/windows/deploy/images/mdt-10-fig04.png b/windows/deploy/images/mdt-10-fig04.png new file mode 100644 index 0000000000..f98c0501df Binary files /dev/null and b/windows/deploy/images/mdt-10-fig04.png differ diff --git a/windows/deploy/images/mdt-10-fig05.png b/windows/deploy/images/mdt-10-fig05.png new file mode 100644 index 0000000000..64c0c4a6ee Binary files /dev/null and b/windows/deploy/images/mdt-10-fig05.png differ diff --git a/windows/deploy/images/mdt-10-fig06.png b/windows/deploy/images/mdt-10-fig06.png new file mode 100644 index 0000000000..91dc7c5c33 Binary files /dev/null and b/windows/deploy/images/mdt-10-fig06.png differ diff --git a/windows/deploy/images/mdt-10-fig07.png b/windows/deploy/images/mdt-10-fig07.png new file mode 100644 index 0000000000..8613d905a4 Binary files /dev/null and b/windows/deploy/images/mdt-10-fig07.png differ 
diff --git a/windows/deploy/images/mdt-10-fig08.png b/windows/deploy/images/mdt-10-fig08.png new file mode 100644 index 0000000000..ee00637019 Binary files /dev/null and b/windows/deploy/images/mdt-10-fig08.png differ diff --git a/windows/deploy/images/mdt-10-fig09.png b/windows/deploy/images/mdt-10-fig09.png new file mode 100644 index 0000000000..ccdd05f34e Binary files /dev/null and b/windows/deploy/images/mdt-10-fig09.png differ diff --git a/windows/deploy/images/mdt-11-fig05.png b/windows/deploy/images/mdt-11-fig05.png new file mode 100644 index 0000000000..b03c414fb8 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig05.png differ diff --git a/windows/deploy/images/mdt-11-fig06.png b/windows/deploy/images/mdt-11-fig06.png new file mode 100644 index 0000000000..b5944d909e Binary files /dev/null and b/windows/deploy/images/mdt-11-fig06.png differ diff --git a/windows/deploy/images/mdt-11-fig07.png b/windows/deploy/images/mdt-11-fig07.png new file mode 100644 index 0000000000..b80f0908ab Binary files /dev/null and b/windows/deploy/images/mdt-11-fig07.png differ diff --git a/windows/deploy/images/mdt-11-fig08.png b/windows/deploy/images/mdt-11-fig08.png new file mode 100644 index 0000000000..9c258bdd3e Binary files /dev/null and b/windows/deploy/images/mdt-11-fig08.png differ diff --git a/windows/deploy/images/mdt-11-fig09.png b/windows/deploy/images/mdt-11-fig09.png new file mode 100644 index 0000000000..49b3d0b88f Binary files /dev/null and b/windows/deploy/images/mdt-11-fig09.png differ diff --git a/windows/deploy/images/mdt-11-fig10.png b/windows/deploy/images/mdt-11-fig10.png new file mode 100644 index 0000000000..e5c71225f7 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig10.png differ diff --git a/windows/deploy/images/mdt-11-fig11.png b/windows/deploy/images/mdt-11-fig11.png new file mode 100644 index 0000000000..e3e2c70516 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig11.png differ 
diff --git a/windows/deploy/images/mdt-11-fig12.png b/windows/deploy/images/mdt-11-fig12.png new file mode 100644 index 0000000000..1e1a7888d6 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig12.png differ diff --git a/windows/deploy/images/mdt-11-fig13.png b/windows/deploy/images/mdt-11-fig13.png new file mode 100644 index 0000000000..36554c72a6 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig13.png differ diff --git a/windows/deploy/images/mdt-11-fig14.png b/windows/deploy/images/mdt-11-fig14.png new file mode 100644 index 0000000000..075d331bc1 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig14.png differ diff --git a/windows/deploy/images/mdt-11-fig15.png b/windows/deploy/images/mdt-11-fig15.png new file mode 100644 index 0000000000..302847c2a6 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig15.png differ diff --git a/windows/deploy/images/mdt-11-fig16.png b/windows/deploy/images/mdt-11-fig16.png new file mode 100644 index 0000000000..608c161797 Binary files /dev/null and b/windows/deploy/images/mdt-11-fig16.png differ diff --git a/windows/deploy/images/upgradecfg-fig2-upgrading.png b/windows/deploy/images/upgradecfg-fig2-upgrading.png new file mode 100644 index 0000000000..c53de79c29 Binary files /dev/null and b/windows/deploy/images/upgradecfg-fig2-upgrading.png differ diff --git a/windows/deploy/images/upgradecfg-fig3-upgrade.png b/windows/deploy/images/upgradecfg-fig3-upgrade.png new file mode 100644 index 0000000000..d0c1ceaaf9 Binary files /dev/null and b/windows/deploy/images/upgradecfg-fig3-upgrade.png differ diff --git a/windows/deploy/images/upgrademdt-fig1-machines.png b/windows/deploy/images/upgrademdt-fig1-machines.png new file mode 100644 index 0000000000..38129332e6 Binary files /dev/null and b/windows/deploy/images/upgrademdt-fig1-machines.png differ 
diff --git a/windows/deploy/images/upgrademdt-fig2-importedos.png b/windows/deploy/images/upgrademdt-fig2-importedos.png new file mode 100644 index 0000000000..93b92efd93 Binary files /dev/null and b/windows/deploy/images/upgrademdt-fig2-importedos.png differ diff --git a/windows/deploy/images/upgrademdt-fig3-tasksequence.png b/windows/deploy/images/upgrademdt-fig3-tasksequence.png new file mode 100644 index 0000000000..1ad66c2098 Binary files /dev/null and b/windows/deploy/images/upgrademdt-fig3-tasksequence.png differ diff --git a/windows/deploy/images/upgrademdt-fig4-selecttask.png b/windows/deploy/images/upgrademdt-fig4-selecttask.png new file mode 100644 index 0000000000..dcbc73871a Binary files /dev/null and b/windows/deploy/images/upgrademdt-fig4-selecttask.png differ diff --git a/windows/deploy/images/upgrademdt-fig5-winupgrade.png b/windows/deploy/images/upgrademdt-fig5-winupgrade.png new file mode 100644 index 0000000000..f3bc05508a Binary files /dev/null and b/windows/deploy/images/upgrademdt-fig5-winupgrade.png differ diff --git a/windows/deploy/images/vamtuserinterfaceupdated.jpg b/windows/deploy/images/vamtuserinterfaceupdated.jpg new file mode 100644 index 0000000000..32ce362c60 Binary files /dev/null and b/windows/deploy/images/vamtuserinterfaceupdated.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-01.jpg b/windows/deploy/images/volumeactivationforwindows81-01.jpg new file mode 100644 index 0000000000..f6042a82a9 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-01.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-02.jpg b/windows/deploy/images/volumeactivationforwindows81-02.jpg new file mode 100644 index 0000000000..630d9a03e2 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-02.jpg differ 
diff --git a/windows/deploy/images/volumeactivationforwindows81-03.jpg b/windows/deploy/images/volumeactivationforwindows81-03.jpg new file mode 100644 index 0000000000..27962b207c Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-03.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-04.jpg b/windows/deploy/images/volumeactivationforwindows81-04.jpg new file mode 100644 index 0000000000..d5b572f1aa Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-04.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-05.jpg b/windows/deploy/images/volumeactivationforwindows81-05.jpg new file mode 100644 index 0000000000..a4bd9776ac Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-05.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-06.jpg b/windows/deploy/images/volumeactivationforwindows81-06.jpg new file mode 100644 index 0000000000..c29a628b05 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-06.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-07.jpg b/windows/deploy/images/volumeactivationforwindows81-07.jpg new file mode 100644 index 0000000000..346cbaa5c1 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-07.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-08.jpg b/windows/deploy/images/volumeactivationforwindows81-08.jpg new file mode 100644 index 0000000000..eff421d6bb Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-08.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-09.jpg b/windows/deploy/images/volumeactivationforwindows81-09.jpg new file mode 100644 index 0000000000..1e3cf9c0d8 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-09.jpg differ 
diff --git a/windows/deploy/images/volumeactivationforwindows81-10.jpg b/windows/deploy/images/volumeactivationforwindows81-10.jpg new file mode 100644 index 0000000000..d3cd196c34 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-10.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-11.jpg b/windows/deploy/images/volumeactivationforwindows81-11.jpg new file mode 100644 index 0000000000..72e4b613da Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-11.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-12.jpg b/windows/deploy/images/volumeactivationforwindows81-12.jpg new file mode 100644 index 0000000000..9e44ec24f0 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-12.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-13.jpg b/windows/deploy/images/volumeactivationforwindows81-13.jpg new file mode 100644 index 0000000000..e599fcd528 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-13.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-14.jpg b/windows/deploy/images/volumeactivationforwindows81-14.jpg new file mode 100644 index 0000000000..3b3cbc18cb Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-14.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-15.jpg b/windows/deploy/images/volumeactivationforwindows81-15.jpg new file mode 100644 index 0000000000..792b24b282 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-15.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-16.jpg b/windows/deploy/images/volumeactivationforwindows81-16.jpg new file mode 100644 index 0000000000..facdf1d084 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-16.jpg differ 
diff --git a/windows/deploy/images/volumeactivationforwindows81-17.jpg b/windows/deploy/images/volumeactivationforwindows81-17.jpg new file mode 100644 index 0000000000..0f4c683b7e Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-17.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-18.jpg b/windows/deploy/images/volumeactivationforwindows81-18.jpg new file mode 100644 index 0000000000..8728697ed8 Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-18.jpg differ diff --git a/windows/deploy/images/volumeactivationforwindows81-19.jpg b/windows/deploy/images/volumeactivationforwindows81-19.jpg new file mode 100644 index 0000000000..db97a0ba0e Binary files /dev/null and b/windows/deploy/images/volumeactivationforwindows81-19.jpg differ diff --git a/windows/deploy/images/win-10-adk-select.png b/windows/deploy/images/win-10-adk-select.png new file mode 100644 index 0000000000..1dfaa23175 Binary files /dev/null and b/windows/deploy/images/win-10-adk-select.png differ diff --git a/windows/deploy/images/windows-icd.png b/windows/deploy/images/windows-icd.png new file mode 100644 index 0000000000..4bc8a18f4c Binary files /dev/null and b/windows/deploy/images/windows-icd.png differ diff --git a/windows/deploy/import-export-vamt-data.md b/windows/deploy/import-export-vamt-data.md new file mode 100644 index 0000000000..717f65634e --- /dev/null +++ b/windows/deploy/import-export-vamt-data.md 
@@ -0,0 +1,57 @@ +--- +title: Import and Export VAMT Data (Windows 10) +description: Import and Export VAMT Data +ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Import and Export VAMT Data +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: + +- Import and merge data from previous versions of VAMT. + +- Export data to use to perform proxy activations. + +**Warning**   +Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. + +## Import VAMT Data + +**To import data into VAMT** + +1. Open VAMT. + +2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. + +3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. + +4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. + +## Export VAMT Data +Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: + +1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. + +2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. + +3. 
In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. + +4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. + +5. Under **Export options**, select one of the following data-type options: + + - Export products and product keys + + - Export products only + + - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. + +6. If you have selected products to export, select the **Export selected product rows only** check box. + +7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. + +## Related topics +- [Perform Proxy Activation](proxy-activation-vamt.md) \ No newline at end of file diff --git a/windows/deploy/index.md b/windows/deploy/index.md new file mode 100644 index 0000000000..a3b28ded45 --- /dev/null +++ b/windows/deploy/index.md 
@@ -0,0 +1,41 @@ +--- +title: Deploy Windows 10 (Windows 10) +description: Learn about deploying Windows 10 for IT professionals. +ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Deploy Windows 10 +Learn about deploying Windows 10 for IT professionals. + +## In this section + +|Topic |Description | +|------|------------| +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | +|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | +|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. 
| +|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | +|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | +|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | +|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. 
| +|[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | +|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | + +## Related topics +- [Windows 10 and Windows 10 Mobile](../index.md) + +  + +  + + + + + diff --git a/windows/deploy/install-configure-vamt.md b/windows/deploy/install-configure-vamt.md new file mode 100644 index 0000000000..f067221d22 --- /dev/null +++ b/windows/deploy/install-configure-vamt.md @@ -0,0 +1,31 @@ +--- +title: Install and Configure VAMT (Windows 10) +description: Install and Configure VAMT +ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Install and Configure VAMT +This section describes how to install and configure the Volume Activation Management Tool (VAMT). + +## In this Section +|Topic |Description | +|------|------------| +|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | +|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | +|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | + +## Related topics +- [Introduction to VAMT](introduction-vamt.md) + +  + +  + + + + + diff --git a/windows/deploy/install-kms-client-key-vamt.md b/windows/deploy/install-kms-client-key-vamt.md new file mode 100644 index 0000000000..87139b0c7e --- /dev/null +++ b/windows/deploy/install-kms-client-key-vamt.md 
@@ -0,0 +1,44 @@ +--- +title: Install a KMS Client Key (Windows 10) +description: Install a KMS Client Key +ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Install a KMS Client Key +You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. + +**Note**   +By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. + +**To install a KMS Client key** + +1. Open VAMT. + +2. In the left-side pane click **Products** to open the product list view in the center pane. + +3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +5. Click **Filter**. VAMT displays the filtered list in the center pane. + +6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +7. The **Install Product Key** dialog box displays the keys that are available to be installed. + +8. 
Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. + + VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + +## Related topics +- [Perform KMS Activation](kms-activation-vamt.md) \ No newline at end of file diff --git a/windows/deploy/install-product-key-vamt.md b/windows/deploy/install-product-key-vamt.md new file mode 100644 index 0000000000..2e55911707 --- /dev/null +++ b/windows/deploy/install-product-key-vamt.md 
@@ -0,0 +1,53 @@ +--- +title: Install a Product Key (Windows 10) +description: Install a Product Key +ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Install a Product Key +You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). + +**To install a Product key** + +1. Open VAMT. + +2. In the left-side pane, click the product that you want to install keys onto. + +3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +5. Click **Filter**. + +6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. 
When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. + +9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + + **Note**   + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right Volume License Key for Windows](http://go.microsoft.com/fwlink/p/?linkid=238382). + +## Related topics +- [Manage Product Keys](manage-product-keys-vamt.md) + +  + +  + + + + + diff --git a/windows/deploy/install-vamt.md b/windows/deploy/install-vamt.md new file mode 100644 index 0000000000..025b2747b9 --- /dev/null +++ b/windows/deploy/install-vamt.md 
@@ -0,0 +1,57 @@ +--- +title: Install VAMT (Windows 10) +description: Install VAMT +ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Install VAMT +This topic describes how to install the Volume Activation Management Tool (VAMT). + +## Install VAMT +You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10. + +**Important**   +VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.  + +**Note**   +The VAMT Microsoft Management Console snap-in ships as an x86 package. + +After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can download a free copy of Microsoft SQL Server Express and create a new database into which you can import the CIL. To install SQL Server Express: +1. Install the Windows ADK. + +2. Ensure that **Volume Activation Management Tool** and **Microsoft® SQL Server® 2012 Express** are selected to be installed. + +3. Click **Install**. + + +## Select a Database +**Using a SQL database installed during ADK setup** + +If SQL Server 2012 Express was installed during ADK setup, the default database name will be **ADK**.By default, VAMT is configure to use a SQL database that is installed on the local machine during ADK setup and displays the server name as **.\\ADK**. 
If the SQL database was installed on another machine, you must configure the database to allow remote connections and you must provide the corresponding server name. If a new VAMT database needs to be created, provide a name for the new database. + +**Using a SQL database installed outside of ADK setup** + +You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database. + +## Uninstall VAMT +To uninstall VAMT via the **Programs and Features** Control Panel: + +1. Open the **Control Panel** and select **Programs and Features**. + +2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) + +  + +  + + + + + diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md new file mode 100644 index 0000000000..3ad425ec3f --- /dev/null +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md 
@@ -0,0 +1,136 @@ +--- +title: Integrate Configuration Manager with MDT 2013 Update 2 (Windows 10) +description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. +ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 +keywords: ["deploy, image, customize, task sequence"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Integrate Configuration Manager with MDT 2013 Update 2 + + +**Applies to** + +- Windows 10 + +This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. + +MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +## Why integrate MDT 2013 Update 2 with Configuration Manager + + +As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 2 adds to Configuration Manager. 
+ +### MDT enables dynamic deployment + +When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. + +The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: + +- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence. + + ``` syntax + [Settings] + Priority=Model + [HP EliteBook 8570w] + Packages001=PS100010:Install HP Hotkeys + ``` + +- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. + + ``` syntax + [Settings] + Priority= ByLaptopType, ByDesktopType + [ByLaptopType] + Subsection=Laptop-%IsLaptop% + [ByDesktopType] + Subsection=Desktop-%IsDesktop% + [Laptop-True] + Packages001=PS100012:Install Cisco VPN Client + OSDComputerName=LT-%SerialNumber% + MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com + [Desktop-True] + OSDComputerName=DT-%SerialNumber% + MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com + ``` + +![figure 2](images/fig2-gather.png) + +Figure 2. The Gather action in the task sequence is reading the rules. 
+ +### MDT adds an operating system deployment simulation environment + +When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-2013-settings.md). + +![figure 3](images/mdt-06-fig03.png) + +Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1). + +### MDT adds real-time monitoring + +With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. + +![figure 4](images/mdt-06-fig04.png) + +Figure 4. View the real-time monitoring data with PowerShell. + +### MDT adds an optional deployment wizard + +For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer. + +![figure 5](images/mdt-06-fig05.png) + +Figure 5. The optional UDI wizard open in the UDI Wizard Designer. + +MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. 
By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager. + +## Why use MDT Lite Touch to create reference images + + +You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: + +- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager. + +- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. + +- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. + +- The Configuration Manager task sequence does not suppress user interface interaction. + +- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured. + +- MDT Lite Touch does not require any infrastructure and is easy to delegate. 
+ +## Related topics + + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md new file mode 100644 index 0000000000..7a3deda46b --- /dev/null +++ b/windows/deploy/introduction-vamt.md 
@@ -0,0 +1,74 @@ +--- +title: Introduction to VAMT (Windows 10) +description: Introduction to VAMT +ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Introduction to VAMT +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. + +**Note**   +VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. + +## In this Topic +- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) + +- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) + +- [Enterprise Environment](#bkmk-enterpriseenvironment) + +- [VAMT User Interface](#bkmk-userinterface) + +## Managing Multiple Activation Key (MAK) and Retail Activation +You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: + +- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. 
Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. + +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. + +## Managing Key Management Service (KMS) Activation +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. + +VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. 
+ +## Enterprise Environment +VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. + +![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) + +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. + +The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. + +## VAMT User Interface +The following screenshot shows the VAMT graphical user interface. + +![VAMT user interface](images/vamtuserinterfaceupdated.jpg) + +VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: + +- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. + +- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. + +- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. + +- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. 
+ +- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + +  + +  + + + + + diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md new file mode 100644 index 0000000000..cf864d189c --- /dev/null +++ b/windows/deploy/key-features-in-mdt-2013.md 
@@ -0,0 +1,91 @@ +--- +title: Key features in MDT 2013 Update 2 (Windows 10) +description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. +ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 +keywords: ["deploy, feature, tools, upgrade, migrate, provisioning"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Key features in MDT 2013 Update 2 + + +**Applies to** + +- Windows 10 + +The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. + +MDT 2013 has many useful features, the most important of which are: + +- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. + +- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. + +- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. + +- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. + +- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. + +- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + + ![figure 2](images/mdt-05-fig02.png) + + Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. + +- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. 
+ +- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). + +- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. + +- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. + +- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. + +- **Monitoring.** Allows you to see the status of currently running deployments. + +- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). + +- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. + +- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. + +- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. + + ![figure 3](images/mdt-05-fig03.png) + + Figure 3. The offline USMT backup in action. + +- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. + +- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. + +- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. + +- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. 
+ +- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. + +- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. + +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](http://go.microsoft.com/fwlink/p/?LinkId=618117). + +## Related topics + + +[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) + +[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) + +  + +  + + + + + diff --git a/windows/deploy/kms-activation-vamt.md b/windows/deploy/kms-activation-vamt.md new file mode 100644 index 0000000000..ea79345364 --- /dev/null +++ b/windows/deploy/kms-activation-vamt.md 
@@ -0,0 +1,70 @@ +--- +title: Perform KMS Activation (Windows 10) +description: Perform KMS Activation +ms.assetid: 5a3ae8e6-083e-4153-837e-ab0a225c1d10 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Perform KMS Activation +The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. + +## Requirements +Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: + +- KMS host is set up and enabled. + +- KMS clients can access the KMS host. + +- VAMT is installed on a central computer with network access to all client computers. + +- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +## To configure devices for KMS activation + +**To configure devices for KMS activation** + +1. Open VAMT. + +2. If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2. + +3. To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. + +4. 
Under **Key Management Services host selection**, select one of the following options: + + - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation. + + - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation. + + - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host. + +5. Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box. + +6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +7. Click **Filter**. VAMT displays the filtered list in the center pane. + +8. 
In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**. + +9. Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using. + +10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**. + +VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane. + +  + +  + + + + + diff --git a/windows/deploy/local-reactivation-vamt.md b/windows/deploy/local-reactivation-vamt.md new file mode 100644 index 0000000000..d8a5f6f9db --- /dev/null +++ b/windows/deploy/local-reactivation-vamt.md 
@@ -0,0 +1,52 @@ +--- +title: Perform Local Reactivation (Windows 10) +description: Perform Local Reactivation +ms.assetid: aacd5ded-da11-4d27-a866-3f57332f5dec +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Perform Local Reactivation +If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. + +Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. + +**Note**   +During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. + +## To Perform a Local Reactivation + +**To perform a local reactivation** + +1. Open VAMT. Make sure that you are connected to the desired database. + +2. In the left-side pane, click the product you want to reactivate to display the products list. + +3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. 
In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +5. Click **Filter**. VAMT displays the filtered list in the center pane. + +6. In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**. + +7. Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using. + +8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Apply Confirmation ID** dialog box. + +10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. + +11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box. + +12. Click **OK**. + +## Related topics +- [Manage Activations](manage-activations-vamt.md) \ No newline at end of file diff --git a/windows/deploy/manage-activations-vamt.md b/windows/deploy/manage-activations-vamt.md new file mode 100644 index 0000000000..45355c6033 --- /dev/null +++ b/windows/deploy/manage-activations-vamt.md 
@@ -0,0 +1,34 @@ +--- +title: Manage Activations (Windows 10) +description: Manage Activations +ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Manage Activations +This section describes how to activate a client computer, by using a variety of activation methods. + +## In this Section + +|Topic |Description | +|------|------------| +|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | + +  + +  + +  + + + + + diff --git a/windows/deploy/manage-product-keys-vamt.md b/windows/deploy/manage-product-keys-vamt.md new file mode 100644 index 0000000000..0d97b1fce6 --- /dev/null +++ b/windows/deploy/manage-product-keys-vamt.md 
@@ -0,0 +1,30 @@ +--- +title: Manage Product Keys (Windows 10) +description: Manage Product Keys +ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Manage Product Keys +This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. + +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | +|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | +|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | +  + +  + +  + + + + + diff --git a/windows/deploy/manage-vamt-data.md b/windows/deploy/manage-vamt-data.md new file mode 100644 index 0000000000..ce2e7dc5ca --- /dev/null +++ b/windows/deploy/manage-vamt-data.md @@ -0,0 +1,19 @@ +--- +title: Manage VAMT Data (Windows 10) +description: Manage VAMT Data +ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Manage VAMT Data +This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). + +## In this Section + +|Topic |Description | +|------|------------| +|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | +|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | \ No newline at end of file 
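Review bot: the body of key-features-in-mdt-2013.md opens the feature list with "MDT 2013 has many useful features" while the title, the H1 and the Related topics links all say "MDT 2013 Update 2"; use the full product name in that sentence so the reader knows which release the list describes. The captions in this file start at "Figure 2" with no Figure 1 in the topic, so either a reference was lost in the split or the captions should be renumbered, and the run of non-breaking-space lines after the Related topics link adds nothing and should be dropped.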
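Review bot: step 2 of the procedure in kms-activation-vamt.md ends with "Otherwise, continue to step 2" while the reader is already in step 2; the preferences are set in step 3, so it should read "continue to step 3". The heading "## To configure devices for KMS activation" is repeated verbatim as bold text on the next line and one copy should go, and "dialog box.In the" in step 6 is missing a space. The requirement bullet "VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall" should state the intended scope of that firewall exception (the VAMT host only), because the same bullet has VAMT holding administrative rights on every target and the text as written reads as though WMI must be reachable from anywhere.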
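Review bot: the numbered procedure in local-reactivation-vamt.md jumps from step 8 to step 10; the indented line "VAMT displays the **Apply Confirmation ID** dialog box." is a continuation of step 8, so steps 10 to 12 should be renumbered 9 to 11. Step 7 ("Choose **Alternate credentials** only if...") and step 11 ("select the **Use Alternate Credentials** check box") ask the reader to make the same decision twice; if the dialog really prompts twice, say so, otherwise drop one of them. The "## To Perform a Local Reactivation" heading is repeated as bold text on the following line, and the file lacks a trailing newline ("\ No newline at end of file").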
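Review bot: in the table in manage-activations-vamt.md, "Describes how perform volume activation" is missing "to", and "to online activate an Active Directory forest" should be "to activate an Active Directory forest online" to match the "proxy activate" wording of the next row. The intro sentence has a stray comma before "by using a variety of activation methods", and the three non-breaking-space lines after the table can be removed.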
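Review bot: in manage-product-keys-vamt.md, "Describes how to install a product key for specific product" needs "a specific product". The non-breaking-space line that follows the last table row ("Install a KMS Client Key") has no blank line before it, so a Markdown renderer may treat it as part of the table; either insert a blank line or drop the trailing non-breaking-space lines altogether as the other files should.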
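Review bot: manage-vamt-data.md ends without a trailing newline ("\ No newline at end of file"). Its intro promises "how to save, import, export, and merge a Computer Information List (CILX) file", but the table lists only "Import and Export VAMT Data" and "Use VAMT in Windows PowerShell"; either add rows for the save and merge topics or narrow the intro to what the section actually covers.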
diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md new file mode 100644 index 0000000000..0bfae9889e --- /dev/null +++ b/windows/deploy/mdt-2013-lite-touch-components.md 
@@ -0,0 +1,167 @@ +--- +title: MDT 2013 Update 2 Lite Touch components (Windows 10) +description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. +ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 +keywords: ["deploy, install, deployment, boot, log, monitor"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# MDT 2013 Update 2 Lite Touch components + + +**Applies to** + +- Windows 10 + +This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. + +When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. + +![figure 4](images/mdt-05-fig04.png) + +Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. + +## Deployment shares + + +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. 
For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. + +## Rules + + +The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: + +- Computer name + +- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object + +- Whether to enable BitLocker + +- Regional settings + +You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](http://go.microsoft.com/fwlink/p/?LinkId=618117). + +![figure 5](images/mdt-05-fig05.png) + +Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number + +## Boot images + + +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment. + +## Operating systems + + +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. + +## Applications + + +Using the Deployment Workbench, you also add the applications you want to deploy. 
MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. + +## Driver repository + + +You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. + +## Packages + + +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. + +## Task sequences + + +Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. + +You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: + +- **Gather.** Reads configuration settings from the deployment server. + +- **Format and Partition.** Creates the partition(s) and formats them. + +- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. + +- **Apply Operating System.** Uses ImageX to apply the image. 
+ +- **Windows Update.** Connects to a WSUS server and updates the machine. + +## Task sequence templates + + +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. + +- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + + **Note**   + It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + +   + +- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. + +- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. + +- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). + +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. + +- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. + +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. 
+ +- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. + +- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. + +- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +## Selection profiles + + +Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: + +- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. + +- Control which drivers are injected during the task sequence. + +- Control what is included in any media that you create. + +- Control what is replicated to other deployment shares. + +- Filter which task sequences and applications are displayed in the Deployment Wizard. + +## Logging + + +MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. + +**Note**   +The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=734717). + +  + +## Monitoring + + +On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. 
+ +## Related topics + + +[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) + +[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/migrate-application-settings.md b/windows/deploy/migrate-application-settings.md new file mode 100644 index 0000000000..af79e440f7 --- /dev/null +++ b/windows/deploy/migrate-application-settings.md 
@@ -0,0 +1,167 @@ +--- +title: Migrate Application Settings (Windows 10) +description: Migrate Application Settings +ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Migrate Application Settings + + +You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines. + +This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time. + +This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves. + +## In this Topic + + +- [Before You Begin](#bkmk-beforebegin) + +- [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1). + +- [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2). + +- [Step 3: Identify how to apply the gathered settings](#bkmk-step3). + +- [Step 4: Create the migration XML component for the application](#bkmk-step4). + +- [Step 5: Test the application settings migration](#bkmk-step5). 
+ +## Before You Begin + + +You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application. + +## Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer. + + +Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer. + +There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want. + +### Check the registry for an application uninstall key. + +When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. 
For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function. + +Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry. + +### Check the file system for the application executable file. + +You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file. + +## Step 2: Identify settings to collect and determine where each setting is stored on the computer. + + +Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. 
To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable. + +### + +**How To Determine Where Each Setting is Stored** + +1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](http://go.microsoft.com/fwlink/p/?linkid=36109). + +2. Shut down as many applications as possible to limit the registry and file system activity on the computer. + +3. Filter the output of the tools so it only displays changes being made by the application. + + **Note**   + Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. + +   + +4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. + +5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. 
You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting. + + **Note**   + Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. + +   + +## Step 3: Identify how to apply the gathered settings. + + +If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases: + +### Case 1: The version of the application on the destination computer is newer than the one on the source computer. + +In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true: + +- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. 
Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer. + + To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the <`addObjects`> element to add them to the destination computer. + +- [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + +### Case 2: The destination computer already contains settings for the application. 
+ +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the <`destinationCleanup`> element. If for any reason you want to preserve the settings that are on the destination computer, you can use the <`merge`> element and **DestinationPriority** helper function. + +### Case 3: The application overwrites settings when it is installed. + +We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer. + +## Step 4: Create the migration XML component for the application + + +After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. 
You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file. + +**Note**   +We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. + +  + +**Important**   +Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. + +  + +Your script should do the following: + +1. Check whether the application and correct version is installed by: + + - Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function. + + - Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function. + +2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer. + + - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the <`include`> and <`exclude`> elements. 
+ + - If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the <`addObjects`> element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the <`locationModify`> element, and the **RelativeMove** and **ExactMove** helper functions. + + - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the <`destinationCleanup`> element. + +For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md). + +## Step 5: Test the application settings migration + + +On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly. + +To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration. 
+ +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[XML Elements Library](usmt-xml-elements-library.md) + +[Log Files](usmt-log-files.md) + +  + +  + + + + + diff --git a/windows/deploy/migration-store-types-overview.md b/windows/deploy/migration-store-types-overview.md new file mode 100644 index 0000000000..cf0c52812e --- /dev/null +++ b/windows/deploy/migration-store-types-overview.md 
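Review bot: the `#bkmkdetermine` anchor that the Case 1 bullets link to has no target in this hunk (the application-settings migration topic): the heading before "**How To Determine Where Each Setting is Stored**" is an empty `###`, so it renders as a blank heading and the link is dead. Suggest `### How To Determine Where Each Setting is Stored` carrying the `bkmkdetermine` anchor in whatever form this repo uses, and drop the separate bold line. In the Case 1 list the second bullet is wrapped entirely in a link, `- [The newer version of the application cannot read settings ...](#bkmkdetermine)`, while the first bullet is bold; make it bold for consistency and link the later phrase "How to determine where each setting is stored" instead, which is currently plain text. Case 3 also repeats Case 2's opening two sentences verbatim; keep them once.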
@@ -0,0 +1,76 @@ +--- +title: Migration Store Types Overview (Windows 10) +description: Migration Store Types Overview +ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Migration Store Types Overview + + +When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device. + +## In This Topic + + +[Migration Store Types](#bkmk-types) + +[Local Store vs. Remote Store](#bkmk-localvremote) + +[The /localonly Command-Line Option](#bkmk-localonly) + +## Migration Store Types + + +This section describes the three migration store types available in USMT. + +### Uncompressed (UNC) + +The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer. + +### Compressed + +The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer. + +### Hard-Link + +A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. 
This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration. + +You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md). + +The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store. + +![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif) + +## Local Store vs. Remote Store + + +If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing. + +If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. 
For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server. + +**Important**   +If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. + +  + +### The /localonly Command-Line Option + +You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +  + +  + + + + + diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md new file mode 100644 index 0000000000..bd48f813f0 --- /dev/null +++ b/windows/deploy/monitor-activation-client.md 
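Review bot: in migration-store-types-overview.md, "This image file is often encrypted and protected with a password" leaves the security property of the compressed store undefined; state whether encryption is on by default or has to be requested when the store is created, and point at the ScanState Syntax topic that this file already links from the /localonly section, because a reader choosing a store type to place on a network share needs to know whether the user data in it is protected at rest. Minor: the "Uncompressed (UNC)" heading reuses an abbreviation the same file uses for a network path (`\\\\DestinationComputerName\\store`), so spell it out or pick another label; "store it in on a shared folder" has a stray word; and the share is written as `\\store` in one sentence and `C:\\Store` in the next.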
@@ -0,0 +1,51 @@ +--- +title: Monitor activation (Windows 10) +ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 +description: +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Monitor activation +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +You can monitor the success of the activation process for a computer running Windows 8.1 in several ways. The most popular methods include: + +- Using the Volume Licensing Service Center website to track use of MAK keys. + +- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](http://technet.microsoft.com/library/ff793433.aspx).) + +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) + +- Most licensing actions and events are recorded in the Event log. + +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. + +- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md new file mode 100644 index 0000000000..6b38847674 --- /dev/null 
+++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md 
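Review bot: in monitor-activation-client.md the body says "for a computer running Windows 8.1" while the **Applies to** list covers Windows 7 through Windows 10 and Windows Server 2008 R2 through 2012 R2; either generalize the sentence or say why only 8.1 is covered. The front matter also ships an empty `description:` field, unlike every other file in this change; give it a value. The final bullet promises "This is explained in the next section", but the only section that follows is "See also"; link the VAMT topic directly or drop the sentence.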
@@ -0,0 +1,83 @@ +--- +title: Monitor the Windows 10 deployment with Configuration Manager (Windows 10) +description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. +ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce +keywords: ["deploy, upgrade"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Monitor the Windows 10 deployment with Configuration Manager + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. + +For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows: + +1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh). 
+ + **Note**   + It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again. + +   + + ![figure 33](images/mdt-06-fig39.png) + + Figure 33. PC0001 being deployed by Configuration Manager. + +2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. + +3. The task sequence will now run and do the following: + + 1. Install the Windows 10 operating system. + + 2. Install the Configuration Manager client and the client hotfix. + + 3. Join the machine to the domain. + + 4. Install the application added to the task sequence. + + **Note**   + You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. + +   + +4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/offline-migration-reference.md b/windows/deploy/offline-migration-reference.md new file mode 100644 index 0000000000..6ad60f1704 --- /dev/null +++ b/windows/deploy/offline-migration-reference.md 
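Review bot: in monitor-windows-10-deployment-with-configuration-manager.md, "we will use four machines: DC01, CM01, and PC0001" names three; fix the count or add the missing machine (the linked MDT setup topic is where the list should be checked). Step 4 verifies the build by logging in "as Administrator in the CONTOSO domain"; confirming that Adobe Reader XI installed needs no domain-administrator session, so suggest a standard test account rather than showing readers a domain Administrator logon on a freshly imaged client.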
@@ -0,0 +1,263 @@ +--- +title: Offline Migration Reference (Windows 10) +description: Offline Migration Reference +ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Offline Migration Reference + + +Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios: + +- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine. + +- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory. + +When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by: + +- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively. + +- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. This may increase performance on older machines with limited hardware resources and numerous installed software applications. + +- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE. 
+ +## In This Topic + + +- [What Will Migrate Offline?](#bkmk-whatwillmigrate) + +- [What Offline Environments are Supported?](#bkmk-offlineenvironments) + +- [User-Group Membership and Profile Control](#bkmk-usergroupmembership) + +- [Command-Line Options](#bkmk-commandlineoptions) + +- [Environment Variables](#bkmk-environmentvariables) + +- [Offline.xml Elements](#bkmk-offlinexml) + +## What Will Migrate Offline? + + +The following user data and settings migrate offline, similar to an online migration: + +- Data and registry keys specified in MigXML + +- User accounts + +- Application settings + +- Limited set of operating-system settings + +- EFS files + +- Internet Explorer® Favorites + +For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +## What Offline Environments are Supported? + + +The following table defines the supported combination of online and offline operating systems in USMT. + + ++++ + + + + + + + + + + + + + + + + +
Running Operating SystemOffline Operating System

WinPE 5.0 or greater, with the MSXML library

Windows Vista, Windows 7, Windows 8, Windows 10

Windows 7, Windows 8, Windows 10

Windows.old directory

+ +  + +**Note**   +It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](http://go.microsoft.com/fwlink/p/?LinkId=190314). + +  + +## User-Group Membership and Profile Control + + +User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group: + +``` syntax + + + + + + + * + + + + + + +``` + +For information about the format of a Config.xml file, see [Config.xml File](usmt-configxml-file.md). + +## Command-Line Options + + +An offline migration can either be enabled by using a configuration file on the command line, or by using one of the following command line options: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ComponentOptionDescription

ScanState.exe

/offline:<path to offline.xml>

This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.

ScanState.exe

/offlineWinDir:<Windows directory>

This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.

ScanState.exe

/OfflineWinOld:<Windows.old directory>

This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

+ +  + +You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together. + +## Environment Variables + + +The following system environment variables are necessary in the scenarios outlined below. + + +++++ + + + + + + + + + + + + + + + + + + + +
VariableValueScenario

USMT_WORKING_DIR

Full path to a working directory

Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following:

+
Set USMT_WORKING_DIR=[path to working directory]

MIG_OFFLINE_PLATFORM_ARCH

32 or 64

While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:

+
Set MIG_OFFLINE_PLATFORM_ARCH=32
+ +  + +## Offline.xml Elements + + +Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option. + +### <offline> + +This element contains other elements that define how an offline migration is to be performed. + +Syntax: <offline> </offline> + +### <winDir> + +This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume. + +Syntax: < winDir > </ winDir > + +### <path> + +This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory. + +Syntax: <path> c:\\windows </path> + +-or- + +Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path> + +### <mappings> + +This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder. + +Syntax: <mappings> </mappings> + +### <failOnMultipleWinDir> + +This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail. 
+ +Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir> + +### Offline .xml Example + +The following XML example illustrates some of the elements discussed earlier in this topic. + +``` syntax + + + C:\Windows + D:\Windows + E:\ + + 1 + +``` + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +  + +  + + + + + diff --git a/windows/deploy/online-activation-vamt.md b/windows/deploy/online-activation-vamt.md new file mode 100644 index 0000000000..233b91c84b --- /dev/null +++ b/windows/deploy/online-activation-vamt.md 
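Review bot: in offline-migration-reference.md the Offline.xml Elements section refers to "the /offlineDir option", but the Command-Line Options table defines `/offlineWinDir`; use one name. Two further inconsistencies in the same file: the MIG_OFFLINE_PLATFORM_ARCH row gives "a 64-bit version of Windows XP" as the example source system, while the supported-combinations table starts at Windows Vista; and "Windows 7or Windows 8" is missing a space. The BitLocker note should finish the thought: it tells the reader to suspend BitLocker before booting into WinPE so that ScanState can read the volume, but never says to resume protection once ScanState completes, so as written the procedure ends with BitLocker still suspended. Finally, both fenced examples (the `<ProfileControl>` sample and the Offline.xml sample) render with only their text nodes (`*`, `C:\Windows`, `D:\Windows`, `E:\`, `1`) and no element tags; check that the angle brackets survived conversion, because as shown neither sample can be copied into a Config.xml or Offline.xml file.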
@@ -0,0 +1,59 @@ +--- +title: Perform Online Activation (Windows 10) +description: Perform Online Activation +ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Perform Online Activation +You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. + +## Requirements +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: + +- VAMT is installed on a central computer that has network access to all client computers. + +- Both the VAMT host and client computers have Internet access. + +- The products that you want to activate are added to VAMT. + +- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform an Online Activation +**To perform an online activation** + +1. Open VAMT. + +2. In the products list view in the center pane, sort the list if necessary. 
You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +4. Click **Filter**. VAMT displays the filtered list in the center pane. + +5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. + +7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. + +8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + + **Note**   + Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. 
+ + **Note** + You can use online activation to select products that have different key types and activate the products at the same time. + +## Related topics +- [Manage Activations](manage-activations-vamt.md) \ No newline at end of file diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md new file mode 100644 index 0000000000..6a396d19f6 --- /dev/null +++ b/windows/deploy/plan-for-volume-activation-client.md 
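Review bot: step 6 of the procedure tells the reader to click **Activate** and then "point to **Activate**" again, and step 7 then says "Point to **Online activate**"; collapse these into one step (click **Activate** in the **Selected Items** menu, point to **Online activate**, then choose a credential option) so the click path is unambiguous. In the Requirements list, the bullet "VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall" is ungrammatical; split it into two bullets, and since the same hunk says VAMT runs on a central computer, say that the WMI firewall exception on clients should be scoped to that VAMT host's address rather than opened to any source. "Windows Key Management Services (KMS) host key" should read "Key Management Service (KMS) host key" to match the KMS name used elsewhere, and the file should end with a newline (the hunk ends with "\ No newline at end of file").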
@@ -0,0 +1,240 @@ +--- +title: Plan for volume activation (Windows 10) +description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. +ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Plan for volume activation +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation. + +During the activation process, information about the specific installation is examined. In the case of online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization. 
+ +**Note**   +The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. + +## Distribution channels and activation +In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods. + +### Retail activations +The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. + +Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. + +### Original equipment manufacturer +Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. 
This occurs before the computer is sent to the customer, and no additional actions are required. + +OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. + +### Volume licensing +Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: + +- Have the license preinstalled through the OEM. + +- Purchase a fully packaged retail product. + +The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised. + +Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. + +**Note**   +Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. + +## Activation models +For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. 
The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. + +With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: + +- Online activation + +- Telephone activation + +- VAMT proxy activation + +Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models: + +- MAKs + +- KMS + +- Active Directory-based activation + +**Note**   +A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. + +### Multiple activation key +A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. + +To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. 
+ +In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain. + +Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](http://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. + +### Key Management Service +With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. + +Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. + +The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*. + +Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. 
The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. + +### Active Directory-based activation +Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. + +Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. + +## Network and connectivity +A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur. + +### Core network +Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. 
In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. + +In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. + +A typical core network that includes a KMS host is shown in Figure 1. + +![Typical core network](images/volumeactivationforwindows81-01.jpg) + +**Figure 1**. Typical core network + +### Isolated networks +In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. + +**Isolated for security**

+Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. + +If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. + +If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2. + +If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs. + +If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. + +![New KMS host in an isolated network](images/volumeactivationforwindows81-02.jpg) + +**Figure 2**. 
New KMS host in an isolated network + +**Branch offices and distant networks** +From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: + +- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. + +- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server. + +- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server. + +- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. + +### Disconnected computers +Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. 
+ +If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). + +### Test and development labs +Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. + +If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. + +In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. + +## Mapping your network to activation methods +Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. + +**Table 1**. 
Criteria for activation methods + +|Criterion |Activation method | +|----------|------------------| +|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation | +|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days

Note
The core network must meet the KMS activation threshold. |KMS (central) | +|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM | +|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) | +|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) | +|Number of computers in isolated networks where the KMS activation threshold is not met |MAK | +|Number of computers in test and development labs that will not be activated |None| +|Number of computers that do not have a retail volume license |Retail (online or phone) | +|Number of computers that do not have an OEM volume license |OEM (at factory) | +|Total number of computer activations

Note
This total should match the total number of licensed computers in your organization. | | + +## Choosing and acquiring keys +When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: + +- Go to the **Product Keys** section of the [Volume Licensing Service Center](http://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. + +- Contact your [Microsoft Activation Center](http://go.microsoft.com/fwlink/p/?LinkId=618264). + +### KMS host keys +A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Support Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. + +A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. + +### Generic volume licensing keys +When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. + +Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. 
Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. + +Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](http://technet.microsoft.com/library/jj612867.aspx). + +### Multiple activation keys +You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. + +## Selecting a KMS host +The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. + +KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. + +A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure. + +The flow of KMS activation is shown in Figure 3, and it follows this sequence: + +1. 
An administrator uses the VAMT console to configure a KMS host and install a KMS host key. + +2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests. + +3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.) + +4. A client configured with a GVLK uses DNS to locate the KMS host. + +5. The client sends one packet to the KMS host. + +6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again. + +7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host. + +8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. + +![KMS activation flow](images/volumeactivationforwindows81-03.jpg) + +**Figure 3**. KMS activation flow + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md new file mode 100644 index 0000000000..4e0d835ea6 --- /dev/null +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md 
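Review bot: in Table 1 the row "Number of computers that do not connect to the network at least once every 180 days ..." maps to "MAM", which is not an activation method named anywhere in this topic; it should be "MAK". The list "Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2" repeats Windows Server 2012 R2 in the Active Directory-based activation section, the isolated-networks paragraph, Table 1 and the disconnected-computers paragraph (where it is further garbled to "Windows Server 2012 R2 8"); the second entry should be Windows Server 2012, as in the Applies to list. The table rows "do not have a retail volume license" and "do not have an OEM volume license" contradict the earlier statement that retail and OEM are channels distinct from volume licensing; reword them to "computers with a retail license" and "computers with an OEM license". Step 8 of the KMS flow says the client is activated when the count "exceeds" the threshold, while the threshold is defined as "at least 25 computers"; use "meets or exceeds" consistently. Minor: "Microsoft.There" is missing a space, and "GLVK" in the Generic volume licensing keys paragraph should be "GVLK".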
@@ -0,0 +1,180 @@ +--- +title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) +description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. +ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 +keywords: ["deploy, system requirements"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Prepare for deployment with MDT 2013 Update 2 + + +**Applies to** + +- Windows 10 + +This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. + +For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
+ +## System requirements + + +MDT 2013 Update 2 requires the following components: + +- Any of the following operating systems: + + - Windows 7 + + - Windows 8 + + - Windows 8.1 + + - Windows 10 + + - Windows Server 2008 R2 + + - Windows Server 2012 + + - Windows Server 2012 R2 + +- Windows Assessment and Deployment Kit (ADK) for Windows 10 + +- Windows PowerShell + +- Microsoft .NET Framework + +## Install Windows ADK for Windows 10 + + +These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. + +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. + +2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. + +3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: + + 1. Deployment Tools + + 2. Windows Preinstallation Environment (Windows PE) + + 3. User State Migration Tool (UMST) + +## Install MDT 2013 Update 2 + + +These steps assume that you have downloaded [MDT 2013 Update 2](http://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01. + +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. + +2. Install **MDT** (E:\\Downloads\\MDT 2013\\MicrosoftDeploymentToolkit2013\_x64.msi) with the default settings. + +## Create the OU structure + + +If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 2. + +1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**. + +2. In the **Contoso** OU, create the following OUs: + + 1. Accounts + + 2. 
Computers + + 3. Groups + +3. In the **Contoso / Accounts** OU, create the following underlying OUs: + + 1. Admins + + 2. Service Accounts + + 3. Users + +4. In the **Contoso / Computers** OU, create the following underlying OUs: + + 1. Servers + + 2. Workstations + +5. In the **Contoso / Groups** OU, create the following OU: + + - Security Groups + +![figure 6](images/mdt-05-fig07.png) + +Figure 6. A sample of how the OU structure will look after all the OUs are created. + +## Create the MDT service account + + +When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. + +1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. + +2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings: + + 1. Name: MDT\_BA + + 2. User logon name: MDT\_BA + + 3. Password: P@ssw0rd + + 4. User must change password at next logon: Clear + + 5. User cannot change password: Selected + + 6. Password never expires: Selected + +## Create and share the logs folder + + +By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: + + ``` syntax + New-Item -Path E:\Logs -ItemType directory + New-SmbShare ?Name Logs$ ?Path E:\Logs -ChangeAccess EVERYONE + icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' + ``` + +![figure 7](images/mdt-05-fig08.png) + +Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. 
+ +## Use CMTrace to read log files (optional) + + +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. + +![figure 8](images/mdt-05-fig09.png) + +Figure 8. An MDT log file opened in Notepad. + +![figure 9](images/mdt-05-fig10.png) + +Figure 9. The same log file, opened in CMTrace, is much easier to read. + +## Related topics + + +[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) + +[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) + +  + +  + + + + + diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md new file mode 100644 index 0000000000..ca1a31fd3a --- /dev/null +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
@@ -0,0 +1,277 @@ +--- +title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) +description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). +ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 +keywords: ["install, configure, deploy, deployment"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager + + +**Applies to** + +- Windows 10 + +This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). + +## Prerequisites + + +In this topic, you will use an existing Configuration Manager server structure to prepare for operating system deployment. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: + +- Active Directory Schema has been extended and System Management container created. + +- Active Directory Forest Discovery and Active Directory System Discovery have been enabled. + +- IP range boundaries and a boundary group for content and site assignment have been created. + +- The Configuration Manager reporting services point role has been added and configured + +- A file system folder structure for packages has been created. 
+ +- A Configuration Manager console folder structure for packages has been created. + +- System Center 2012 R2 Configuration Manager SP1 and any additional Windows 10 prerequisites are installed. + +For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +## Create the Configuration Manager service accounts + + +To configure permissions for the various service accounts needed for operating system deployment in Configuration Manager, you use a role-based model. To create the Configuration Manager Join Domain account as well as the Configuration Manager Network Access account, follow these steps: + +1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. + +2. Select the Service Accounts OU and create the CM\_JD account using the following settings: + + 1. Name: CM\_JD + + 2. User logon name: CM\_JD + + 3. Password: P@ssw0rd + + 4. User must change password at next logon: Clear + + 5. User cannot change password: Select + + 6. Password never expires: Select + +3. Repeat the step, but for the CM\_NAA account. + +4. After creating the accounts, assign the following descriptions: + + 1. CM\_JD: Configuration Manager Join Domain Account + + 2. CM\_NAA: Configuration Manager Network Access Account + +![figure 6](images/mdt-06-fig06.png) + +Figure 6. The Configuration Manager service accounts used for operating system deployment. 
+ +## Configure Active Directory permissions + + +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](http://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. + +1. On DC01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**. + +2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command: + + ``` syntax + Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force + + Set-Location C:\Setup\Scripts + + .\Set-OUPermissions.ps1 -Account CM_JD + -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" + ``` + +3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted: + + 1. Scope: This object and all descendant objects + + 2. Create Computer objects + + 3. Delete Computer objects + + 4. Scope: Descendant Computer objects + + 5. Read All Properties + + 6. Write All Properties + + 7. Read Permissions + + 8. Modify Permissions + + 9. Change Password + + 10. Reset Password + + 11. Validated write to DNS host name + + 12. Validated write to service principal name + +## Review the Sources folder structure + + +To support the packages you create in this section, the following folder structure should be created on the Configuration Manager primary site server (CM01): + +**Note**   +In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. 
+ +  + +- E:\\Sources + +- E:\\Sources\\OSD + +- E:\\Sources\\OSD\\Boot + +- E:\\Sources\\OSD\\DriverPackages + +- E:\\Sources\\OSD\\DriverSources + +- E:\\Sources\\OSD\\MDT + +- E:\\Sources\\OSD\\OS + +- E:\\Sources\\OSD\\Settings + +- E:\\Sources\\Software + +- E:\\Sources\\Software\\Adobe + +- E:\\Sources\\Software\\Microsoft + +![figure 7](images/mdt-06-fig07.png) + +Figure 7. The E:\\Sources\\OSD folder structure. + +## Integrate Configuration Manager with MDT + + +To extend the Configuration Manager console with MDT 2013 Update 2 wizards and templates, you install MDT 2013 Update 2 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 2 to the C:\\Setup\\MDT2013 folder on CM01. + +1. On CM01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**. + +2. Make sure the Configuration Manager Console is closed before continuing. + +3. Using File Explorer, navigate to the **C:\\Setup\\MDT 2013** folder. + +4. Run the MDT 2013 setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard. + +5. From the Start screen, run Configure ConfigManager Integration with the following settings: + + 1. Site Server Name: CM01.contoso.com + + 2. Site code: PS1 + +![figure 8](images/mdt-06-fig08.png) + +Figure 8. Set up the MDT 2013 Update 2 integration with Configuration Manager. + +## Configure the client settings + + +Most organizations want to display their name during deployment. In this section, you configure the default Configuration Manager client settings with the Contoso organization name. + +1. On CM01, using the Configuration Manager Console, in the Administration workspace, select **Client Settings**. + +2. In the right pane, right-click **Default Client Settings**, and select **Properties**. + +3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**. 
+ +![figure 9](images/mdt-06-fig10.png) + +Figure 9. Configure the organization name in client settings. + +![figure 10](images/fig10-contosoinstall.png) + +Figure 10. The Contoso organization name displayed during deployment. + +## Configure the Network Access account + + +Configuration Manager uses the Network Access account during the Windows 10 deployment process to access content on the distribution point(s). In this section, you configure the Network Access account. + +1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**. + +2. Right-click **PS1 - Primary Site 1**, select **Configure Site Components**, and then select **Software Distribution**. + +3. In the **Network Access Account** tab, configure the **CONTOSO\\CM\_NAA** user account (select New Account) as the Network Access account. Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share. + +![figure 11](images/mdt-06-fig12.png) + +Figure 11. Test the connection for the Network Access account. + +## Enable PXE on the CM01 distribution point + + +Configuration Manager has many options for starting a deployment, but starting via PXE is certainly the most flexible in a large environment. In this section, you enable PXE on the CM01 distribution point. + +1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**. + +2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. + +3. In the **PXE** tab, select the following settings: + + 1. Enable PXE support for clients + + 2. Allow this distribution point to respond to incoming PXE requests + + 3. Enable unknown computer support + + 4. Require a password when computers use PXE + + 5. Password and Confirm password: Passw0rd! + + ![figure 12](images/mdt-06-fig13.png) + + Figure 12. Configure the CM01 distribution point for PXE. + +4. 
Using the Configuration Manager Trace Log Tool, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. + + ![figure 13](images/mdt-06-fig14.png) + + Figure 13. The distmgr.log displays a successful configuration of PXE on the distribution point. + +5. Verify that you have seven files in each of the folders **E:\\RemoteInstall\\SMSBoot\\x86** and **E:\\RemoteInstall\\SMSBoot\\x64**. + + ![figure 14](images/mdt-06-fig15.png) + + Figure 14. The contents of the E:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE. + +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + 
diff --git a/windows/deploy/proxy-activation-vamt.md b/windows/deploy/proxy-activation-vamt.md new file mode 100644 index 0000000000..8866da1596 --- /dev/null +++ b/windows/deploy/proxy-activation-vamt.md 
@@ -0,0 +1,76 @@ +--- +title: Perform Proxy Activation (Windows 10) +description: Perform Proxy Activation +ms.assetid: 35a919ed-f1cc-4d10-9c88-9bd634549dc3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Perform Proxy Activation +You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. + +In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. + +**Note**   +For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.  
+ +## Requirements +Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: + +- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. + +- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key. + +- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall. + +- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform Proxy Activation + +**To perform proxy activation** + +1. Open VAMT. + +2. If necessary, install product keys. For more information see: + + - [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK). 
+ + - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys. + +3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +5. Click **Filter**. VAMT displays the filtered list in the center pane. + +6. In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box. + +7. In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**. + +8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. + +9. Click **OK**. + +10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. + + **Note**   + You can use proxy activation to select products that have different key types and activate the products at the same time. + +  + +  + +  + + + + + diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md new file mode 100644 index 0000000000..374661ead5 --- /dev/null 
+++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -0,0 +1,149 @@ +--- +title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. +ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 +keywords: ["upgrade, install, installation, computer refresh"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 + +This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md). + +A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: + +1. Data and settings are backed up locally in a backup folder. + +2. The partition is wiped, except for the backup folder. + +3. The new operating system image is applied. + +4. Other applications are installed. + +5. Data and settings are restored. 
+ +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed. + +## Create a device collection and add the PC0003 computer + + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + + 1. General + + 2. Name: Install Windows 10 Enterprise x64 + + 3. Limited Collection: All Systems + + 4. Membership rules: + + 5. Direct rule + + 6. Resource Class: System Resource + + 7. Attribute Name: Name + + 8. Value: PC0003 + + 9. Select **Resources** + + 10. Select **PC0003** + +2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. + +**Note**   +It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. + +  + +## Create a new deployment + + +Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. 
Use the following settings: + +- General + + - Collection: Install Windows 10 Enterprise x64 + +- Deployment Settings + + - Purpose: Available + + - Make available to the following: Configuration Manager clients, media and PXE + + **Note**   + It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + +   + +- Scheduling + + - <default> + +- User Experience + + - <default> + +- Alerts + + - <default> + +- Distribution Points + + - <default> + +## Initiate a computer refresh + + +Now you can start the computer refresh on PC0003. + +1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**. + + **Note**   + The Client Notification feature is new in Configuration Manager. + +   + +2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**. + +3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**. 
+ +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md new file mode 100644 index 0000000000..fee360b2f4 --- /dev/null +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md 
@@ -0,0 +1,162 @@ +--- +title: Refresh a Windows 7 computer with Windows 10 (Windows 10) +description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. +ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f +keywords: ["reinstallation, customize, template, script, restore"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Refresh a Windows 7 computer with Windows 10 + + +**Applies to** + +- Windows 10 + +This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. + +For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](images/mdt-04-fig01.png) + +Figure 1. The machines used in this topic. + +## The computer refresh process + + +Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. 
+ +For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: + +1. Back up data and settings locally, in a backup folder. + +2. Wipe the partition, except for the backup folder. + +3. Apply the new operating system image. + +4. Install other applications. + +5. Restore data and settings. + +During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. + +**Note**   +In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario. + +  + +### Multi-user migration + +By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT). + +As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* + +**Note**   +You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. 
For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. + +  + +### Support for additional settings + +In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles + +## Create a custom User State Migration Tool (USMT) template + + +In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will: + +1. Back up the **C:\\Data** folder (including all files and folders). + +2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine. + +The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include: + +- [Gather script](http://go.microsoft.com/fwlink/p/?LinkId=619361) + +- [Set-OUPermissions](http://go.microsoft.com/fwlink/p/?LinkId=619362) script + +- [MDT Sample Web Service](http://go.microsoft.com/fwlink/p/?LinkId=619363) + +### Add the custom XML template + +In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file. + +1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder. + +2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line: + + ``` syntax + USMTMigFiles003=MigContosoData.xml + ``` + +3. Save the CustomSettings.ini file. 
+ +## Refresh a Windows 7 SP1 client + + +After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10. + +**Note**   +MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](http://go.microsoft.com/fwlink/p/?LinkId=618117). + +  + +### Upgrade (refresh) a Windows 7 SP1 client + +1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: + + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM + + 2. Computer name: <default> + + 3. Specify where to save a complete computer backup: Do not back up the existing computer + + **Note**   + Skip this optional full WIM backup. The USMT backup will still run. + +   + +2. Select one or more applications to install: Install - Adobe Reader XI - x86 + +3. The setup now starts and does the following: + + 1. Backs up user settings and data using USMT. + + 2. Installs the Windows 10 Enterprise x64 operating system. + + 3. Installs the added application(s). + + 4. Updates the operating system via your local Windows Server Update Services (WSUS) server. + + 5. Restores user settings and data using USMT. + +![figure 2](images/fig2-taskseq.png) + +Figure 2. Starting the computer refresh from the running Windows 7 SP1 client. 
+ +## Related topics + + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) + +[Configure MDT settings](configure-mdt-2013-settings.md) + +  + +  + + + + + diff --git a/windows/deploy/remove-products-vamt.md b/windows/deploy/remove-products-vamt.md new file mode 100644 index 0000000000..1ee6fa653c --- /dev/null +++ b/windows/deploy/remove-products-vamt.md 
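Review bot: The step numbering in the "Upgrade (refresh) a Windows 7 SP1 client" procedure of the refresh topic above is off: "Select one or more applications to install" is a page of the same wizard and belongs as sub-step 4 under step 1, not as a top-level step 2, which currently sits between the wizard settings and "The setup now starts". In the same step, "Complete the deployment guide" should read "Complete the Windows Deployment Wizard", the wizard name used in the sibling topics, and the script is spelled `Litetouch.vbs` here but `LiteTouch.vbs` in the replace topic; pick one. Also add the missing period after "within and outside the user profiles", and tag the CustomSettings.ini fence as `ini` (or leave it untagged) rather than `syntax`, which no highlighter recognises.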
@@ -0,0 +1,44 @@ +--- +title: Remove Products (Windows 10) +description: Remove Products +ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Remove Products +To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. + +**To delete one or more products** + +1. Click a product node in the left-side pane. + +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +4. Click **Filter**. VAMT displays the filtered list in the center pane. + +5. Select the products you want to delete. + +6. Click **Delete** in the **Selected Items** menu in the right-side pane. + +7. On the **Confirm Delete Selected Products** dialog box, click **OK**. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) + +  + +  + + + + + diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md new file mode 100644 index 0000000000..b9c865b739 --- /dev/null +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md 
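Review bot: Step 2 of "To delete one or more products" says the Filter function narrows the search "for computers", but this procedure filters and deletes products, and the dialog it opens is "Filter Products"; say "products" to match. The topic should also state what the delete actually affects: the opening sentence scopes it to the product list view in VAMT, so make explicit whether deleting an entry changes anything on the target computer (installed key or activation state) or only removes the record from the VAMT database, since an administrator cleaning up the list needs to know before clicking **OK** on "Confirm Delete Selected Products".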
@@ -0,0 +1,231 @@ +--- +title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. +ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 +keywords: ["upgrade, install, installation, replace computer, setup"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 + +In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + +## Create a replace task sequence + + +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. 
On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. + +3. On the **General** page, assign the following settings and click **Next**: + + 1. Task sequence name: Replace Task Sequence + + 2. Task sequence comments: USMT backup only + +4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. + +5. On the **MDT Package** page, browse and select the **OSD / MDT 2013** package. Then click **Next**. + +6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. + +7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. + +8. On the **Summary** page, review the details and then click **Next**. + +9. On the **Confirmation** page, click **Finish**. + +10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. + +![figure 34](images/mdt-06-fig42.png) + +Figure 34. The backup-only task sequence (named Replace Task Sequence). + +## Associate the new machine with the old computer + + +This section walks you through the process of associating a blank machine, PC0006, with an old machine, PC0004, for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. + +1. Make a note of the PC0006 machine's MAC Address. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. + +2. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. + +3. 
On the **Select Source** page, select **Import single computer** and click **Next**. + +4. On the **Single Computer** page, use the following settings and then click **Next**: + + 1. Computer Name: PC0006 + + 2. MAC Address: <the mac address from step 1> + + 3. Source Computer: PC0004 + + ![figure 35](images/mdt-06-fig43.png) + + Figure 35. Creating the computer association between PC0004 and PC0006. + +5. On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**. + +6. On the **Data Preview** page, click **Next**. + +7. On the **Choose Target Collection** page, select the **Install Windows 10 Enterprise x64** collection and click **Next**. + +8. On the **Summary** page, click **Next**, and then click **Close**. + +9. Select the **User State Migration** node and review the computer association in the right pane. + +10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. + +11. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0006 machine in the collection. You might have to update and refresh the collection again. + +## Create a device collection and add the PC0004 computer + + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings. + + 1. General + + 2. Name: USMT Backup (Replace) + + 3. Limited Collection: All Systems + + 4. Membership rules: + + 5. Direct rule + + 6. Resource Class: System Resource + + 7. Attribute Name: Name + + 8. Value: PC0004 + + 9. Select **Resources** + + 10. Select **PC0004** + +2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection. 
+ +## Create a new deployment + + +Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: + +- General + + - Collection: USMT Backup (Replace) + +- Deployment Settings + + - Purpose: Available + + - Make available to the following: Only Configuration Manager Clients + +- Scheduling + + - <default> + +- User Experience + + - <default> + +- Alerts + + - <default> + +- Distribution Points + + - <default> + +## Verify the backup + + +This section assumes that you have a machine named PC0004 with the Configuration Manager 2012 client installed. + +1. Start the PC0004 machine, and using the Control Panel, start the Configuration Manager applet. + +2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**. + + **Note**   + You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + +   + +3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**. + +4. In the **Software Center** dialog box, click **INSTALL OPERATING SYSTEM**. + +5. Allow the Replace Task Sequence to complete. It should only take about five minutes. + +6. On CM01, in the **D:\\MigData** folder, verify that a folder was created containing the USMT backup. + +7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. + +**Note**   +It may take a few minutes for the user state store location to be populated. + +  + +## Deploy the new computer + + +1. 
Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: + + 1. Password: P@ssw0rd + + 2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image + +2. The setup now starts and does the following: + + 1. Installs the Windows 10 operating system + + 2. Installs the Configuration Manager client + + 3. Joins it to the domain + + 4. Installs the applications + + 5. Restores the PC0004 backup + +When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored. + +## Related topics + + +[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration 
Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +  + +  + + + + + diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md new file mode 100644 index 0000000000..5dd918cbc5 --- /dev/null +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md 
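Review bot: The front-matter description and the opening paragraph both read "you will learn how to replacing a Windows 7 SP1 computer"; fix to "how to replace". In step 6 of "Create a replace task sequence" the bold marker is misplaced ("the O**SD / Microsoft Corporation ..."). In "Create a device collection and add the PC0004 computer", the ten numbered items under step 1 are wizard settings, not steps ("General", "Membership rules" and "Direct rule" are section labels), so render them as a nested settings list as "Create a new deployment" does. In "Verify the backup", step 6 has the USMT user-state store written to `D:\MigData` on CM01 without saying how that folder is shared or which accounts can read it; the store contains captured user data, so add the share and NTFS permissions (or point to where they are configured), as the MDT replace topic does for `E:\MigData`. Finally, step 1 of "Deploy the new computer" should read "press **F12** to start a Pre-Boot Execution Environment (PXE) boot".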
@@ -0,0 +1,181 @@ +--- +title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) +description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. +ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a +keywords: ["deploy, deployment, replace"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Replace a Windows 7 computer with a Windows 10 computer + + +**Applies to** + +- Windows 10 + +A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. + +For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](images/mdt-03-fig01.png) + +Figure 1. The machines used in this topic. + +## Prepare for the computer replace + + +When preparing for the computer replace, you need to create a folder in which to store the backup, and a backup only task sequence that you run on the old computer. + +### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share + +1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules. 
+ +2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. + +### Create and share the MigData folder + +1. On MDT01, log on as **CONTOSO\\Administrator**. + +2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: + + ``` syntax + New-Item -Path E:\MigData -ItemType directory + New-SmbShare ?Name MigData$ ?Path E:\MigData + -ChangeAccess EVERYONE + icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)' + ``` + +### Create a backup only (replace) task sequence + +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**. + +2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + + 1. Task sequence ID: REPLACE-001 + + 2. Task sequence name: Backup Only Task Sequence + + 3. Task sequence comments: Run USMT to backup user data and settings + + 4. Template: Standard Client Replace Task Sequence + +3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. + + ![figure 2](images/mdt-03-fig02.png) + + Figure 2. The Backup Only Task Sequence action list. + +## Perform the computer replace + + +During a computer replace, these are the high-level steps that occur: + +1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup. + +2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. + +### Execute the replace task sequence + +1. On PC0002, log on as **CONTOSO\\Administrator**. + +2. Verify that you have write access to the **\\\\MDT01\\MigData$** share. 
+ +3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. + +4. Complete the Windows Deployment Wizard using the following settings: + + 1. Select a task sequence to execute on this computer: Backup Only Task Sequence + + 1. Specify where to save your data and settings: Specify a location + + 2. Location: \\\\MDT01\\MigData$\\PC0002 + + **Note**   + If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. + +   + + 2. Specify where to save a complete computer backup: Do not back up the existing computer + + 3. Password: P@ssw0rd + + The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine. + + ![figure 3](images/mdt-03-fig03.png) + + Figure 3. The new task sequence running the Capture User State action on PC0002. + +5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder. + + ![figure 4](images/mdt-03-fig04.png) + + Figure 4. The USMT backup of PC0002. + +### Deploy the PC0007 virtual machine + +1. Create a virtual machine with the following settings: + + 1. Name: PC0007 + + 2. Location: C:\\VMs + + 3. Generation: 2 + + 4. Memory: 2048 MB + + 5. Hard disk: 60 GB (dynamic disk) + +2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server. + + ![figure 5](images/mdt-03-fig05.png) + + Figure 5. The initial PXE boot process of PC0005. + +3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: + + 1. Password: P@ssw0rd + + 2. Select a task sequence to execute on this computer: + + 1. Windows 10 Enterprise x64 RTM Custom Image + + 2. Computer Name: PC0007 + + 3. Applications: Select the Install - Adobe Reader XI - x86 application. + +4. The setup now starts and does the following: + + 1. 
Installs the Windows 10 Enterprise operating system. + + 2. Installs the added application. + + 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. + + 4. Restores the USMT backup from PC0002. + +## Related topics + + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Configure MDT settings](configure-mdt-2013-settings.md) + +  + +  + + + + + diff --git a/windows/deploy/scenario-kms-activation-vamt.md b/windows/deploy/scenario-kms-activation-vamt.md new file mode 100644 index 0000000000..e128768cb3 --- /dev/null +++ b/windows/deploy/scenario-kms-activation-vamt.md 
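Review bot: The PowerShell block in "Create and share the MigData folder" does not run as written: the `?Name` and `?Path` characters are mis-encoded dashes and should be `-Name` and `-Path`, and `-ChangeAccess EVERYONE` sits on a line of its own with no backtick continuation, so it is not part of the `New-SmbShare` call (the text promises three commands but the block has four lines). Beyond the syntax, granting EVERYONE Change at the share level is broader than this share needs: it stores the USMT.MIG captures of user data, and the `icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)'` line is what actually limits access, so grant share access to that same account (the one the task sequence connects as) instead of Everyone, and tag the fence `powershell` rather than `syntax`. Smaller fixes: "Window Imaging (WIM)" should be "Windows Imaging"; "an USMT.MIG" should be "a USMT.MIG"; the Figure 5 caption says PC0005 but the machine being deployed is PC0007; and the sub-list under step 4 of "Execute the replace task sequence" restarts its numbering (1., 1., 2., 2., 3.), so the wizard settings should be one consistently nested list.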
@@ -0,0 +1,69 @@ +--- +title: Scenario 3 KMS Client Activation (Windows 10) +description: Scenario 3 KMS Client Activation +ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Scenario 3: KMS Client Activation + + +In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +The procedure that is described below assumes the following: + +- The KMS Service is enabled and available to all KMS clients. + +- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. + +## Activate KMS Clients + + +1. Open VAMT. + +2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. + +3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: + + - **Find a KMS host automatically using DNS**. This is the default setting. 
VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. + + - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. + + - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. + +4. In the left-side pane, in the **Products** node, click the product that you want to activate. + +5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +7. Click **Filter**. VAMT displays the filtered list in the center pane. + +8. Select the products that you want to activate. + +9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. + +10. 
VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + +## Related topics + + +[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + +  + +  + + + + + diff --git a/windows/deploy/scenario-online-activation-vamt.md b/windows/deploy/scenario-online-activation-vamt.md new file mode 100644 index 0000000000..dc3fed1186 --- /dev/null +++ b/windows/deploy/scenario-online-activation-vamt.md 
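Review bot: Step 9 of "Activate KMS Clients" has the reader click **Activate** twice ("Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**"); drop the duplicate. In step 3, the first option notes that a registry key with a valid KMS host on the client takes precedence over DNS discovery, and the third option says VAMT "will set the specified KMS host name and KMS host port on the target computer"; the topic should say plainly that choosing **Use specific KMS host** therefore writes a persistent override on each client that will keep winning over DNS until it is cleared, since an administrator troubleshooting activation later needs to know where the setting came from. Step 5 repeats the "narrow your search for computers" wording while filtering products (same fix as the remove-products topic), and the trademark symbols on "Windows® 7", "Windows Server® 2012" and "Microsoft® Office 2010" are applied inconsistently with the other product names in the same sentence.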
@@ -0,0 +1,179 @@ +--- +title: Scenario 1 Online Activation (Windows 10) +description: Scenario 1 Online Activation +ms.assetid: 94dba40e-383a-41e4-b74b-9e884facdfd3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Scenario 1: Online Activation +In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: + +- Multiple Activation Key (MAK) + +- Windows Key Management Service (KMS) keys: + + - KMS Host key (CSVLK) + + - Generic Volume License Key (GVLK), or KMS client key + +- Retail + +The Secure Zone represents higher-security Core Network computers that have additional firewall protection. + +![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) + +## In This Topic +- [Install and start VAMT on a networked host computer](#bkmk-partone) + +- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) + +- [Connect to VAMT database](#bkmk-partthree) + +- [Discover products](#bkmk-partfour) + +- [Sort and filter the list of computers](#bkmk-partfive) + +- [Collect status information from the computers in the list](#bkmk-partsix) + +- [Add product keys and determine the remaining activation count](#bkmk-partseven) + +- [Install the product keys](#bkmk-parteight) + +- [Activate the client products](#bkmk-partnine) + +## Step 1: Install and start VAMT on a networked host computer + +1. Install VAMT on the host computer. + +2. Click the VAMT icon in the **Start** menu to open VAMT. 
+ +## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers + +- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + + **Note**   + To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +## Step 3: Connect to a VAMT database + +1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. + +2. Click **Connect**. + +3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) + +## Step 4: Discover products + +1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. + +2. To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane. + +3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. 
You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query: + + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". + + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing. + + - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. + +4. Click **Search**. + + When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. 
+ +## Step 5: Sort and filter the list of computers +You can sort the list of products so that it is easier to find the computers that require product keys to be activated: + +1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. + +2. To sort the list further, you can click one of the column headings to sort by that column. + +3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. + +## Step 6: Collect status information from the computers in the list +To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: + +- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. + +- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. + +**To collect status information from the selected computers** + +1. In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. 
Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. + +2. VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. + + **Note**   + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +## Step 7: Add product keys and determine the remaining activation count +1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. + +2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: + + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**. + + - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + The keys that you have added appear in the **Product Keys** list view in the center pane. + + **Important**   + If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. 
In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Step 8: Install the product keys +1. In the left-side pane, click the product that you want to install keys on to. + +2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive). + +3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. + +6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. 
+ + The same status appears under the **Status of Last Action** column in the product list view in the center pane. + + **Note**   + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](http://go.microsoft.com/fwlink/p/?linkid=238382) + +## Step 9: Activate the client products +1. Select the individual products that you want to activate in the list-view pane. + +2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. + +3. If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option. + +4. Enter your alternate user name and password and click **OK**. + +5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. + + **Note**   + Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. 
However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. + + RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + +  + +  + + + + + diff --git a/windows/deploy/scenario-proxy-activation-vamt.md b/windows/deploy/scenario-proxy-activation-vamt.md new file mode 100644 index 0000000000..645a6cbbe1 --- /dev/null +++ b/windows/deploy/scenario-proxy-activation-vamt.md 
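Review bot: the cross-reference in Step 8, step 2, `See [Step 5: Sort and filter the list of computers](#bkmk-partfive)`, points at an anchor that this file never defines; the target heading is `## Step 5: Sort and filter the list of computers`, so either link to the heading's generated slug or add an explicit anchor beside the heading. The dialog names in Step 8 also disagree with each other: step 4 opens the **Install Product Key** dialog box and step 5 describes the **Select Product Key** dialog box, and in Step 7 step 1 opens **Add Product Keys** while step 2 refers to **Add Product Key**; pick one name per dialog. Wording defects to fix in the same hunk: "continue to step 2.If you are supplying" is missing a space, "IPV6" should be "IPv6" (the proxy-activation topic in this commit spells it that way), "install keys on to" should be "onto", and "selected computers(s)" in Step 9 has a stray "s". The LDAP bullet ("VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks") does not say which account the query runs under or what directory scope it searches; one sentence on that would let readers judge what a search can reach.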
@@ -0,0 +1,252 @@ +--- +title: Scenario 2 Proxy Activation (Windows 10) +description: Scenario 2 Proxy Activation +ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Scenario 2: Proxy Activation + + +In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: + +![vamt mak proxy activation scenario](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) + +## Part 1: Install VAMT on a Workgroup Computer in the Isolated Lab + + +1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012. + +2. Click the VAMT icon in the **Start** menu to open VAMT. + +## Part 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers + + +- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +**Note**   +To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. 
In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +  + +## Part 3: Connect to a VAMT Database + + +1. If the host computer in the isolated lab workgroup is not already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup. + +2. Click **Connect**. + +3. If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md) + +## Part 4: Discover Products + + +1. In the left-side pane, in the **Products** node, click the product that you want to activate. + +2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane. + +3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query: + + - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. 
This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". + + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that both IPv4 and IPv6addressing are supported. + + - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". + + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. + +4. Click **Search**. + +The **Finding Computers** window appears and displays the search progress as the computers are located. + +When the search is complete, the products that VAMT discovers appear in the list view in the center pane. + +## Part 5: Sort and Filter the List of Computers + + +You can sort the list of products so that it is easier to find the computers that require product keys to be activated: + +1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. + +2. To sort the list further, you can click one of the column headings to sort by that column. + +3. 
You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. + +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + + - To filter the list by computer name, enter a name in the **Computer Name** box. + + - To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. + +5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. + +## Part 6: Collect Status Information from the Computers in the Isolated Lab + + +To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: + +- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. + +- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information. + +To collect status information from the selected computers: + +1. In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. + +2. 
VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. + +**Note**   +If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + +  + +## Part 7: Add Product Keys + + +1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. + +2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys: + + - To add a single product key, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add key(s)**. + + - To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. + + The keys that you have added appear in the **Product Keys** list view in the center pane. + +## Part 8: Install the Product Keys on the Isolated Lab Computers + + +1. In the left-side pane, in the **Products** node click the product that you want to install keys onto. + +2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort the list of computers](#bkmk-step5). + +3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. + +4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. + +5. 
The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. + +6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status appears under the **Status of Last Action** column in the product list view in the center pane. + +**Note**   +Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](http://go.microsoft.com/fwlink/p/?linkid=238382) + +  + +**Note**   +Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. 
However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + +  + +## Part 9: Export VAMT Data to a .cilx File + + +In this step, you export VAMT from the workgroup’s host computer and save it in a .cilx file. Then you copy the .cilx file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it is critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products. + +1. Select the individual products that successfully received a product key in Part 8. If needed, sort and filter the list to find the products. + +2. In the right-side **Actions** pane, click **Export list** to open the **Export List** dialog box. + +3. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file, or enter the name of the .cilx file to which you want to export the data. + +4. Under **Export options**, select one of the following data-type options: + + - Export products and product keys. + + - Export products only. + + - Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is selected. 
This option should be used when an enterprise’s security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the .cilx file that is transferred to the Core Network VAMT host. + +5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box. + +6. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. + +7. If you exported the list to a file on the host computer’s hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device. + +**Important**   +Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the .cilx file. Therefore, the .cilx file must be re-imported into the SQL Server database on the isolated lab workgroup’s VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Part 10) can be correctly assigned to the computers in the isolated lab group. + +  + +## Part 10: Acquire Confirmation IDs from Microsoft on the Internet-Connected Host Computer + + +1. Insert the removable media into the VAMT host that has Internet access. + +2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. + +3. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box. + +4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the .cilx file that you exported from the isolated lab host computer, select the file, and then click **Open**. 
VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs. + +5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Click **OK** to close the message. + +## Part 11: Import the .cilx File onto the VAMT Host within the Isolated Lab Workgroup + + +1. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab. + +2. Open VAMT and verify that you are connected to the database that contains the computer with the product keys that you are activating. + +3. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. + +4. In the **Import list** dialog box, browse to the location of the .cilx file that contains the CIDs, select the file, and then click **Open**. + +5. Click **OK** to import the file and to overwrite any conflicting data in the database with data from the file. + +6. VAMT displays a progress message while the data is being imported. Click **OK** when a message appears and confirms that the data has been successfully imported. + +## Part 12: Apply the CIDs and Activate the Isolated Lab Computers + + +1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products. + +2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. + +VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. 
When VAMT finishes installing the CIDs, the status appears in the **Action Sataus** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status appears under the **Status of Last Action** column in the product list view in the center pane. + +## Part 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab + + +If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database. + +1. Redeploy products to each computer, using the same computer names as before. + +2. Open VAMT. + +3. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. + +VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status appears under the **Status of Last Action** column in the product list view in the center pane. + +**Note**   +Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network. 
RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM. + +  + +**Note**   +Reapplying the same CID conserves the remaining activations on the MAK. + +  + +## Related topics + + +[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + +  + +  + + + + + diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md new file mode 100644 index 0000000000..23cf6ecf88 --- /dev/null +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md 
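Review bot: Part 8, step 2 links to `[Step 5: Sort the list of computers](#bkmk-step5)`, but this topic numbers its sections as "Part", the section is `## Part 5: Sort and Filter the List of Computers`, and no `bkmk-step5` anchor exists in the file; both the link text and the target need updating. Part 7's first bullet contradicts itself ("To add a single product key ... enter one or more product keys"; the online-activation topic says "To add product keys manually"), and its import bullet reads **Select a product key to import** where the sibling topic reads **Select a product key file to import**; use one label. Typos to fix: "IPv6addressing", "**Ctrl** ley", "Action Sataus" in Part 12, "continue to step 2.If", "when this selection is selected", "Windows Server 2012, and volume editions" (double "and", in both RFM notes), the stray ® in "Windows Server® 2012" in Part 1, and Part 9's opening "you export VAMT from the workgroup's host computer", which should read "export VAMT data". On substance, the **Export proxy activation data only** bullet and the **Important** note in Part 9 are the security-relevant part of this topic and read well; Part 11, step 5 ("Click **OK** to import the file and to overwrite any conflicting data in the database") would benefit from saying what counts as conflicting data, since that OK is the only confirmation before existing records are replaced.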
@@ -0,0 +1,218 @@ +--- +title: Set up MDT for BitLocker (Windows 10) +ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 +description: +keywords: ["disk, encryption, TPM, configure, secure, script"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Set up MDT for BitLocker + + +This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: + +- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. + +- Multiple partitions on the hard drive. + +To configure your environment for BitLocker, you will need to do the following: + +1. Configure Active Directory for BitLocker. + +2. Download the various BitLocker scripts and tools. + +3. Configure the operating system deployment task sequence for BitLocker. + +4. Configure the rules (CustomSettings.ini) for BitLocker. + +**Note**   +Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](http://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. + +  + +For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. 
For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +## Configure Active Directory for BitLocker + + +To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. + +**Note**   +Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. + +  + +In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. + +![figure 2](images/mdt-09-fig02.png) + +Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain. + +### Add the BitLocker Drive Encryption Administration Utilities + +The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): + +1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. + +2. On the **Before you begin** page, click **Next**. + +3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. + +4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. + +5. On the **Select server roles** page, click **Next**. + +6. 
On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: + + 1. BitLocker Drive Encryption Administration Utilities + + 2. BitLocker Drive Encryption Tools + + 3. BitLocker Recovery Password Viewer + +7. On the **Confirm installation selections** page, click **Install** and then click **Close**. + +![figure 3](images/mdt-09-fig03.png) + +Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. + +### Create the BitLocker Group Policy + +Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. + +1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. + +2. Assign the name **BitLocker Policy** to the new Group Policy. + +3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: + + Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives + + 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: + + 1. Allow data recovery agent (default) + + 2. Save BitLocker recovery information to Active Directory Domain Services (default) + + 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + + 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. + + 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. + + Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services + + 4. 
Enable the **Turn on TPM backup to Active Directory Domain Services** policy. + +**Note**   +If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. + +  + +### Set permissions in Active Directory for BitLocker + +In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](http://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. + +1. On DC01, start an elevated PowerShell prompt (run as Administrator). + +2. Configure the permissions by running the following command: + + ``` syntax + cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs + ``` + +![figure 4](images/mdt-09-fig04.png) + +Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. + +## Add BIOS configuration tools from Dell, HP, and Lenovo + + +If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. + +### Add tools from Dell + +The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: + +``` syntax +cctk.exe --tpm=on --valsetuppwd=Password1234 +``` + +### Add tools from HP + +The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. 
This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: + +``` syntax +BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 +``` + +And the sample content of the TPMEnable.REPSET file: + +``` syntax +English +Activate Embedded Security On Next Boot +*Enable +Embedded Security Activation Policy +*No prompts +F1 to Boot +Allow user to reject +Embedded Security Device Availability +*Available +``` + +### Add tools from Lenovo + +The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools: + +``` syntax +cscript.exe SetConfig.vbs SecurityChip Active +``` + +## Configure the Windows 10 task sequence to enable BitLocker + + +When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](http://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: + +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. + +- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. 
Use the properties from the ZTICheckforTPM.wsf. + + **Note**   + It is common for organizations wrapping these tools in scripts to get additional logging and error handling. + +   + +- **Restart computer.** Self-explanatory, reboots the computer. + +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. + +- **Enable BitLocker.** Runs the built-in action to activate BitLocker. + +## Related topics + + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/sideload-apps-in-windows-10.md b/windows/deploy/sideload-apps-in-windows-10.md new file mode 100644 index 0000000000..63f3fe6fef --- /dev/null +++ b/windows/deploy/sideload-apps-in-windows-10.md 
@@ -0,0 +1,118 @@ +--- +title: Sideload LOB apps in Windows 10 (Windows 10) +description: Sideload line-of-business apps in Windows 10. +ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Sideload LOB apps in Windows 10 +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +"Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business. + +When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1 + +In Windows 10, sideloading is different than in earlier versions of Windows: + +- You can unlock a device for sideloading using an enterprise policy, or through **Settings** + +- License keys are not required + +- Devices do not have to be joined to a domain + +## Requirements +Here's what you'll need to have: + +- Devices need to be unlocked for sideloading (unlock policy enabled) + +- Certificate assigned to app + +- Signed app package + +And here's what you'll need to do: + +- Turn on sideloading - you can push a policy with an MDM provider, or you can use **Settings**. + +- Trust the app - import the security certificate to the local device. + +- Install the app - use PowerShell to install the app package. + +## How do I sideload an app on desktop +You can sideload apps on managed or unmanaged devices. + +**To turn on sideloading for managed devices** + +- Deploy an enterprise policy. + +**To turn on sideloading for unmanaged devices** + +1. Open **Settings**. + +2. Click **Update & Security** > **For developers**. + +3. On **Use developer features**, select **Sideload apps**. + +**To import the security certificate** + +1. Open the security certificate for the appx package, and select **Install Certificate**. + +2. 
On the **Certificate Import Wizard**, select **Local Machine**. + +3. Import the certificate to the **Trusted Root Certification Authorities** folder. + + -OR- + + You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=619162). + +**To install the app** +- From the folder with the appx package, run the PowerShell `Add-AppxPackage` command to install the appx package. + +## How do I sideload an app on mobile +You can sideload apps on managed or unmanaged devices. + +**To turn on sideloading for a managed device** + +- Deploy an enterprise policy. + +**To turn on sideloading for unmanaged devices** + +1. Open **Settings**. + +2. Click **Update & Security** > **For developers**. + +3. On **Use developer features**, select **Sideload apps**. + +**To import the security certificate for managed devices** + +1. Open the security certificate for the appx package, and select **Install Certificate**. + +2. On the **Certificate Import Wizard**, select **Local Machine**. + +3. Import the certificate to the **Trusted Root Certification Authorities** folder. + +**To import the security certificate for unmanaged devices** + +- You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 mobile device, see runtime instructions on [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=619164). + +**To install the app** + +- From an email, tap a xap, appx, or appx bundle package. + + -OR- + + With your mobile device tethered to a desktop, click a xap, appx, or appx bundle package from the files system to install the app. + +  + +  + + + + + 
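Review bot: In the sideload-apps-in-windows-10.md hunk, the certificate import steps ("Import the certificate to the **Trusted Root Certification Authorities** folder", under **Local Machine**) grant the app-signing certificate far more trust than sideloading needs: anything in Local Machine Trusted Root is accepted as a root CA for every purpose on that device, including TLS and code signing, not just for `Add-AppxPackage`. For a self-signed or leaf LOB signing certificate the Local Machine **Trusted People** store is enough for package installation and should be the documented target; if the doc keeps Trusted Root, it should say that this is for the certificate of an enterprise CA that issued the signing certificate, never for the package's own leaf certificate. The same applies to the mobile section, which repeats the Trusted Root instruction. Two small text fixes in the same hunk: "Sideloading was also available with Windows 8 and Windows 8.1" is missing its period, and "from the files system" should read "from the file system".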
diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md new file mode 100644 index 0000000000..9afc652d9c --- /dev/null +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md 
@@ -0,0 +1,91 @@ +--- +title: Simulate a Windows 10 deployment in a test environment (Windows 10) +description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. +ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c +keywords: ["deploy, script,"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Simulate a Windows 10 deployment in a test environment + + +This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined machine (client or server). In the following example, you use the PC0001 Windows 10 client. + +For the purposes of this topic, you already will have either downloaded and installed the free Microsoft System Center 2012 R2 Configuration Manager Toolkit, or copied Configuration Manager Trace (CMTrace) if you have access to the System Center 2012 R2 Configuration Manager media. We also assume that you have downloaded the [sample Gather.ps1 script](http://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery. + +1. On PC0001, log on as **CONTOSO\\Administrator** using the password **P@ssw0rd**. + +2. Using Computer Management, add the **CONTOSO\\MDT\_BA** user account to the local **Administrators** group. + +3. Log off, and then log on to PC0001 as **CONTOSO\\MDT\_BA**. + +4. Using File Explorer, create a folder named **C:\\MDT**. + +5. Copy the downloaded Gather.ps1 script to the **C:\\MDT** folder. + +6. From the **\\\\MDT01\\MDTProduction$\\Scripts** folder, copy the following files to **C:\\MDT**: + + 1. 
ZTIDataAccess.vbs + + 2. ZTIGather.wsf + + 3. ZTIGather.xml + + 4. ZTIUtility.vbs + +7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**. + +8. In the **C:\\MDT** folder, create a subfolder named **X64**. + +9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. + + ![figure 6](images/mdt-09-fig06.png) + + Figure 6. The C:\\MDT folder with the files added for the simulation environment. + +10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command: + + ``` syntax + Set-Location C:\MDT + .\Gather.ps1 + ``` + +11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. + +**Note**   +Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment. + +  + +![figure 7](images/mdt-09-fig07.png) + +Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware capabilities. + +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/understanding-migration-xml-files.md b/windows/deploy/understanding-migration-xml-files.md new file mode 100644 index 0000000000..528c77f8d3 --- /dev/null +++ b/windows/deploy/understanding-migration-xml-files.md 
@@ -0,0 +1,536 @@ +--- +title: Understanding Migration XML Files (Windows 10) +description: Understanding Migration XML Files +ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Understanding Migration XML Files + + +You can modify the behavior of a basic User State Migration Tool (USMT)10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the MigDocs.xml and MigUser.xml files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a Config.xml file to further customize your migration. + +This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer. 
+ +## In This Topic + + +[Overview of the Config.xml file](#bkmk-config) + +[Overview of the MigApp.xml file](#bkmk-migapp) + +[Overview of the MigDocs.xml file](#bkmk-migdocs) + +[Overview of the MigUser.xml file](#bkmk-miguser) + +[Using multiple XML files](#bkmk-multiple) + +[XML rules for migrating user files](#bkmk-userfiles) + +[The GenerateDocPatterns function](#bkmk-generate) + +[Understanding the system and user context](#bkmk-context) + +[Sample migration rules for customized versions of XML files](#bkmk-samples) + +[Exclude rules usage examples](#bkmk-exclude) + +[Include rules usage examples](#bkmk-include) + +[Next Steps](#bkmk-next) + +## Overview of the Config.xml file + + +The Config.xml file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The Config.xml file can be used in conjunction with other XML files, such as in the following example: `scanstate /i:migapps.xml /i:migdocs.xml /genconfig:c:\myFolder\config.xml`. When used this way, the Config.xml file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the Config.xml file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md). + +**Note**   +When modifying the XML elements in the Config.xml file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files. + +  + +## Overview of the MigApp.xml file + + +The MigApp.xml file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). 
You must include the MigApp.xml file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The MigDocs.xml and MigUser.xml files do not migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +**Important**   +The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. See the [Sample migration rules for customized versions of XML files](#bkmk-samples) section of this document for more information about migrating .pst files that are not linked to Outlook. + +  + +## Overview of the MigDocs.xml file + + +The MigDocs.xml file uses the new **GenerateDocPatterns** helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the MigDocs.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. + +The default MigDocs.xml file migrates the following: + +- All files on the root of the drive except %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA%, or %USERS%. + +- All folders in the root directory of all fixed drives. For example: c:\\data\_mail\\\*\[\*\] + +- All files from the root of the Profiles folder, except for files in the system profile. For example: c:\\users\\name\[mail.pst\] + +- All folders from the root of the Profiles folder, except for the system-profile folders. 
For example: c:\\users\\name\\new folder\\\*\[\*\] + +- Standard shared folders: + + - CSIDL\_COMMON\_DESKTOPDIRECTORY + + - CSIDL\_COMMON\_FAVORITES + + - CSIDL\_COMMON\_DOCUMENTS + + - CSIDL\_COMMON\_MUSIC + + - CSIDL\_COMMON\_PICTURES + + - CSIDL\_COMMON\_VIDEO + + - FOLDERID\_PublicDownloads + +- Standard user-profile folders for each user: + + - CSIDL\_MYDOCUMENTS + + - CSIDL\_MYPICTURES + + - FOLDERID\_OriginalImages + + - CSIDL\_MYMUSIC + + - CSIDL\_MYVIDEO + + - CSIDL\_FAVORITES + + - CSIDL\_DESKTOP + + - CSIDL\_QUICKLAUNCH + + - FOLDERID\_Contacts + + - FOLDERID\_Libraries + + - FOLDERID\_Downloads + + - FOLDERID\_SavedGames + + - FOLDERID\_RecordedTV + +The default MigDocs.xml file will not migrate the following: + +- Files tagged with both the **hidden** and **system** attributes. + +- Files and folders on removable drives. + +- Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders. + +- Folders that contain installed applications. + +You can also use the **/genmigxml** option with the ScanState tool to review and modify what files will be migrated. + +## Overview of the MigUser.xml file + + +The MigUser.xml file includes instructions for USMT to migrate user files based on file name extensions. You can use the MigUser.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The MigUser.xml file will gather all files from the standard user-profile folders, as well as any files on the computer with the specified file name extensions. 
+ +The default MigUser.xml file migrates the following: + +- All files from the standard user-profile folders which are described as: + + - CSIDL\_MYVIDEO + + - CSIDL\_MYMUSIC + + - CSIDL\_DESKTOP + + - CSIDL\_STARTMENU + + - CSIDL\_PERSONAL + + - CSIDL\_MYPICTURES + + - CSIDL\_FAVORITES + + - CSIDL\_QUICK LAUNCH + +- Files with the following extensions: + + .qdf, .qsd, .qel, .qph, .doc\*, .dot\*, .rtf, .mcw, .wps, .scd, .wri, .wpd, .xl\*, .csv, .iqy, .dqy, .oqy, .rqy, .wk\*, .wq1, .slk, .dif, .ppt\*, .pps\*, .pot\*, .sh3, .ch3, .pre, .ppa, .txt, .pst, .one\*, .vl\*, .vsd, .mpp, .or6, .accdb, .mdb, .pub + +The default MigUser.xml file does not migrate the following: + +- Files tagged with both the **hidden** and **system** attributes. + +- Files and folders on removable drives, + +- Data from the %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA% folders. + +- ACLS for files in folders outside the user profile. + +You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. + +**Note**   +Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than three hundred file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document. 
+ +  + +## Using multiple XML files + + +You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with additional migration rules. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
XML migration fileModifies the following components:

Config.xml file

Operating-system components such as desktop wallpaper and background theme.

+

You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).

MigApps.xml file

Applications settings.

MigUser.xml or MigDocs.xml files

User files and profile settings.

Custom XML files

Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.

+ +  + +For example, you can use all of the XML migration file types for a single migration, as in the following example: + +``` syntax +Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml +``` + +### XML rules for migrating user files + +**Important**   +You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer. + +  + +If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions. + +If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#bkmk-createxml) section of this document. + +## Creating and editing a custom XML file + + +You can use the **/genmigxml** command-line option to determine which files will be included in your migration. The **/genmigxml** option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary. + +**Note**   +If you reinstall USMT, the default migration XML files will be overwritten and any customizations you make directly to these files will be lost. Consider creating separate XML files for your custom migration rules and saving them in a secure location. + +  + +To generate the XML migration rules file for a source computer: + +1. 
Click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as**. + +2. Select an account with administrator privileges, supply a password, and then click **OK**. + +3. At the command prompt, type: + + ``` syntax + cd /d + scanstate.exe /genmigxml: + ``` + + Where *<USMTpath>* is the location on your source computer where you have saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, type: + + ``` syntax + cd /d c:\USMT + scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml" + ``` + +### The GenerateDocPatterns function + +The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes three Boolean values. You can change the settings to modify the way the MigDocs.xml file generates the XML rules for migration. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
SettingValueDefault Value

ScanProgramFiles

The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.

+

For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files:

+
<pattern type="File">C:\Program Files\Microsoft Office\*[*.doc]</pattern>
+

If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions.

False

IncludePatterns

The IncludePatterns argument determines whether to generate exclude or include patterns in the XML. When this argument is set to TRUE, the GenerateDocPatterns function generates include patterns and the function must be added under the <include> element. Changing this argument to FALSE generates exclude patterns and the function must be added under the <exclude> element.

True

SystemDrive

The SystemDrive argument determines whether to generate patterns for all fixed drives or only for the system drive. Changing this argument to TRUE restricts all patterns to the system drive.

False

+ +  + +**Usage:** + +``` syntax +MigXmlHelper.GenerateDocPatterns ("", "", "") +``` + +To create include data patterns for only the system drive: + +``` syntax + +      +         +      + +``` + +To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory: + +``` syntax + +      +         +      + +``` + +To create exclude data patterns: + +``` syntax + +      +         +      + +``` + +### Understanding the system and user context + +The migration XML files contain two <component> elements with different **context** settings. The system context applies to files on the computer that are not stored in the User Profiles directory, while the user context applies to files that are particular to an individual user. + +**System context** + +The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included: + +- CSIDL\_COMMON\_DESKTOPDIRECTORY + +- CSIDL\_COMMON\_FAVORITES + +- CSIDL\_COMMON\_DOCUMENTS + +- CSIDL\_COMMON\_MUSIC + +- CSIDL\_COMMON\_PICTURES + +- CSIDL\_COMMON\_VIDEO + +- FOLDERID\_PublicDownloads + +**User context** + +The user context includes rules for data in the User Profiles directory. When called in a user context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. 
The following folders are included: + +- CSIDL\_MYDOCUMENTS + +- CSIDL\_MYPICTURES + +- FOLDERID\_OriginalImages + +- CSIDL\_MYMUSIC + +- CSIDL\_MYVIDEO + +- CSIDL\_FAVORITES + +- CSIDL\_DESKTOP + +- CSIDL\_QUICKLAUNCH + +- FOLDERID\_Contacts + +- FOLDERID\_Libraries + +- FOLDERID\_Downloads + +- FOLDERID\_SavedGames + +- FOLDERID\_RecordedTV + +**Note**   +Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the MigDocs.xml files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable. + +  + +### Sample migration rules for customized versions of XML files + +**Note**   +For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [General Conventions](usmt-general-conventions.md). + +  + +### Exclude rules usage examples + +In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default MigDocs.xml behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are: + + ++++ + + + + + + + + + + +

Rule 1

<pattern type="File">d:\new folder\[new text document.txt]</pattern>

Rule 2

<pattern type="File">d:\new folder\*[*]</pattern>
+ +  + +To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following: + +**Example 1: Exclude all .txt files in a folder** + +To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension. + +``` syntax + +      +        D:\Newfolder\[new text document.txt] +         D:\New folder\*[*.txt] +      + +``` + +**Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules** + +If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the <UnconditionalExclude> element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +``` syntax + +      +         +      + +``` + +**Example 3 : Use a UserandSystem context component to run rules in both contexts** + +If you want the <UnconditionalExclude> element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts. + +``` syntax + +   MigDocExcludes +    +      +        +          +                 +          +        +      +    + +``` + +For more examples of exclude rules that you can use in custom migration XML files, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md). + +### Include rules usage examples + +The application data directory is the most common location that you would need to add an include rule for. The **GenerateDocPatterns** function excludes this location by default. 
If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The Migapp.xml file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that are not linked, you can do the following: + +**Example 1: Include a file name extension in a known user folder** + +This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer. + +``` syntax + +      +        %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] +      + +``` + +**Example 2: Include a file name extension in Program Files** + +For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component. + +``` syntax + +      +        %CSIDL_PROGRAM_FILES%\*[*.pst] +      + +``` + +For more examples of include rules that you can use in custom migration XML files, see [Include Files and Settings](usmt-include-files-and-settings.md). + +**Note**   +For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +  + +## Next steps + + +You can include additional rules for the migration in the MigDocs.xml file or other XML migration files. For example, you can use the <locationModify> element to move files from the folder where they were gathered to a different folder, when they are applied to the destination computer. + +You can use an XML schema (MigXML.xsd) file to validate the syntax of your customized XML files. For more information, see [USMT Resources](usmt-resources.md). 
+ +## Related topics + + +[Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +[Include Files and Settings](usmt-include-files-and-settings.md) + +  + +  + + + + + diff --git a/windows/deploy/update-product-status-vamt.md b/windows/deploy/update-product-status-vamt.md new file mode 100644 index 0000000000..1548c85d6f --- /dev/null +++ b/windows/deploy/update-product-status-vamt.md 
@@ -0,0 +1,36 @@ +--- +title: Update Product Status (Windows 10) +description: Update Product Status +ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Update Product Status +After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. + +To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +**Note**   +The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. + +## Update the license status of a product +1. Open VAMT. + +2. In the **Products** list, select one or more products that need to have their status updated. + +3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. + +4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. 
+ + VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. + +  + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) \ No newline at end of file diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md new file mode 100644 index 0000000000..4a553d8b90 --- /dev/null +++ b/windows/deploy/update-windows-10-images-with-provisioning-packages.md 
@@ -0,0 +1,123 @@ +--- +title: Update Windows 10 images with provisioning packages (Windows 10) +description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. +ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 +keywords: ["provisioning", "bulk deployment", "image"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Update Windows 10 images with provisioning packages +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. + +In Windows 10, you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. + +You can include provisioning packages when you build a Windows image. This way, you can create a single provisioning package that you can add to different hardware-specific images. + +You can also put a provisioning package on a USB drive or SD card to apply to off-the-shelf devices. You can even send the provisioning package to someone in email. + +Rather than wiping a device and applying a new system image when you need to change configuration, you can reset the device to its original state and then apply a new provisioning package. + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple for people to apply. + +- Ensure compliance and security before a device is enrolled in MDM. 
+ +## Create package +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). + +2. Choose **New provisioning package**. + +3. Name your project, and click **Next**. + +4. Choose **Common to all Windows editions** and click **Next**. + +5. On **New project**, click **Finish**. The workspace for your package opens. + +6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916) + +7. On the **File** menu, select **Save.** + +8. On the **Export** menu, select **Provisioning package**. + +9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + **Tip**   + You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. 
When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + +## Add package to image +**To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)** + +- Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371). + +**To add a provisioning package to a Windows 10 Mobile image** + +- Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371).

+The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages. + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + +## Related topics +- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) \ No newline at end of file diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md new file mode 100644 index 0000000000..d0f0ff8e73 --- /dev/null +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -0,0 +1,211 @@ +--- +title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10) +description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. +ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 +keywords: ["upgrade, update, task sequence, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +author: CFaw +--- + +# Upgrade to Windows 10 with System Center Configuration Manager + + +**Applies to** + +- Windows 10 + +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. + +## Proof-of-concept environment + + +For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![figure 1](images/upgrademdt-fig1-machines.png) + +Figure 1. The machines used in this topic. + +## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager + + +System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks. 
+ +## Create the task sequence + + +To help with this process, the Configuration Manager team has published [a blog](http://go.microsoft.com/fwlink/p/?LinkId=620179) that provides a sample task sequence, as well as the [original blog that includes the instructions for setting up the task sequence](http://go.microsoft.com/fwlink/p/?LinkId=620180). To summarize, here are the tasks you need to perform: + +1. Download the [Windows10Upgrade1506.zip](http://go.microsoft.com/fwlink/p/?LinkId=620182) file that contains the sample task sequence and related scripts. Extract the contents onto a network share. +2. Copy the Windows 10 Enterprise RTM x64 media into the extracted but empty **Windows vNext Upgrade Media** folder. +3. Using the Configuration Manager Console, right-click the **Task Sequences** node, and then choose **Import Task Sequence**. Select the **Windows-vNextUpgradeExport.zip** file that you extracted in Step 1. +4. Distribute the two created packages (one contains the Windows 10 Enterprise x64 media, the other contains the related scripts) to the Configuration Manager distribution point. + +For full details and an explanation of the task sequence steps, review the full details of the two blogs that are referenced above. + +## Create a device collection + + +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0003 machine running Windows 7 SP1, with the Configuration Manager client installed. + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + - General + + - Name: Windows 10 Enterprise x64 Upgrade + + - Limited Collection: All Systems + + - Membership rules: + + - Direct rule + + - Resource Class: System Resource + + - Attribute Name: Name + + - Value: PC0003 + + - Select Resources + + - Select PC0003 + +2. 
Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0003 machine in the collection. + +## Deploy the Windows 10 upgrade + + +In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. +2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. +3. On the **Content** page, click **Next**. +4. On the **Deployment Settings** page, select the following settings, and then click **Next**: + - Action: Install + + - Purpose: Available + +5. On the **Scheduling** page, accept the default settings, and then click **Next**. +6. On the **User Experience** page, accept the default settings, and then click **Next**. +7. On the **Alerts** page, accept the default settings, and then click **Next**. +8. On the **Summary** page, click **Next**, and then click **Close**. + +## Start the Windows 10 upgrade + + +In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1). + +1. On PC0003, start the **Software Center**. +2. Select the **Windows vNext Upgrade** task sequence, and then click **Install**. + +When the task sequence begins, it will automatically initiate the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![figure 2](images/upgradecfg-fig2-upgrading.png) + +Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. + +After the task sequence finishes, the computer will be fully upgraded to Windows 10. 
+ +## Upgrade to Windows 10 with the next version of System Center Configuration Manager + + +With the next release of System Center Configuration Manager (currently planned for Q4 of 2015), new built-in functionality will be provided to make it even easier to upgrade existing Windows 7, Windows 8, and Windows 8.1 PCs to Windows 10. + +**Note**   +For more details about the next version of Configuration Manager, see the [Configuration Manager Team blog](http://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](http://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. + +  + +### Create the OS upgrade package + +First, you need to create an operating system upgrade package that contains the full Windows 10 Enterprise x64 installation media. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Operating System Upgrade Packages** node, then select **Add Operating System Upgrade Package**. +2. On the **Data Source** page, specify the UNC path to the Windows 10 Enterprise x64 media, and then click **Next**. +3. On the **General** page, specify Windows 10 Enterprise x64 Upgrade, and then click **Next**. +4. On the **Summary** page, click **Next**, and then click **Close**. +5. Right-click the created **Windows 10 Enterprise x64 Update** package, and then select **Distribute Content**. Choose the CM01 distribution point. + +### Create the task sequence + +To create an upgrade task sequence, perform the following steps: + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Task Sequences** node, and then select **Create Task Sequence**. +2. On the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. +3. 
On the **Task Sequence Information** page, specify **Windows 10 Enterprise x64 Upgrade**, and then click **Next**. +4. On the **Upgrade the Windows operating system** page, select the **Windows 10 Enterprise x64 Upgrade operating system upgrade** package, and then click **Next**. +5. Click **Next** through the remaining wizard pages, and then click **Close**. + +![figure 3](images/upgradecfg-fig3-upgrade.png) + +Figure 3. The Configuration Manager vNext upgrade task sequence. + +### Create a device collection + +After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0003 machine running Windows 7 SP1, with the next version of System Center Configuration Manager client installed. + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + - General + + - Name: Windows 10 Enterprise x64 Upgrade + + - Limited Collection: All Systems + + - Membership rules: + + - Direct rule + + - Resource Class: System Resource + + - Attribute Name: Name + + - Value: PC0003 + + - Select Resources + + - Select PC0003 + +2. Review the Windows 10 Enterprise x64 Upgrade collection. Do not continue until you see the PC0003 machine in the collection. + +### Deploy the Windows 10 upgrade + +In this section, you create a deployment for the Windows 10 Enterprise x64 Update application. + +1. On CM01, using the Configuration Manager console, in the Software Library workspace, right-click the **Windows vNext Upgrade** task sequence, and then select **Deploy**. +2. On the **General** page, select the **Windows 10 Enterprise x64 Upgrade** collection, and then click **Next**. +3. On the **Content** page, click **Next**. +4. On the **Deployment Settings** page, select the following settings and click **Next**: + - Action: Install + + - Purpose: Available + +5. 
On the **Scheduling** page, accept the default settings, and then click **Next**. +6. On the **User Experience** page, accept the default settings, and then click **Next**. +7. On the **Alerts** page, accept the default settings, and then click **Next**. +8. On the **Summary** page, click **Next**, and then click **Close**. + +### Start the Windows 10 upgrade + +In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1). + +1. On PC0003, start the **Software Center**. +2. Select the **Windows vNext Upgrade** task sequence, and then click **Install.** + +When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + +[Configuration Manager Team blog](http://go.microsoft.com/fwlink/p/?LinkId=620109) + +  + +  + + + + + diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md new file mode 100644 index 0000000000..2fa1a8e500 --- /dev/null +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md 
@@ -0,0 +1,130 @@ +--- +title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10) +description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 +keywords: ["upgrade, update, task sequence, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Upgrade to Windows 10 with the Microsoft Deployment Toolkit + + +**Applies to** + +- Windows 10 + +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. + +## Proof-of-concept environment + + +For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +![fig 1](images/upgrademdt-fig1-machines.png) + +Figure 1. The machines used in this topic. + +## Set up the upgrade task sequence + + +MDT 2013 Update 2 adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple. + +## Create the MDT production deployment share + + +The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: + +1. On MDT01, log on as Administrator in the CONTOSO domain with a password of **P@ssw0rd**. +2. 
Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Add Windows 10 Enterprise x64 (full source) + + +In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder. + +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. +2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + + - Source directory: E:\\Downloads\\Windows 10 Enterprise x64 + + - Destination directory name: W10EX64RTM + +4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image** + +![figure 2](images/upgrademdt-fig2-importedos.png) + +Figure 2. The imported Windows 10 operating system after you rename it. + +## Create a task sequence to upgrade to Windows 10 Enterprise + + +1. 
Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-UPG + + - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade + + - Template: Standard Client Upgrade Task Sequence + + - Select OS: Windows 10 Enterprise x64 RTM RTM Default Image + + - Specify Product Key: Do not specify a product key at this time + + - Full Name: Contoso + + - Organization: Contoso + + - Internet Explorer home page: about:blank + + - Admin Password: Do not specify an Administrator Password at this time + +![figure 3](images/upgrademdt-fig3-tasksequence.png) + +Figure 3. The task sequence to upgrade to Windows 10. + +## Perform the Windows 10 upgrade + + +To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). + +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.![figure 4](images/upgrademdt-fig4-selecttask.png) + + Figure 4. Upgrade task sequence. + +3. On the **Credentials** tab, specify the **MDT\_BA** account, **P@ssw0rd** password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) +4. On the **Ready** tab, click **Begin** to start the task sequence. + +When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + +![figure 5](images/upgrademdt-fig5-winupgrade.png) + +Figure 5. 
Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence. + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + + +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + +[Microsoft Deployment Toolkit downloads and resources](http://go.microsoft.com/fwlink/p/?LinkId=618117) + +  + +  + + + + + diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md new file mode 100644 index 0000000000..58b322dba8 --- /dev/null +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md 
@@ -0,0 +1,250 @@ +--- +title: Use Orchestrator runbooks with MDT (Windows 10) +description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. +ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f +keywords: ["web services, database"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Use Orchestrator runbooks with MDT + + +This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. + +MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. + +**Note**   +If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](http://go.microsoft.com/fwlink/p/?LinkId=619553) website. + +  + +## Orchestrator terminology + + +Before diving into the core details, here is a quick course in Orchestrator terminology: + +- **Orchestrator Server.** This is a server that executes runbooks. + +- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. + +- **Orchestrator Designer.** This is where you build the runbooks. 
In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. + +- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. + +- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. + +- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. + +- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. + +**Note**   +To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](http://go.microsoft.com/fwlink/p/?LinkId=619554). + +  + +## Create a sample runbook + + +This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. + +1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). + +2. In the **E:\\Logfile** folder, create the DeployLog.txt file. + + **Note**   + Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt. + +   + + ![figure 23](images/mdt-09-fig23.png) + + Figure 23. The DeployLog.txt file. + +3. 
Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder. + + ![figure 24](images/mdt-09-fig24.png) + + Figure 24. Folder created in the Runbooks node. + +4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. + +5. On the ribbon bar, click **Check Out**. + +6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. + +7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: + + 1. Runbook Control / Initialize Data + + 2. Text File Management / Append Line + +8. Connect **Initialize Data** to **Append Line**. + + ![figure 25](images/mdt-09-fig25.png) + + Figure 25. Activities added and connected. + +9. Right-click the **Initialize Data** activity, and select **Properties** + +10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**. + + ![figure 26](images/mdt-09-fig26.png) + + Figure 26. The Initialize Data Properties window. + +11. Right-click the **Append Line** activity, and select **Properties**. + +12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**. + +13. In the **File** encoding drop-down list, select **ASCII**. + +14. In the **Append** area, right-click inside the **Text** text box and select **Expand**. + + ![figure 27](images/mdt-09-fig27.png) + + Figure 27. Expanding the Text area. + +15. In the blank text box, right-click and select **Subscribe / Published Data**. + + ![figure 28](images/mdt-09-fig28.png) + + Figure 28. Subscribing to data. + +16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**. + +17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**. + +18. 
In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**. + + ![figure 29](images/mdt-09-fig29.png) + + Figure 29. The expanded text box after all subscriptions have been added. + +19. On the **Append Line Properties** page, click **Finish**. + +## Test the demo MDT runbook + + +After the runbook is created, you are ready to test it. + +1. On the ribbon bar, click **Runbook Tester**. + +2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**: + + - OSDComputerName: PC0010 + +3. Verify that all activities are green (for additional information, see each target). + +4. Close the **Runbook Tester**. + +5. On the ribbon bar, click **Check In**. + +![figure 30](images/mdt-09-fig30.png) + +Figure 30. All tests completed. + +## Use the MDT demo runbook from MDT + + +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. + +2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + + 1. Task sequence ID: OR001 + + 2. Task sequence name: Orchestrator Sample + + 3. Task sequence comments: <blank> + + 4. Template: Custom Task Sequence + +3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. + +4. Remove the default **Application Install** action. + +5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. + +6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: + + 1. Name: Set Task Sequence Variable + + 2. Task Sequence Variable: OSDComputerName + + 3. Value: %hostname% + +7. 
After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: + + 1. Orchestrator Server: OR01.contoso.com + + 2. Use Browse to select **1.0 MDT / MDT Sample**. + +8. Click **OK**. + +![figure 31](images/mdt-09-fig31.png) + +Figure 31. The ready-made task sequence. + +## Run the orchestrator sample task sequence + + +Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment. + +**Note**   +Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](http://go.microsoft.com/fwlink/p/?LinkId=619555). + +  + +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. + +2. Using an elevated command prompt (run as Administrator), type the following command: + + ``` syntax + cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs + ``` + +3. Complete the Windows Deployment Wizard using the following information: + + 1. Task Sequence: Orchestrator Sample + + 2. Credentials: + + 1. User Name: MDT\_BA + + 2. Password: P@ssw0rd + + 3. Domain: CONTOSO + +4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. + +![figure 32](images/mdt-09-fig32.png) + +Figure 32. The ready-made task sequence. 
+ +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md new file mode 100644 index 0000000000..ee21e399db --- /dev/null +++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md 
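Review bot: step 1 of "Create a sample runbook" grants the built-in Users group Modify on E:\Logfile, which is broader than the runbook needs; the only principal that writes DeployLog.txt is the account the Orchestrator runbook service runs as on OR01, so scope the NTFS grant to that account and leave Users with read at most (the Note near the top recommends adopting Orchestrator generally, so readers will carry this lab step into real environments). Two smaller points: the caption "Figure 32. The ready-made task sequence." repeats Figure 31 although the step it follows verifies that DeployLog.txt on OR01 was updated, and the credentials block in "Run the orchestrator sample task sequence" (User Name MDT_BA, Password P@ssw0rd) should be marked as the lab values from the simulation environment rather than something to reuse.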
@@ -0,0 +1,127 @@ +--- +title: Use the MDT database to stage Windows 10 deployment information (Windows 10) +description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). +ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 +keywords: ["database, permissions, settings, configure, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Use the MDT database to stage Windows 10 deployment information + + +This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines. + +## Database prerequisites + + +MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. + +**Note**   +Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. + +  + +## Create the deployment database + + +The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. 
+ +**Note**   +Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. + +  + +1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. + +2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**: + + 1. SQL Server Name: MDT01 + + 2. Instance: SQLEXPRESS + + 3. Port: <blank> + + 4. Network Library: Named Pipes + +3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**. + +4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**. + +![figure 8](images/mdt-09-fig08.png) + +Figure 8. The MDT database added to MDT01. + +## Configure database permissions + + +After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. + +1. On MDT01, start SQL Server Management Studio. + +2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**. + +3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. + + ![figure 9](images/mdt-09-fig09.png) + + Figure 9. The top-level Security node. + +4. On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: + + 1. db\_datareader + + 2. public (default) + +5. 
Click **OK**, and close SQL Server Management Studio. + +![figure 10](images/mdt-09-fig10.png) + +Figure 10. Creating the login and settings permissions to the MDT database. + +## Create an entry in the database + + +To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. + +1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. + +2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: + + 1. Description: New York Site - PC00075 + + 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> + + 3. Details Tab / OSDComputerName: PC00075 + +![figure 11](images/mdt-09-fig11.png) + +Figure 11. Adding the PC00075 computer to the database. + +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use web services in MDT](use-web-services-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md new file mode 100644 index 0000000000..5cba8c8157 --- /dev/null +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md 
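Review bot: the firewall note before step 1 of "Create the deployment database" (open TCP 1433 and UDP 1434 inbound on MDT01) does not line up with the wizard settings in step 2, which pick Network Library: Named Pipes with Port left blank. A Named Pipes connection rides SMB (TCP 445) against the share named on the SQL Share page (Logs$), and the SQLEXPRESS named instance the note describes is exactly the case where TCP 1433 is not the listening port (named instances use a dynamic port by default, which is why SQL Browser on UDP 1434 has to be reachable at all). State the rule as SMB plus UDP 1434 for the configuration the steps actually build, or say which protocol the 1433 rule is for. On "Configure database permissions": db_datareader plus public for CONTOSO\MDT_BA is the right minimal grant, since the deployment only reads the database; add one sentence saying not to give this login write roles, because MDT_BA is the network access account that every deploying client carries.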
@@ -0,0 +1,83 @@ +--- +title: Use the Volume Activation Management Tool (Windows 10) +description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. +ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47 +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Use the Volume Activation Management Tool +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys. + +By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. + +The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740). 
+ +In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. + +## Activating with the Volume Activation Management Tool +You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: + +- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. + +- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation. + + By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. + +## Tracking products and computers with the Volume Activation Management Tool +The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. 
+ +![VAMT showing the licensing status of multiple computers](images/volumeactivationforwindows81-18.jpg) + +**Figure 18**. The VAMT showing the licensing status of multiple computers + +## Tracking key usage with the Volume Activation Management Tool +The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. + +![VAMT showing key types and usage](images/volumeactivationforwindows81-19.jpg) + +**Figure 19**. The VAMT showing key types and usage + +## Other Volume Activation Management Tool features +The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: + +- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. + +- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers. + +- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive. 
+ +For more information, see: + +- [Volume Activation Management Tool (VAMT) Overview](http://go.microsoft.com/fwlink/p/?LinkId=618266) + +- [VAMT Step-by-Step Scenarios](http://go.microsoft.com/fwlink/p/?LinkId=618267) + +## See also +- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +  + +  + + + + + diff --git a/windows/deploy/use-vamt-in-windows-powershell.md b/windows/deploy/use-vamt-in-windows-powershell.md new file mode 100644 index 0000000000..bda44f5b30 --- /dev/null +++ b/windows/deploy/use-vamt-in-windows-powershell.md 
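Review bot: "Other Volume Activation Management Tool features" says the VAMT stores the keys you enter and the activation data in a SQL Server database and can export that data as XML to other VAMT hosts or an archive, but nothing on the page says that this database, and an export that carries the keys, hold the organization's MAK and KMS host keys and therefore need the same access control and handling as the keys themselves; the VAMT host is also the one machine that talks to Microsoft on behalf of isolated clients in proxy activation, so it is worth protecting accordingly. Add a sentence to that effect under "Managing activation data".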
@@ -0,0 +1,85 @@ +--- +title: Use VAMT in Windows PowerShell (Windows 10) +description: Use VAMT in Windows PowerShell +ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Use VAMT in Windows PowerShell +The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool. + +**To install PowerShell 3.0** + +- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=218356). + +**To install the Windows Assessment and Deployment Kit** + +- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). + +**To prepare the VAMT PowerShell environment** + +1. To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**. + + **Important**   + If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. 
You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories: + + - The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe + + - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe + +2. For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. + + For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type: + + ``` ps1 + cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” + ``` +3. Import the VAMT PowerShell module. To import the module, type the following at a command prompt: + + ``` syntax + Import-Module .\VAMT.psd1 + ``` + Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. + +## To Get Help for VAMT PowerShell cmdlets +You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type: + +``` ps1 +get-help -all +``` +For example, type: + +``` ps1 +get-help get-VamtProduct -all +``` + +**Warning** +The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](http://go.microsoft.com/fwlink/p/?LinkId=242278). + +**To view VAMT PowerShell Help sections** + +1. 
To get the syntax to use with a cmdlet, type the following at a command prompt: + + ``` ps1 + get-help + ``` + For example, type: + + ``` ps1 + get-help get-VamtProduct + ``` + +2. To see examples using a cmdlet, type: + + ``` ps1 + get-help -examples + ``` + + For example, type: + + ``` ps1 + get-help get-VamtProduct -examples + ``` \ No newline at end of file diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md new file mode 100644 index 0000000000..09d35ecef9 --- /dev/null +++ b/windows/deploy/use-web-services-in-mdt-2013.md 
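Review bot: the help examples in "To Get Help for VAMT PowerShell cmdlets" pass a -all switch to get-help, which is not a Get-Help parameter; the switch that shows every help section is -Full, so the worked example should read `get-help get-VamtProduct -Full`. The three generic forms (`get-help -all`, `get-help`, `get-help -examples`) also lack the cmdlet-name placeholder that the worked examples fill in, so they read as complete commands when they are templates. Two consistency points in "To prepare the VAMT PowerShell environment": step 2 gives the default install path as `C:\Program Files(x86)\Windows Kits\10`, missing the space that the cd command below it has, and that cd command wraps the path in typographic quotes (“ ”) where plain double quotes would paste cleanly everywhere. The Import-Module block is fenced as ``` syntax while the surrounding blocks use ``` ps1.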
@@ -0,0 +1,178 @@ +--- +title: Use web services in MDT (Windows 10) +description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. +ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 +keywords: ["deploy, web apps"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Use web services in MDT + + +In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. + +Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. + +## Create a sample web service + + +In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](http://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects. + +1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file. + +2. On the ribbon bar, verify that Release is selected. + +3. In the **Debug** menu, select the **Build MDTSample** action. + +4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**. + +5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01. + +6. 
From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01: + + 1. Web.config + + 2. mdtsample.asmx + +![figure 15](images/mdt-09-fig15.png) + +Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. + +## Create an application pool for the web service + + +This section assumes that you have enabled the Web Server (IIS) role on MDT01. + +1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools). + +2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**. + +3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings: + + 1. Name: MDTSample + + 2. .NET Framework version: .NET Framework 4.0.30319 + + 3. Manage pipeline mode: Integrated + + 4. Select the **Start application pool immediately** check box. + + 5. Click **OK**. + +![figure 16](images/mdt-09-fig16.png) + +Figure 16. The new MDTSample application. + +## Install the web service + + +1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: + + 1. Alias: MDTSample + + 2. Application pool: MDTSample + + 3. Physical Path: E:\\MDTSample + + ![figure 17](images/mdt-09-fig17.png) + + Figure 17. Adding the MDTSample web application. + +2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box: + + 1. Anonymous Authentication: Enabled + + 2. 
ASP.NET Impersonation: Disabled + +![figure 18](images/mdt-09-fig18.png) + +Figure 18. Configuring Authentication for the MDTSample web service. + +## Test the web service in Internet Explorer + + +1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**. + +2. Click the **GetComputerName** link. + + ![figure 19](images/mdt-09-fig19.png) + + Figure 19. The MDT Sample web service. + +3. On the **GetComputerName** page, type in the following settings, and click **Invoke**: + + 1. Model: Hewlett-Packard + + 2. SerialNumber: 123456789 + +![figure 20](images/mdt-09-fig20.png) + +Figure 20. The result from the MDT Sample web service. + +## Test the web service in the MDT simulation environment + + +After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment. + +1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: + + ``` syntax + [Settings] + Priority=Default, GetComputerName + + [Default] + OSInstall=YES + + [GetComputerName] + WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName + Parameters=Model,SerialNumber + OSDComputerName=string + ``` + + ![figure 21](images/mdt-09-fig21.png) + + Figure 21. The updated CustomSettings.ini file. + +2. Save the CustomSettings.ini file. + +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: + + ``` syntax + Set-Location C:\MDT + .\Gather.ps1 + ``` + +4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. + +![figure 22](images/mdt-09-fig22.png) + +Figure 22. The OSDCOMPUTERNAME value obtained from the web service. 
+ +## Related topics + + +[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-best-practices.md b/windows/deploy/usmt-best-practices.md new file mode 100644 index 0000000000..b8772fe9f4 --- /dev/null +++ b/windows/deploy/usmt-best-practices.md 
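Review bot: "Install the web service" step 2 enables Anonymous Authentication on the MDTSample application, and the CustomSettings.ini in the simulation test calls it over plain HTTP (`WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName`); together that means the OSDComputerName a client ends up with is whatever GetComputerName returns to any host that can reach MDT01, with the Model and SerialNumber inputs supplied unauthenticated. That is fine for the lab this topic builds, but the page should say so in one sentence and tell readers to restrict the application (HTTPS and a non-anonymous scheme, or network scoping) before a web service drives real deployments, since "Web services provide a powerful way to assign settings" never mentions that the assigned settings are only as trustworthy as the endpoint. Minor: "Figure 16. The new MDTSample application." sits under the application pool steps and should say application pool, and "C:\Projects\MDTSample\ MDTSample.sln" has a stray space in the path.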
@@ -0,0 +1,153 @@ +--- +title: USMT Best Practices (Windows 10) +description: USMT Best Practices +ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# USMT Best Practices + + +This topic discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0. + +## General Best Practices + + +- **Install applications before running the LoadState tool** + + Though it is not always essential, it is best practice to install all applications on the destination computer before restoring the user state. This helps ensure that migrated settings are preserved. + +- **Do not use MigUser.xml and MigDocs.xml together** + + If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the **/genmigxml** command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md). + +- **Use MigDocs.xml for a better migration experience** + + If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml file is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The MigUser.xml file migrates only the files with the specified file extensions. + +- **Close all applications before running either the ScanState or LoadState tools** + + Although using the **/vsc** switch can allow the migration of many files that are open with another application it is a best practice to close all applications in order to ensure all files and settings migrate. 
Without the **/vsc** or **/c** switch USMT will fail when it cannot migrate a file or setting. When you use the **/c** option USMT will ignore any files or settings that it cannot migrate and log an error each time. + +- **Log off after you run the LoadState** + + Some settings, such as fonts, wallpaper, and screensaver settings, will not take effect until the next time the user logs on. For this reason, you should log off after you run the LoadState tool. + +- **Managed environment** + + To create a managed environment, you can move all of the end user’s documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. This will help you to clean up files on the destination computer, if the LoadState command fails before completion. + +- **Chkdsk.exe** + + We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](http://go.microsoft.com/fwlink/p/?LinkId=140244). + +- **Migrate in groups** + + If you decide to perform the migration while users are using the network, it is best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups. + +## Security Best Practices + + +As the authorized administrator, it is your responsibility to protect the privacy of the users and maintain security during and after the migration. 
In particular, you must consider the following issues: + +- **Encrypting File System (EFS)** + + Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For more information about EFS best practices, see this article in the [Microsoft Knowledge Base](http://go.microsoft.com/fwlink/p/?linkid=163). For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + + **Important**   + If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + +   + +- **Encrypt the store** + + Consider using the **/encrypt** option with the ScanState command and the **/decrypt** option with the LoadState command. However, use extreme caution with this set of options, because anyone who has access to the ScanState command-line script also has access to the encryption key. + +- **Virus Scan** + + We recommend that you scan both the source and destination computers for viruses before running USMT. In addition, you should scan the destination computer image. To help protect data from viruses, we strongly recommend running an antivirus utility before migration. + +- **Maintain security of the file server and the deployment server** + + We recommend that you manage the security of the file and deployment servers. It is important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files is not exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](http://go.microsoft.com/fwlink/p/?LinkId=215657). 
+ +- **Password Migration** + + To ensure the privacy of the end users, USMT does not migrate passwords, including those for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, as well as Remote Access Service (RAS) connections and mapped network drives. It is important to make sure that end users know their passwords. + +- **Local Account Creation** + + Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) topic. + +## XML File Best Practices + + +- **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools** + + If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. + +- **The <CustomFileName> in the migration urlid should match the name of the file** + + Although it is not a requirement, it is good practice for <CustomFileName> to match the name of the file. For example, the following is from the MigApp.xml file: + + ``` syntax + + + ``` + +- **TUse the XML Schema (MigXML.xsd) when authoring .xml files to validate synta** + + The MigXML.xsd schema file should not be included on the command line or in any of the .xml files. + +- **Use the default migration XML files as models** + + To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on MigUser.xml. To migrate application settings, model your custom .xml file on the MigApp.xml file. + +- **Consider the impact on performance when using the <context> parameter** + + Your migration performance can be affected when you use the <context> element with the <component> element; for example, as in when you want to encapsulate logical units of file- or path-based <include> and <exclude> rules. 
+ + In the **User** context, a rule is processed one time for each user on the system. + + In the **System** context, a rule is processed one time for the system. + + In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system. + + **Note**   + The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once. + +   + +- **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files** + + For example, if you have code that migrates the settings for an application, you should not just add the code to the MigApp.xml file. + +- **You should not create custom .xml files to alter the operating system settings that are migrated** + + These settings are migrated by manifests and you cannot modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a Config.xml file. + +- **You can use the asterisk (\*) wildcard character in any migration XML file that you create** + + **Note**   + The question mark is not valid as a wildcard character in USMT .xml files. + +   + +## Related topics + + +[Migration Store Encryption](usmt-migration-store-encryption.md) + +[Plan Your Migration](usmt-plan-your-migration.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-choose-migration-store-type.md b/windows/deploy/usmt-choose-migration-store-type.md new file mode 100644 index 0000000000..3e3f520ceb --- /dev/null +++ b/windows/deploy/usmt-choose-migration-store-type.md 
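Review bot: The third bullet heading under "XML File Best Practices" is garbled: "TUse the XML Schema (MigXML.xsd) when authoring .xml files to validate synta" has a stray leading "T" and a truncated last word, and should read "Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax". In the same list, the ``` syntax fence under the "<CustomFileName> in the migration urlid should match the name of the file" bullet is empty, so the MigApp.xml excerpt the sentence promises ("For example, the following is from the MigApp.xml file:") never appears; either paste the intended fragment or drop the sentence and the fence. Also, "Log off after you run the LoadState" in General Best Practices is missing "tool" (compare "run the LoadState tool" two lines below), and the double "Encrypting File System (EFS)" paragraph lists both a Knowledge Base link and a topic link as "EFS best practices" for slightly different purposes; consider wording them as "background" and "migration instructions" so the distinction is clear.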
@@ -0,0 +1,60 @@ +--- +title: Choose a Migration Store Type (Windows 10) +description: Choose a Migration Store Type +ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Choose a Migration Store Type + + +One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

[Migration Store Types Overview](migration-store-types-overview.md)

Choose the migration store type that works best for your needs and migration scenario.

[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)

Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

[Hard-Link Migration Store](usmt-hard-link-migration-store.md)

Learn about hard-link migration stores and the scenarios in which they are used.

[Migration Store Encryption](usmt-migration-store-encryption.md)

Learn about the using migration store encryption to protect user data integrity during a migration.

+ +  + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-command-line-syntax.md b/windows/deploy/usmt-command-line-syntax.md new file mode 100644 index 0000000000..8e62c88e30 --- /dev/null +++ b/windows/deploy/usmt-command-line-syntax.md @@ -0,0 +1,49 @@ +--- +title: User State Migration Tool (USMT) Command-line Syntax (Windows 10) +description: User State Migration Tool (USMT) Command-line Syntax +ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Tool (USMT) Command-line Syntax + + +The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation. + +## In This Section + + + ++++ + + + + + + + + + + + + + + +
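Review bot: Typo in the intro paragraph of usmt-choose-migration-store-type.md: "ensuring that user date integrity is maintained" should be "user data integrity". The last table row also reads "Learn about the using migration store encryption to protect user data integrity"; drop "the". The "In This Section" table is rendered as a sequence of bare "+" rows in the diff, so please confirm the generated HTML table header (the `++++` line) is intentional markup and not a paste artifact before merging.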

[ScanState Syntax](usmt-scanstate-syntax.md)

Lists the command-line options for using the ScanState tool.

[LoadState Syntax](usmt-loadstate-syntax.md)

Lists the command-line options for using the LoadState tool.

[UsmtUtils Syntax](usmt-utilities.md)

Lists the command-line options for using the UsmtUtils tool.

+ +  + +  + +  + + + + + diff --git a/windows/deploy/usmt-common-issues.md b/windows/deploy/usmt-common-issues.md new file mode 100644 index 0000000000..d1865b8873 --- /dev/null +++ b/windows/deploy/usmt-common-issues.md 
@@ -0,0 +1,307 @@ +--- +title: Common Issues (Windows 10) +description: Common Issues +ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Common Issues + + +The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures. + +## In This Topic + + +[User Account Problems](#user) + +[Command-line Problems](#command) + +[XML File Problems](#xml) + +[Migration Problems](#migration) + +[Offline Migration Problems](#bkmk-offline) + +[Hard Link Migration Problems](#bkmk-hardlink) + +## General Guidelines for Identifying Migration Problems + + +When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: + +- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. + + In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v***:5* option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. + + **Note**   + Running the ScanState and LoadState tools with the **/v***:5* option creates a detailed log file. 
Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. + +   + +- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +- Create a progress log using the **/Progress** option to monitor your migration. + +- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. + +- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. + +- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. + + **Note**   + USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. + +   + +## User Account Problems + + +The following sections describe common user account problems. Expand the section to see recommended solutions. 
+ +### I'm having problems creating local accounts on the destination computer. + +**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +### Not all of the user accounts were migrated to the destination computer. + +**Causes/Resolutions** There are two possible causes for this problem: + +When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode: + +1. Click **Start**. + +2. Click **All Programs**. + +3. Click **Accessories**. + +4. Right-click **Command Prompt**. + +5. Click **Run as administrator**. + +Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. + +Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account. + +### User accounts that I excluded were migrated to the destination computer. + +**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence. + +**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. + +### I am using the /uel option, but many accounts are still being included in the migration. 
+ +**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date. + +**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option. + +### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test. + +**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key. + +**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile: + +1. Open the registry editor by typing `regedit` at an elevated command prompt. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`. + + Each user profile is stored in a System Identifier key under `ProfileList`. + +3. Delete the key for the user profile you are trying to remove. + +### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool. + +**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration. + +**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. 
You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder. + +To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files. + +### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file. + +**Cause:** The computer name was changed during an offline migration of a local user profile. + +**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example, + +``` syntax +loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore +/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1 +``` + +## Command-line Problems + + +The following sections describe common command-line problems. Expand the section to see recommended solutions. + +### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters." + +**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path. + +**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters. + +### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory." 
+ +**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**. + +**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option. + +## XML File Problems + + +The following sections describe common XML file problems. Expand the section to see recommended solutions. + +### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications? + +**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file. + +**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following: + +`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log` + +### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct. + +**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](http://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements. + +### I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue? + +**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. 
You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected. + +**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file. + +## Migration Problems + + +The following sections describe common migration problems. Expand the section to see recommended solutions. + +### Files that I specified to exclude are still being migrated. + +**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration. + +**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md). + +### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly. + +**Cause:** There might be an error in the XML syntax. + +**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics: + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +[Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +[Include Files and Settings](usmt-include-files-and-settings.md) + +[Custom XML Examples](usmt-custom-xml-examples.md) + +### After LoadState completes, the new desktop background does not appear on the destination computer. + +There are three typical causes for this issue. + +**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted. 
+ +**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background. + +**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate. + +**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer. + +**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate. + +**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials. + +### I included MigApp.xml in the migration, but some PST files aren’t migrating. + +**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles. + +**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files. + +## Offline Migration Problems + + +The following sections describe common offline migration problems. Expand the section to see recommended solutions. + +### Some of my system settings do not migrate in an offline migration. 
+ +**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +**Resolution:** In an offline migration, these system settings must be restored manually. + +### The ScanState tool fails with return code 26. + +**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error". + +**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile. + +### Include and Exclude rules for migrating user profiles do not work the same offline as they do online. + +**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping. + +**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example: + +``` syntax +Scanstate /ui:S1-5-21-124525095-708259637-1543119021* +``` + +The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well. + +You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](http://go.microsoft.com/fwlink/p/?LinkId=190277). + +### My script to wipe the disk fails after running the ScanState tool on a 64-bit system. + +**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running. + +**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. 
For example, at a command prompt, type: + +``` syntax +reg.exe unload hklm\$dest$software +``` + +## Hard-Link Migration Problems + + +The following sections describe common hard-link migration problems. Expand the section to see recommended solutions. + +### EFS files are not restored to the new partition. + +**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition. + +**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store. + +### The ScanState tool cannot delete a previous hard-link migration store. + +**Cause:** The migration store contains hard links to locked files. + +**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type: + +``` syntax +USMTutils /rd +``` + +You should also reboot the machine. + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Frequently Asked Questions](usmt-faq.md) + +[Return Codes](usmt-return-codes.md) + +[UsmtUtils Syntax](usmt-utilities.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-common-migration-scenarios.md b/windows/deploy/usmt-common-migration-scenarios.md new file mode 100644 index 0000000000..dd61667933 --- /dev/null +++ b/windows/deploy/usmt-common-migration-scenarios.md 
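Review bot: The SID in the offline-migration example is malformed and will not match any account if copied: `Scanstate /ui:S1-5-21-124525095-708259637-1543119021*` should start with `S-1-5-21-` (the "S-" prefix needs the hyphen). Two other command-line points in this hunk: the return code 71 entry says "Using the **net use** command to remove a user profile will delete folders and files associated with that profile", but `net use` manages network connections, not accounts, so the intended command (presumably `net user <name> /delete`) should be verified and corrected; and the hard-link store example `USMTutils /rd` is shown without the store path argument the sentence implies it deletes, so add the placeholder argument. Smaller fixes: "**Cause \#1:**:" has a doubled colon; the path-length example uses `C:\Program Files\USMT40`, which is a USMT 4.0 install directory in a USMT 10.0 topic; and "Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect" duplicates the Best Practices wording, so a link to that topic would be cleaner than repeating it.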
@@ -0,0 +1,149 @@ +--- +title: Common Migration Scenarios (Windows 10) +description: Common Migration Scenarios +ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Common Migration Scenarios + + +You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred. + +One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. + +## In This Topic + + +[PC Refresh](#bkmk-pcrefresh) + +[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh) + +[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh) + +[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh) + +[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh) + +[PC Replacement](#bkmk-pcreplace) + +[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace) + +[Scenario Two: Manual network migration](#bkmk-twopcreplace) + +[Scenario Three: Managed network migration](#bkmk-threepcreplace) + +## PC-Refresh + + +The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. 
After installing the operating system, the administrator migrates the user state back to the source computer. + +  + +![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg) + +  + +### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store + +A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer. + +1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. + +### Scenario Two: PC-refresh using a compressed migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server. + +1. The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server. + +2. 
On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer. + +### Scenario Three: PC-refresh using a hard-link migration store + +A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer. + +1. The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. + +2. On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer. + +### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store + +A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer. + +1. 
The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. + +2. On each computer, the administrator installs the company’s SOE which includes company applications. + +3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. + +## PC-Replacement + + +The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer. + +  + +![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg) + +  + +### Scenario One: Offline migration using WinPE and an external migration store + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection. + +1. On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk. + +2. On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers. + +### Scenario Two: Manual network migration + +A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. 
In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. + +1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. + +2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. + +4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. + +### Scenario Three: Managed network migration + +A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store. + +1. On each source computer, the administrator runs the ScanState tool using Microsoft System Center Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server. + +2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications. + +3. On each of the new computers, the administrator runs the LoadState tool using System Center Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. 
LoadState migrates each user state from the migration store to one of the new computers. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Choose a Migration Store Type](usmt-choose-migration-store-type.md) + +[Offline Migration Reference](offline-migration-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-configxml-file.md b/windows/deploy/usmt-configxml-file.md new file mode 100644 index 0000000000..dea99cd9e0 --- /dev/null +++ b/windows/deploy/usmt-configxml-file.md 
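Review bot: Scenario Four of PC-Refresh (step 3) tells the reader to run ScanState and LoadState "successively" with the /hardlink /nocompress options against a Windows.old folder, but never says how ScanState is pointed at that folder instead of the freshly installed operating system; either name the option here or point to the Offline Migration Reference that Related topics already links, otherwise the scenario cannot be followed. Smaller items in the same file: Scenario Two of PC-Replacement says "from the cmd prompt" where every other scenario says "command-line tool"; the possessive alternates between "company’s" (curly) and "company's" (straight) across Scenarios One through Four and the PC-Replacement scenarios, and "Microsoft System Center Configuration Manager (SCCM)" is introduced with an abbreviation that the next step then drops in favour of the full name. Pick one form for each.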
@@ -0,0 +1,584 @@ +--- +title: Config.xml File (Windows 10) +description: Config.xml File +ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Config.xml File + + +## Config.xml File + + +The Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the **/genconfig** option with the ScanState.exe tool. If you want to include all of the default components, and do not want to change the default store-creation or profile-migration behavior, you do not need to create a Config.xml file. + +However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml and MigDocs.xml files, but you want to exclude certain components, you can create and modify a Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the Config.xml file if you want to exclude any of the operating-system settings that are migrated. It is necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior. + +The Config.xml file has a different format than the other migration .xml files, because it does not contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, as well as user-profile policy and error-control policy. For this reason, excluding components using the Config.xml file is easier than modifying the migration .xml files, because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file. + +For more information about using the Config.xml file with other migration files, such as the MigDocs.xml and MigApps.xml files, see [Understanding Migration XML Files](understanding-migration-xml-files.md). 
+ +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + +  + +## In This Topic + + +In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only. + +[<Policies>](#bkmk-policies) + +[<ErrorControl>](#bkmk-errorcontrol) + +[<fatal>](#bkmk-fatal) + +[<fileError>](#bkmk-fileerror) + +[<nonfatal>](#bkmk-nonfatal) + +[<registryError>](#bkmk-registryerror) + +[<HardLinkStoreControl>](#bkmk-hardlinkstorecontrol) + +[<fileLocked>](#bkmk-filelock) + +[<createHardLink>](#bkmk-createhardlink) + +[<errorHardLink>](#bkmk-errorhardlink) + +[<ProfileControl>](#bkmk-profilecontrol) + +[<localGroups>](#bkmk-localgroups) + +[<mappings>](#bkmk-mappings) + +[<changeGroup>](#bkmk-changegrou) + +[<include>](#bkmk-include) + +[<exclude>](#bkmk-exclude) + +[Sample Config.xml File](#bkmk-sampleconfigxjmlfile) + +## <Policies> + + +The **<Policies>** element contains elements that describe the policies that USMT follows while creating a migration store. Valid children of the **<Policies>** element are **<ErrorControl>** and **<HardLinkStoreControl>**. The **<Policies>** element is a child of **<Configuration>**. + +Syntax: ` ` + +## <ErrorControl> + + +The **<ErrorControl>** element is an optional element you can configure in the Config.xml file. The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. 
+ +- **Number of occurrences**: Once for each component + +- **Parent elements**: The **<Policies>** element + +- **Child elements**: The **<fileError>** and **<registryError>** element + +Syntax: `` + +The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users cannot be accessed because of any other reason. In the example below, the **<ErrorControl>** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error. + +Additionally, the order in the **<ErrorControl>** section implies priority. In this example, the first **<nonFatal>** tag takes precedence over the second **<fatal>** tag. This precedence is applied, regardless of how many tags are listed. + +``` syntax + + + * [*] + C:\Users\* [*] + + + HKCU\SOFTWARE\Microsoft\* [*] + + +``` + +**Important**   +The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. + +  + +### <fatal> + +The **<fatal>** element is not required. + +- **Number of occurrences**: Once for each component + +- **Parent elements**: **<fileError>** and **<registryError>** + +- **Child elements**: None. + +Syntax: ``*<pattern>*`` + + +++++ + + + + + + + + + + + + + + +
ParameterRequiredValue

errorCode

No

"any" or "specify system error message here"

+ +  + +You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration. + +## <fileError> + + +The **<fileError>** element is not required. + +- **Number of occurrences**: Once for each component + +- **Parent elements**: **<ErrorControl>** + +- **Child elements**: **<nonFatal>** and **<fatal>** + +Syntax: `` + +You use the **<fileError>** element to represent the behavior associated with file errors. + +## <nonFatal> + + +The **<nonFatal>** element is not required. + +- **Number of occurrences**: Once for each component + +- **Parent elements**: The **<fileError>** and **<registryError>** elements. + +- **Child elements**: None. + +Syntax: ``*<pattern>*`` + + +++++ + + + + + + + + + + + + + + +
ParameterRequiredValue

<errorCode>

No

"any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages.

+ +  + +You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. + +## <registryError> + + +The **<registryError>**element is not required. + +- **Number of occurrences**: Once for each component + +- **Parent elements**: **<ErrorControl>** + +- **Child elements**: **<nonfatal>** and **<fatal>** + +Syntax: `` + + +++++ + + + + + + + + + + + + + + +
ParameterRequiredValue

<errorCode>

No

"any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages.

+ +  + +You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. + +## <HardLinkStoreControl> + + +The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**. + +Syntax: ` ` + +- **Number of occurrences**: Once for each component + +- **Parent elements**: **<Policies>** + +- **Child elements**: **<fileLocked>** + +Syntax: `` + +The **<HardLinkStoreControl>** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that cannot be copied, even though is technically possible for the link to be created. + +**Important**   +The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file’s location. + +  + +``` syntax + + + + C:\Users\* + C:\* + + + + […] + + +``` + +## <fileLocked> + + +The **<fileLocked>** element contains elements that describe how to handle files that are locked for editing. The rules defined by the **<fileLocked>** element are processed in the order in which they appear in the XML file. + +Syntax: `` + +## <createHardLink> + + +The **<createHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. + +Syntax: ``*<pattern>*`` + +## <errorHardLink> + + +The **<errorHardLink>** element defines a standard MigXML pattern that describes file paths where hard links should not be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that is not possible, **Error\_Locked** is thrown. 
This is a standard Windows application programming interface (API) error that can be captured by the **<ErrorControl>** section to either cause USMT to skip the file or abort the migration. + +Syntax: ``*<pattern>*`` + +## <ProfileControl> + + +This element is used to contain other elements that establish rules for migrating profiles, users, and policies around local group membership during the migration. **<ProfileMigration>** is a child of **<Configuration>**. + +Syntax: <`ProfileControl> ` + +## <localGroups> + + +This element is used to contain other elements that establish rules for how to migrate local groups. **<localGroups>** is a child of **<ProfileControl>**. + +Syntax: ` ` + +## <mappings> + + +This element is used to contain other elements that establish mappings between groups. + +Syntax: ` ` + +## <changeGroup> + + +This element describes the source and destination groups for a local group membership change during the migration. It is a child of **<localGroups>**. The following parameters are defined: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequiredValue

From

Yes

A valid local group on the source machine that contains users selected for migration on the command line.

To

Yes

A local group that the users are to be moved to during the migration.

appliesTo

Yes

nonmigratedUsers, migratedUsers, AllUsers. This value defines which users the change group operation should apply to.

+ +  + +The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required. + +Syntax: ` ` + +## <include> + + +This element specifies that its required child, *<pattern>*, should be included in the migration. + +Syntax: ```` + +## <exclude> + + +This element specifies that its required child, *<pattern>*, should be excluded from the migration. + +Syntax: ``` ` + +## Sample Config.xml File + + +Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-conflicts-and-precedence.md b/windows/deploy/usmt-conflicts-and-precedence.md new file mode 100644 index 0000000000..9de02f7dca --- /dev/null +++ b/windows/deploy/usmt-conflicts-and-precedence.md 
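Review bot: In usmt-configxml-file.md every Syntax entry and both fenced samples render without their element tags (for example `Syntax: ` `` under <Policies>, `Syntax: ``*<pattern>*``` under <fatal>, and the Sample Config.xml File block is a run of empty lines), so the reference is unusable as written; the angle-bracket tags need to survive rendering, either escaped or kept inside the fence. Other problems visible in the hunk: the In This Topic anchors #bkmk-changegrou and #bkmk-sampleconfigxjmlfile look mistyped; the <ProfileControl> section says "<ProfileMigration> is a child of <Configuration>" (wrong element name) and its Syntax line puts the backtick inside the tag (<`ProfileControl>); <registryError> is described as "should not cause USMT to halt the migration" although its children are both <nonfatal> and <fatal>, and that child list spells it <nonfatal> while the element's own heading is <nonFatal>; <fatal> is a level-3 heading while its siblings <fileError>, <nonFatal> and <registryError> are level 2; the <fatal> parameter table lists "errorCode" where the other two tables list "<errorCode>"; <HardLinkStoreControl> has two Syntax lines; the Important note under <ErrorControl> repeats the section's opening sentence word for word; and "even though is technically possible for the link to be created" is missing "it".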
@@ -0,0 +1,459 @@ +--- +title: Conflicts and Precedence (Windows 10) +description: Conflicts and Precedence +ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Conflicts and Precedence + + +When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind. + +- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic. + +- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. + +- **If the rules are equally specific, <exclude> takes precedence over <include>.** For example, if you use the <exclude> rule to exclude a file and use the <include> rule to include the same file, the file will be excluded. + +- **The ordering of components does not matter.** It does not matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files. + +- **The ordering of the <include> and <exclude> rules within a component does not matter.** + +- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. 
For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. + +## In This Topic + + +**General** + +- [What is the relationship between rules that are located within different components?](#bkmk2) + +- [How does precedence work with the Config.xml file?](#bkmk3) + +- [How does USMT process each component in an .xml file with multiple components?](#bkmk4) + +- [How are rules processed?](#bkmk5) + +- [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6) + +**The <include> and <exclude> rules** + +- [What happens when there are conflicting include and exclude rules?](#bkmk1) + +- [<include> and <exclude> precedence examples](#precexamples) + +**File collisions** + +- [What is the default behavior when there are file collisions?](#collisions) + +- [How does the <merge> rule work when there are file collisions?](#bkmk11) + +## General + + +### What is the relationship between rules that are located within different components? + +Only rules inside the same component can affect each other, depending on specificity, except for the <unconditionalExclude> rule. Rules that are in different components do not affect each other. If there is an <include> rule in one component and an identical <exclude> rule in another component, the data will be migrated because the two rules are independent of each other. + +If you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule. + +The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component. 
+ +``` syntax + + +User Documents + + + + + C:\Userdocs\* [*.mp3] + + + + + + + + User documents to include + + + + + C:\Userdocs\ [*] + + + + + + +``` + +### How does precedence work with the Config.xml file? + +Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded. + +``` syntax + + + %CSIDL_PERSONAL%\* [*.doc] + + +``` + +### How does USMT process each component in an .xml file with multiple components? + +The ordering of components does not matter. Each component is processed independently of other components. For example, if you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule. + +### How are rules processed? + +There are two broad categories of rules. + +- **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the <include>, <exclude>, and <unconditionalExclude> rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each <include> rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it is going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer. 
+ +- **Rules that affect the behavior of only the LoadState tool**. For example, the <locationModify>, <contentModify>, and <destinationCleanup> rules do not affect ScanState. They are processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the <locationModify>and <contentModify> rules. Then, LoadState processes all of the <destinationCleanup> rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer. + +### How does USMT combine all of the .xml files that I specify on the command line? + +USMT does not distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid. + +## The <include> and <exclude> rules + + +### What happens when there are conflicting <include> and <exclude> rules? + +If there are conflicting rules within a component, the most specific rule is applied, except with the <unconditionalExclude> rule, which takes precedence over all other rules. If the rules are equally specific, then the data will be not be migrated. For example if you exclude a file, and include the same file, the file will not be migrated. If there are conflicting rules within different components, the rules do not affect each other because each component is processed independently. + +In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions. + +``` syntax + + + C:\Data\* [*] + + + + + C:\* [*.mp3] + + +``` + +### <include> and <exclude> rules precedence examples + +These examples explain how USMT deals with <include> and <exclude> rules. 
When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files. + +- [Including and excluding files](#filesex) + +- [Including and excluding registry objects](#regex) + +### Including and excluding files + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
If you have the following code in the same componentResulting behaviorExplanation
    +
  • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

  • +
  • Exclude rule: <pattern type="File">C:\* [*.txt]</pattern>

  • +

Migrates all files and subfolders in Dir1 (including all .txt files in C:).

The <exclude> rule does not affect the migration because the <include> rule is more specific.

    +
  • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

  • +
  • Exclude rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

  • +

Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1\Dir2 and its subfolders.

Both rules are processed as intended.

    +
  • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

  • +
  • Exclude rule: <pattern type="File">C:\Dir1\ * [*.txt]</pattern>

  • +

Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1 and its subfolders.

Both rules are processed as intended.

    +
  • Include rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

  • +
  • Exclude rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

  • +

Nothing will be migrated.

The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule.

    +
  • Include rule: C:\Dir1\* [*.txt]

  • +
  • Exclude rule: C:\Dir1\Dir2\* [*]

  • +

Migrates the .txt files in Dir1 and the .txt files from subfolders other than Dir2.

+

No files are migrated from Dir2 or its subfolders.

Both rules are processed as intended.

    +
  • Include rule: C:\Dir1\Dir2\* [*]

  • +
  • Exclude rule: C:\Dir1\* [*.txt]

  • +

Migrates all files and subfolders of Dir2, except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2).

Both rules are processed as intended.

+ +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
If you have the following code in different componentsResulting behaviorExplanation

Component 1:

+
    +
  • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

  • +
  • Exclude rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

  • +
+

Component 2:

+
    +
  • Include rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

  • +
  • Exclude rule: <pattern type="File">C:\Dir1\* [*]</pattern>

  • +

Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2).

Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed.

Component 1:

+
    +
  • Include rule: C:\Dir1\Dir2\* [*]

  • +
+

Component 2:

+
    +
  • Exclude rule: C:\Dir1\* [*.txt]

  • +

Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders.

Both rules are processed as intended.

Component 1:

+
    +
  • Exclude rule: C:\Dir1\Dir2\* [*]

  • +
+

Component 2:

+
    +
  • Include rule: C:\Dir1\* [*.txt]

  • +

Migrates all .txt files in Dir1 and any subfolders.

Component 1 does not contain an <include> rule, so the <exclude> rule is not processed.

+ +  + +### Including and excluding registry objects + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
If you have the following code in the same componentResulting behaviorExplanation
    +
  • Include rule: HKLM\Software\Microsoft\Command Processor\* [*]

  • +
  • Exclude Rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

  • +

Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor.

Both rules are processed as intended.

    +
  • Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

  • +
  • Exclude Rule: HKLM\Software\Microsoft\Command Processor\* [*]

  • +

Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor.

DefaultColor is migrated because the <include> rule is more specific than the <exclude> rule.

    +
  • Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

  • +
  • Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

  • +

Does not migrate DefaultColor.

The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule.

+ +  + + +++++ + + + + + + + + + + + + + + +
If you have the following code in different componentsResulting behaviorExplanation

Component 1:

+
    +
  • Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

  • +
  • Exclude rule: HKLM\Software\Microsoft\Command Processor\* [*]

  • +
+

Component 2:

+
    +
  • Include rule: HKLM\Software\Microsoft\Command Processor\* [*]

  • +
  • Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

  • +

Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor.

Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed.

+ +  + +## File collisions + + +### What is the default behavior when there are file collisions? + +If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on. + +### How does the <merge> rule work when there are file collisions? + +When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific. + +### Example scenario + +The source computer contains the following files: + +- C:\\Data\\SampleA.txt + +- C:\\Data\\SampleB.txt + +- C:\\Data\\Folder\\SampleB.txt + +The destination computer contains the following files: + +- C:\\Data\\SampleB.txt + +- C:\\Data\\Folder\\SampleB.txt + +You have a custom .xml file that contains the following code: + +``` syntax + + + c:\data\* [*] + + +``` + +For this example, the following table describes the resulting behavior if you add the code in the first column to your custom .xml file. + + ++++ + + + + + + + + + + + + + + + + + + + + +
If you specify the following codeResulting behavior
<merge script="MigXmlHelper.DestinationPriority()"> 
+   <objectSet> 
+      <pattern type="File">c:\data\* [*]</pattern> 
+   </objectSet> 
+</merge>

During ScanState, all the files will be added to the store.

+

During LoadState, only C:\Data\SampleA.txt will be restored.

<merge script="MigXmlHelper.SourcePriority()"> 
+   <objectSet> 
+      <pattern type="File">c:\data\* [*]</pattern> 
+   </objectSet> 
+</merge> 

During ScanState, all the files will be added to the store.

+

During LoadState, all the files will be restored, overwriting the existing files on the destination computer.

<merge script="MigXmlHelper.SourcePriority()"> 
+   <objectSet> 
+      <pattern type="File">c:\data\ [*]</pattern> 
+   </objectSet> 
+</merge> 

During ScanState, all the files will be added to the store.

+

During LoadState, the following will occur:

+
    +
  • C:\Data\SampleA.txt will be restored.

  • +
  • C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer.

  • +
  • C:\Data\Folder\SampleB.txt will not be restored.

  • +
+ +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-custom-xml-examples.md b/windows/deploy/usmt-custom-xml-examples.md new file mode 100644 index 0000000000..c1fa2bd582 --- /dev/null +++ b/windows/deploy/usmt-custom-xml-examples.md 
@@ -0,0 +1,313 @@ +--- +title: Custom XML Examples (Windows 10) +description: Custom XML Examples +ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Custom XML Examples + + +**Note**   +Because the tables in this topic are wide, you may need to adjust the width of its window. + +  + +## In This Topic: + + +- [Example 1: Migrating an Unsupported Application](#example) + +- [Example 2: Migrating the My Videos Folder](#example2) + +- [Example 3: Migrating Files and Registry Keys](#example3) + +- [Example 4: Migrating Specific Folders from Various Locations](#example4) + +## Example 1: Migrating an Unsupported Application + + +The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file. + +``` syntax + + + + Some Application + + + + + + value + + + + + + + + + + + + MigXMLHelper.DoesObjectExist("Registry","HKLM\Software\MyApp [win32_version]") + + + + + MigXMLHelper.DoesFileVersionMatch("%MyAppExePath%","ProductVersion","8.*") + MigXMLHelper.DoesFileVersionMatch("%MyAppExePath%","ProductVersion","9.*") + + + + + + + + + HKCU\Software\MyApp\Toolbar\* [*] + HKCU\Software\MyApp\ListView\* [*] + HKCU\Software\MyApp [ShowTips] + + + + + + + HKCU\Software\MyApp\Toolbar\* [*] + HKCU\Software\MyApp\ListView\* [*] + HKCU\Software\MyApp [ShowTips] + + + + + + + HKCU\Software\MyApp [Display] + + + + + + +``` + +## Example 2: Migrating the My Videos Folder + + +The following is a custom .xml file named CustomFile.xml that migrates My Videos for all users, if the folder exists on the source computer. + + ++++ + + + + + + + + + + + + + + + + + + + + +
CodeBehavior
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>

Verifies that My Videos exists on the source computer.

<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>

Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering.

<pattern type="File">%CSIDL_MYVIDEO%\* [*]</pattern>

Migrates My Videos for all users.

+ +  + +``` syntax + + + + My Video + + + + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%") + + + + + + %CSIDL_MYVIDEO%\* [*] + + + + + + +``` + +## Example 3: Migrating Files and Registry Keys + + +This table describes the behavior in the following example .xml file. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
CodeBehavior
<pattern type="File">%ProgramFiles%\USMTTestFolder\* [USMTTestFile.txt]</pattern>

Migrates all instances of the file Usmttestfile.txt from all sub-directories under %ProgramFiles%\USMTTestFolder.

<pattern type="File">%ProgramFiles%\USMTDIRTestFolder\* [*]</pattern>

Migrates the whole directory under %ProgramFiles%\USMTDIRTestFolder.

<pattern type="Registry">HKCU\Software\USMTTESTKEY\* [MyKey]</pattern>

Migrates all instances of MyKey under HKCU\Software\USMTTESTKEY.

<pattern type="Registry">HKLM\Software\USMTTESTKEY\* [*]</pattern>

Migrates the entire registry hive under HKLM\Software\USMTTESTKEY.

+ +  + +``` syntax + + + File Migration Test + + + + + %ProgramFiles%\USMTTestFolder\* [USMTTestFile.txt] + %ProgramFiles%\USMTDIRTestFolder\* [*] + + + + + + + Registry Migration Test + + + + + HKCU\Software\USMTTESTKEY\* [MyKey] + HKLM\Software\USMTTESTKEY\* [*] + + + + + + +``` + +## Example 4: Migrating Specific Folders from Various Locations + + +The behavior for this custom .xml file is described within the <`displayName`> tags in the code. + +``` syntax + + + + Component to migrate all Engineering Drafts subfolders without documents in this folder + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [*] + + + + + + + + Component to migrate all user documents except Sample.doc + + + + + C:\UserDocuments\* [*] + + + + + C:\UserDocuments\ [Sample.doc] + + + + + + + + Component to migrate all Requests folders on any drive on the computer + + + + + + + + + + + + + + Component to migrate all Presentations folder from any location on the C: drive + + + + + C:\*\Presentations\* [*] + C:\Presentations\* [*] + + + + + + +``` + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +[Customize USMT XML Files](usmt-customize-xml-files.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-customize-xml-files.md b/windows/deploy/usmt-customize-xml-files.md new file mode 100644 index 0000000000..94619ce485 --- /dev/null +++ b/windows/deploy/usmt-customize-xml-files.md 
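Review bot: the helper-function name is spelled two ways in this file: Example 1 writes `MigXMLHelper.DoesObjectExist` and `MigXMLHelper.DoesFileVersionMatch`, while Example 2 writes `MigXmlHelper.DoesObjectExist` and `MigXmlHelper.IgnoreIrrelevantLinks()`. Use one spelling (the rest of this change uses `MigXmlHelper`) so readers copying the template do not have to guess whether the name is case-sensitive. Two wording points in the Example 3 table: in USMT pattern syntax the bracketed part names the object, so `HKCU\Software\USMTTESTKEY\* [MyKey]` selects a value named MyKey under each subkey rather than a key (compare `HKCU\Software\MyApp [ShowTips]` in Example 1), and `HKLM\Software\USMTTESTKEY\* [*]` selects everything under a key, not a "registry hive".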
@@ -0,0 +1,133 @@ +--- +title: Customize USMT XML Files (Windows 10) +description: Customize USMT XML Files +ms.assetid: d58363c1-fd13-4f65-8b91-9986659dc93e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Customize USMT XML Files + + +## In This Topic + + +[Overview](#bkmk-overview) + +[Migration .xml Files](#bkmk-migxml) + +[Custom .xml Files](#bkmk-customxmlfiles) + +[The Config.xml File](#bkmk-configxml) + +[Examples](#bkmk-examples) + +[Additional Information](#bkmk-addlinfo) + +## Overview + + +If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate. + +If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data. + +To modify the migration, do one or more of the following. 
+ +- **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered. + +- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines. + +- **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated. + +For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +## Migration .xml Files + + +This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer. + +**Note**   +You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. + +  + +- **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. 
+ +- **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file. + +- **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options. + + **Note**   + Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. + +   + +## Custom .xml Files + + +You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic. + +## The Config.xml File + + +The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. 
The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file. + +If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state. + +When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: <Applications>, <WindowsComponents>, and <Documents>. To choose not to migrate a component, change its entry to `migrate="no"`. 
+ +After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. + +In addition, note the following functionality with the Config.xml file: + +- If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. + +- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no" `and the other line specifies `migrate="yes"`, the component will be migrated. + +- In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. 
+ +  + +### Examples + +- The following command creates a Config.xml file in the current directory, but it does not create a store: + + `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5` + +- The following command creates an encrypted store using the Config.xml file and the default migration .xml files: + + `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"` + +- The following command decrypts the store and migrates the files and settings: + + `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"` + +## Additional Information + + +- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +- For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic. + +- For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.md) topic. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[USMT Resources](usmt-resources.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-determine-what-to-migrate.md b/windows/deploy/usmt-determine-what-to-migrate.md new file mode 100644 index 0000000000..24c81b0742 --- /dev/null +++ b/windows/deploy/usmt-determine-what-to-migrate.md 
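Review bot: the Examples list under "The Config.xml File" shows the store encryption key as a literal on the command line (`/encrypt /key:"mykey"` and `/decrypt /key:"mykey"`), which leaves the key in shell history and visible to anyone who can list processes while ScanState or LoadState runs. Both tools also accept `/keyfile:<path>` in place of `/key:`; the example, or at least a caveat next to it, should steer readers to that form for anything beyond a lab. Also, the rerouting example in the Overview names the helper `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, while the rest of this file uses `MigXmlHelper` (for example `MigXmlHelper.GenerateDocPatterns` under MigDocs.xml); the name should match so the snippet can be copied as-is.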
@@ -0,0 +1,62 @@ +--- +title: Determine What to Migrate (Windows 10) +description: Determine What to Migrate +ms.assetid: 01ae1d13-c3eb-4618-b39d-ee5d18d55761 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Determine What to Migrate + + +By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. + +However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. + +To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

[Identify Users](usmt-identify-users.md)

Use command-line options to specify which users to migrate and how they should be migrated.

[Identify Applications Settings](usmt-identify-application-settings.md)

Determine which applications you want to migrate and prepare a list of application settings to be migrated.

[Identify Operating System Settings](usmt-identify-operating-system-settings.md)

Use migration to create a new standard environment on each of the destination computers.

[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)

Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.

+ +  + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-estimate-migration-store-size.md b/windows/deploy/usmt-estimate-migration-store-size.md new file mode 100644 index 0000000000..1dbd440416 --- /dev/null +++ b/windows/deploy/usmt-estimate-migration-store-size.md 
@@ -0,0 +1,134 @@ +--- +title: Estimate Migration Store Size (Windows 10) +description: Estimate Migration Store Size +ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Estimate Migration Store Size + + +The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. + +## In This Topic + + +- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. + +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. + +- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. + +## Hard Disk Space Requirements + + +- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). + +- **Source Computer.** The source computer needs enough available space for the following: + + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. 
Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + + - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. + +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: + + - [Operating system.](#bkmk-estmigstoresize) + + - [Applications.](#bkmk-estmigstoresize) + + - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. + + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + +## Calculate Disk Space Requirements using the ScanState Tool + + +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. 
The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. + +**To run the ScanState tool on the source computer with USMT installed,** + +1. Open a command prompt with administrator privileges. + +2. Navigate to the USMT tools. For example, type + + ``` syntax + cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\" + ``` + + Where *<architecture>* is x86 or amd64. + +3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type + + ``` syntax + ScanState.exe /p: + ``` + + Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example, + + ``` syntax + ScanState.exe c:\store /p:c:\spaceRequirements.xml + ``` + + The migration store will not be created by running this command, but `StorePath` is a required parameter. + +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +**Note**   +To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. + +  + +The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. 
The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. + +``` syntax + + + + 11010592768 + + + 58189144 + + +``` + +Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails. + +## Estimate Migration Store Size + + +Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. + +The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. + +**Note**   +You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. + +  + +When trying to determine how much disk space you will need, consider the following issues: + +- **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server. 
+ +- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. + +- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. + +## Related topics + + +[Common Migration Scenarios](usmt-common-migration-scenarios.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md new file mode 100644 index 0000000000..8b7c7b2c21 --- /dev/null +++ b/windows/deploy/usmt-exclude-files-and-settings.md 
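Review bot: step 2 of "To run the ScanState tool on the source computer" gives the tools path as `C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\`, but this topic covers USMT 10.0 from the Windows 10 ADK, which installs under `Windows Kits\10`; the path needs updating, and the sentence that follows refers to an `<architecture>` placeholder that the quoted path does not contain. In the Hard Disk Space Requirements list, the first source-computer bullet reads "E250 megabytes (MB)" (stray E), and almost every bullet in that list is wrapped in a link to `#bkmk-estmigstoresize`, including "Operating system." and "Applications.", which have nothing to do with the Estimate Migration Store Size section; those links should be removed.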
@@ -0,0 +1,300 @@ +--- +title: Exclude Files and Settings (Windows 10) +description: Exclude Files and Settings +ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Exclude Files and Settings + + +When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). + +In this topic: + +- [Create a custom .xml file](#options). You can use the following elements to specify what to exclude: + + - [include and exclude](#bkmk-includeexclude): You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. + + - [unconditionalExclude](#exone): You can use the <unconditionalExclude> element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. 
+ +- [Create a Config.xml file](#co): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. + +## Create a custom .xml file + + +We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +### <include> and <exclude> + +The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). + +**Note**   +If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. 
+ +  + +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#ex1) + +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#ex2) + +- [Example 3: How to exclude the files in a folder but include all subfolders](#ex3) + +- [Example 4: How to exclude a file from a specific folder](#ex4) + +- [Example 5: How to exclude a file from any location](#ex5) + +### Example 1: How to migrate all files from C:\\ except .mp3 files + +The following .xml file migrates all files located on the C: drive, except any .mp3 files. + +``` syntax + + + + MP3 Files + + + + + C:\* [*] + + + + + C:\* [*.mp3] + + + + + + +``` + +### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp + +The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. + +``` syntax + + + Test component + + + + + C:\Data\* [*] + + + + + C:\Data\temp\* [*] + + + + + + +``` + +### Example 3: How to exclude the files in a folder but include all subfolders + +The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. + +``` syntax + + + Component to migrate all Engineering Drafts Documents without subfolders + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [*] + + + + + + +``` + +### Example 4: How to exclude a file from a specific folder + +The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. + +``` syntax + + + Component to migrate all Engineering Drafts Documents except Sample.doc + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + + +``` + +### Example 5: How to exclude a file from any location + +To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. 
If multiple files exist with the same name on the C: drive, all of these files will be excluded. + +``` syntax + C:\* [Sample.doc] +``` + +To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. + +``` syntax + +``` + +[USMT XML Reference](usmt-xml-reference.md)Example 1: How to exclude all .mp3 files + +The following .xml file excludes all .mp3 files from the migration: + +``` syntax + + + Test + + + + + + + + + + + +``` + +### Example 2: How to exclude all of the files on a specific drive + +The following .xml file excludes only the files located on the C: drive. + +``` syntax + + + Test + + + + + c:\*[*] + + + + + + +``` + +### Example 3: How to exclude registry keys + +The following .xml file unconditionally excludes the HKey\_Current\_User registry key and all of its subkeys. + +``` syntax + + + + Test + + + + + HKCU\testReg[*] + + + + + HKCU\*[*] + + + + + + +``` + +### Example 4: How to Exclude C:\\Windows and C:\\Program Files + +The following .xml file unconditionally excludes the system folders of C:\\Windows and C:\\Program Files. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. + +``` syntax + + + + Test + + + + + + + + + + + + C:\Program Files\* [*] +C:\Windows\* [*] + + + + + + +``` + +## Create a Config.xml File + + +You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. 
In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. + +- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. + +- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. + +- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. + +See [Config.xml File](usmt-configxml-file.md) for more information. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. + +  + +## Related topics + + +[Customize USMT XML Files](usmt-customize-xml-files.md) + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md new file mode 100644 index 0000000000..8bd8e87680 --- /dev/null +++ b/windows/deploy/usmt-extract-files-from-a-compressed-migration-store.md 
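Review bot: Example 2's heading and intro say the exclusion is `C:\Data\tmp`, but the exclude pattern in the sample reads `C:\Data\temp\* [*]`; either the prose or the pattern should change so the two agree. In the same region, the second set of examples has lost its section heading: `[USMT XML Reference](usmt-xml-reference.md)Example 1: How to exclude all .mp3 files` runs the link straight into what should be a `### Example 1` heading (and the `<unconditionalExclude>` section that the FAQ in this patch links to is not visible), the `<script>` fence under Example 5 is empty, and the fenced samples contain only text nodes such as `MP3 Files` and `C:\* [*.mp3]` with no element tags, so a reader cannot see which pattern sits under `<include>` and which under `<exclude>`. Also `MigDocs` in the `<include> and <exclude>` paragraph is missing its `.xml` extension.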
@@ -0,0 +1,117 @@ +--- +title: Extract Files from a Compressed USMT Migration Store (Windows 10) +description: Extract Files from a Compressed USMT Migration Store +ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Extract Files from a Compressed USMT Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. + +Options used with the **/extract** option can specify: + +- The cryptographic algorithm that was used to create the migration store. + +- The encryption key or the text file that contains the encryption key. + +- Include and exclude patterns for selective data extraction. + +In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. 
+ +## In this topic + + +- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) + +- [To extract all files from a compressed migration store](#bkmk-extractallfiles) + +- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) + +- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) + +- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) + +### To run the USMTutils tool with the /extract option + +To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: + +Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<filePath>* is the location of the migration store. + +- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. + +- *<includePattern>* specifies the pattern for the files to include in the extraction. + +- *<excludePattern>* specifies the pattern for the files to omit from the extraction. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<logfile>* is the location and name of the log file. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. 
+ +### To extract all files from a compressed migration store + +To extract everything from a compressed migration store to a file on the C:\\ drive, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore +``` + +### To extract specific file types from an encrypted compressed migration store + +To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt +``` + +In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. + +### To extract all but one, or more, file types from an encrypted compressed migration store + +To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt +``` + +### To extract file types using the include pattern and the exclude pattern + +To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o +``` + +In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + 
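Review bot: The third example passes the decryption key in clear text on the command line (`/decrypt:AES_128 /key:password`); since this topic documents `/keyfile:<filename>` and the second example already uses it, the text after the example should say that a key given with `/key` is visible in command history, scripts and process listings, and steer readers to `/keyfile` with a file only the operator can read. Two smaller mismatches: the syntax line uses `<destinationPath>` while the placeholder list explains `<destination path>`, and the sentence after the second example calls the key file `encryptionKey` while the command uses `D:\encryptionKey.txt`. The syntax line also runs `Cd /d <USMTpath>` and `usmtutils /extract …` together with no line break or separator between the two commands.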
diff --git a/windows/deploy/usmt-faq.md b/windows/deploy/usmt-faq.md new file mode 100644 index 0000000000..e69272bc26 --- /dev/null +++ b/windows/deploy/usmt-faq.md 
@@ -0,0 +1,132 @@ +--- +title: Frequently Asked Questions (Windows 10) +description: Frequently Asked Questions +ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Frequently Asked Questions + + +The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + +## General + + +### How much space is needed on the destination computer? + +The destination computer needs enough available space for the following: + +- Operating system + +- Applications + +- Uncompressed store + +### Can I store the files and settings directly on the destination computer or do I need a server? + +You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + +1. Create and share the directory C:\\store on the destination computer. + +2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + +3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + +### Can I migrate data between operating systems with different languages? + +No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + +### Can I change the location of the temporary directory on the destination computer? + +Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. 
There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + +### How do I install USMT? + +Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + +### How do I uninstall USMT? + +If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + +## Files and Settings + + +### How can I exclude a folder or a certain type of file from the migration? + +You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). + +### What happens to files that were located on a drive that does not exist on the destination computer? + +USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. 
This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + +## USMT .xml Files + + +### Where can I get examples of USMT .xml files? + +The following topics include examples of USMT .xml files: + +- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +- [Include Files and Settings](usmt-include-files-and-settings.md) + +- [Custom XML Examples](usmt-custom-xml-examples.md) + +### Can I use custom .xml files that were written for USMT 5.0? + +Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + +### How can I validate the .xml files? + +You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + +### Why must I list the .xml files with both the ScanState and LoadState commands? + +The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. 
**LoadState** will migrate only the files and settings that you want to migrate. + +If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +### Which files can I modify and specify on the command line? + +You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + +### What happens if I do not specify the .xml files on the command line? + +- **ScanState** + + If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + +- **LoadState** + + If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +## Conflicts and Precedence + + +### What happens when there are conflicting XML rules or conflicting objects on the destination computer? + +For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). 
+ +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-general-conventions.md b/windows/deploy/usmt-general-conventions.md new file mode 100644 index 0000000000..ab6c9ad6b3 --- /dev/null +++ b/windows/deploy/usmt-general-conventions.md 
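Review bot: The answer to "Which files can I modify and specify on the command line?" names only MigUser.xml and MigApp.xml, while the Exclude Files and Settings topic in this same patch lists MigApp.xml, MigDocs.xml and MigUser.xml as the migration .xml files; MigDocs.xml should be added or its omission explained. The `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` example and the sentence around it are repeated verbatim in "Why must I list the .xml files…" and in the LoadState bullet of "What happens if I do not specify…"; one occurrence could point to the other. Minor: "you should use same option" needs "the".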
@@ -0,0 +1,101 @@ +--- +title: General Conventions (Windows 10) +description: General Conventions +ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# General Conventions + + +This topic describes the XML helper functions. + +## In This Topic + + +[General XML Guidelines](#bkmk-general) + +[Helper Functions](#bkmk-helperfunctions) + +## General XML Guidelines + + +Before you modify the .xml files, become familiar with the following guidelines: + +- **XML schema** + + You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. + +- **Conflits** + + In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +- **Required elements** + + The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. + +- **Required child elements** + + - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. + + - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. + +- **File names with brackets** + + If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. 
For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt] `instead of `c:\documents\mydocs [file].txt]`. + +- **Using quotation marks** + + When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. + +## Helper Functions + + +You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: + +- **All of the parameters are strings** + +- **You can leave NULL parameters blank** + + As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: + + ``` syntax + SomeFunction("My String argument",NULL,NULL) + ``` + + is equivalent to: + + ``` syntax + SomeFunction("My String argument") + ``` + +- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** + + It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + + For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + + The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + +- **You specify a location pattern in a way that is similar to how you specify an actual location** + + The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. 
+ + For example, the pattern **c:\\Windows\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-hard-link-migration-store.md b/windows/deploy/usmt-hard-link-migration-store.md new file mode 100644 index 0000000000..afddeaf45d --- /dev/null +++ b/windows/deploy/usmt-hard-link-migration-store.md 
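Review bot: The bracket example under "File names with brackets" does not illustrate the rule: the prose names a file `File.txt`, which contains no bracket, while the code spans show `c:\documents\mydocs [file^].txt]` versus `c:\documents\mydocs [file].txt]`; the file name in the prose should contain the `]` character (something like `file].txt`) for the escaping rule to make sense, and "carat" should be "caret". Under "Required child elements", both inline code spans in "if you define `` in <namedElements>, and you specify `` in <component>" are empty, so the example element is missing. Also "Conflits" should read "Conflicts", and the opening line "This topic describes the XML helper functions" does not describe a topic whose first half is general XML guidelines.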
@@ -0,0 +1,230 @@ +--- +title: Hard-Link Migration Store (Windows 10) +description: Hard-Link Migration Store +ms.assetid: b0598418-4607-4952-bfa3-b6e4aaa2c574 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Hard-Link Migration Store + + +A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs and enables entirely new migration scenarios. + +## In This Topic + + +[When to Use a Hard-Link Migration](#bkmk-when) + +[Understanding a Hard-Link Migration](#bkmk-understandhardlinkmig) + +[Scenario](#bkmk-scenario) + +[Hard-Link Migration Store Details](#bkmk-hardlinkstoredetails) + +[Hard Disk Space](#bkmk-harddiskspace) + +[Hard-Link Store Size Estimation](#bkmk-hardlinkstoresizeest) + +[Migration Store Path on Multiple Volumes](#bkmk-migstoremultvolumes) + +[Location Modifications](#bkmk-locationmodify) + +[Migrating Encrypting File System (EFS) Certificates and Files](#bkmk-efs) + +[Migrating Locked Files With the Hard-Link Migration Store](#bkmk-miglockedfiles) + +[XML Elements in the Config.xml File](#bkmk-xmlelementsinconfig) + +## When to Use a Hard-Link Migration + + +You can use a hard-link migration store when your planned migration meets both of the following criteria: + +- You are upgrading the operating system on existing hardware rather than migrating to new computers. + +- You are upgrading the operating system on the same volume of the computer. + +You cannot use a hard-link migration store if your planned migration includes any of the following: + +- You are migrating data from one computer to a second computer. 
+ +- You are migrating data from one volume on a computer to another volume, for example from C: to D:. + +- You are formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store. + +## Understanding a Hard-Link Migration + + +The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. + +When you create a hard link, you give an existing file an additional path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These are two paths to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. + +**Note**   +A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario. + +  + +For more information about hard links, please see [Hard Links and Junctions](http://go.microsoft.com/fwlink/p/?LinkId=132934) + +In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. 
Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place. + +As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system. + +**Important**   +Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. + +  + +Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons: + +- Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file. + +- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up additional disk space. 
You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. + +- Editing the file by using different paths simultaneously may result in data corruption. + +**Important**   +The read-only file attribute on migrated files is lost when the hard-link migration store is deleted. This is due to a limitation in NTFS file system hard links. + +  + +## Hard-Link Migration Scenario + + +For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated. + +1. An administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink** command-line option. The ScanState tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances. + + **Note**   + As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with Loadstate. + +   + +2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses. + +3. An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer. + +## Hard-Link Migration Store Details + + +This section provides details about hard-link migration stores. + +### Hard Disk Space + +The **/hardlink** command-line option proceeds with creating the migration store only if there is 250 megabytes (MB) of free space on the hard disk. 
Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration. + +### Hard-Link Store Size Estimation + +It is not necessary to estimate the size of a hard-link migration store. Estimating the size of a migration store is only useful in scenarios where the migration store is very large, and on NTFS volumes the hard-link migration store will require much less incremental space than other store options. The only case where the local store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual. + +### Migration Store Path on Multiple Volumes + +Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example: + +`Scanstate /hardlink c:\USMTMIG […]` + +Running this command on a system that contains the operating system on the C: drive and the user data on the D: drive will generate migration stores in the following locations, assuming that both drives are NTFS: + +C:\\USMTMIG\\ + +D:\\USMTMIG\\ + +The drive you specify on the command line for the hard-link migration store is important, because it defines where the *master migration store* should be placed. The *master migration store* is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. 
As in other scenarios, if a migration store already exists at the specified path, the **/o** option must be used to overwrite the existing data in the store. + +### Location Modifications + +Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. + +### Migrating Encrypting File System (EFS) Certificates and Files + +To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the **/efs:hardlink** option in the Scanstate command-line syntax. + +If the EFS files are being restored to a different partition, you should use the **/efs:copyraw** option instead of the **/efs:hardlink** option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The **/efs:copyraw** option will copy the files to the new partition in encrypted format. + +For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md) and the Encrypted File Options in [ScanState Syntax](usmt-scanstate-syntax.md). + +### Migrating Locked Files with the Hard-Link Migration Store + +Files that are locked by an application or the operating system are handled differently when using a hard-link migration store. + +Files that are locked by the operating system cannot remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you do not migrate any files out of the \\Windows directory, which minimizes performance-related issues. 
+ +Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service is not being utilized. The volume shadow-copy service cannot be used in conjunction with hard-link migrations. However, by modifying the new **<HardLinkStoreControl>** section in the Config.xml file, it is possible to enable the migration of files locked by an application. + +**Important**   +There are some scenarios in which modifying the **<HardLinkStoreControl>** section in the Config.xml file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use USMTutils.exe to schedule the migration store for deletion on the next restart. + +  + +## XML Elements in the Config.xml File + + +A new section in the Config.xml file allows optional configuration of some of the hard-link migration behavior introduced with the **/HardLink** option. + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

<Policies>

This element contains elements that describe the policies that USMT follows while creating a migration store.

<HardLinkStoreControl>

This element contains elements that describe how to handle files during the creation of a hard link migration store.

<fileLocked>

This element contains elements that describe how to handle files that are locked for editing.

<createHardLink>

This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.

+

Syntax: <createHardLink> [pattern] </createHardLink>

<errorHardLink>

This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application.

+

<errorHardLink> [pattern] </errorHardLink>

+ +  + +**Important**   +You must use the **/nocompress** option with the **/HardLink** option. + +  + +The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. + +``` syntax + + + + c:\Users\* [*] + C:\* [*] + + + +``` + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-how-it-works.md b/windows/deploy/usmt-how-it-works.md new file mode 100644 index 0000000000..8e6b12231e --- /dev/null +++ b/windows/deploy/usmt-how-it-works.md 
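Review bot: the Config.xml sample at the end of the Migrating Locked Files section has lost its element structure. Inside the ``` syntax fence only the two patterns `c:\Users\* [*]` and `C:\* [*]` survive, with no enclosing <Policies>, <HardLinkStoreControl>, <fileLocked>, <createHardLink> or <errorHardLink> elements, so a reader cannot tell which pattern belongs to which element even though the paragraph says the \Users pattern is the createHardLink case and C:\* is the errorHardLink case; the sample needs the elements restored (or escaped, if the converter is stripping them) before it is usable. In the same paragraph, "**File in Use<createhardlink>** tag" has run two phrases together and should read "the **<createHardLink>** tag". Two wording fixes elsewhere in the file: "regardless on the size of the migration" should be "regardless of", and "each NTFS volume that contain data being migrated" should be "contains".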
@@ -0,0 +1,145 @@ +--- +title: How USMT Works (Windows 10) +description: How USMT Works +ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# How USMT Works + + +USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. + +- [ScanState Process](#bkmk-ssprocess) + +- [LoadState Process](#bkmk-lsprocess) + + **Note**   + For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +   + +## The ScanState Process + + +When you run the ScanState tool on the source computer, it goes through the following process: + +1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. + + There are three types of components: + + - Components that migrate the operating system settings + + - Components that migrate application settings + + - Components that migrate users’ files + + The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. 
However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. + +4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: + + 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note**   + From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. + +   + + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. + + 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. + + 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. 
Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. + + **Note**   + ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. + +   + +5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. + +6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. + + **Note**   + ScanState does not modify the source computer in any way. + +   + +## The LoadState Process + + +The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. + +1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. LoadState collects information about the migration components that need to be migrated. 
+ + LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. + + - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the**/lac** command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + + - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + + - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). + +4. In the "Scanning" phase, LoadState does the following for each user profile: + + 1. For each component, LoadState checks the type of the component. 
If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note**   + From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + +   + + 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + + **Note**   + LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + +   + + 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. 
Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. + + 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. + + **Important**   + It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. + +   + +5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-how-to.md b/windows/deploy/usmt-how-to.md new file mode 100644 index 0000000000..22c489f81e --- /dev/null +++ b/windows/deploy/usmt-how-to.md 
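Review bot: step 1 of The LoadState Process reads "ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging", but this list describes LoadState, so it should say LoadState and LoadState.log. Step 3 of the same section still describes "the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8", while step 3 of The ScanState Process above says "Windows 7, Windows 8, and Windows 10"; the two should agree for a Windows 10 topic. Smaller fixes: "you must use the**/lac** command-line option" is missing a space before **/lac**, "is migrated as long, as there is not a more specific rule" has a misplaced comma, "In Windows 7, and Windows 8" has a stray comma in both places it appears, and "migunits" in LoadState step 6 should be spelled out as "migration units" as it is everywhere else in the topic.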
@@ -0,0 +1,78 @@ +--- +title: User State Migration Tool (USMT) How-to topics (Windows 10) +description: User State Migration Tool (USMT) How-to topics +ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Tool (USMT) How-to topics + + +The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

[Exclude Files and Settings](usmt-exclude-files-and-settings.md)

Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.

[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)

Recover files from a compressed migration store after installing the operating system.

[Include Files and Settings](usmt-include-files-and-settings.md)

Create a custom .xml file to include files, file types, folders, or registry settings in your migration.

[Migrate Application Settings](migrate-application-settings.md)

Migrate the settings of an application that the MigApp.xml file does not include by default.

[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)

Migrate Encrypting File System (EFS) certificates by using USMT.

[Migrate User Accounts](usmt-migrate-user-accounts.md)

Specify the users to include and exclude in your migration.

[Reroute Files and Settings](usmt-reroute-files-and-settings.md)

Create a custom .xml file to reroute files and settings during a migration.

[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)

Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.

+ +  + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[User State Migration Toolkit (USMT) Reference](usmt-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-identify-application-settings.md b/windows/deploy/usmt-identify-application-settings.md new file mode 100644 index 0000000000..ca14712f31 --- /dev/null +++ b/windows/deploy/usmt-identify-application-settings.md 
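Review bot: two link targets in the table do not follow the usmt- file naming used by every other entry: [Migrate Application Settings](migrate-application-settings.md) and [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). Confirm those files exist under those names in windows/deploy (the Identify Applications Settings topic in this change links to the same migrate-application-settings.md), otherwise the links will be broken when published.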
@@ -0,0 +1,57 @@ +--- +title: Identify Applications Settings (Windows 10) +description: Identify Applications Settings +ms.assetid: eda68031-9b02-4a5b-a893-3786a6505381 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Identify Applications Settings + + +When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md). + +## Applications + + +First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is. + +Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application. + +## Application Settings + + +Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system. + +After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. 
Next, consider the following questions to determine what needs to be done to migrate the setting successfully: + +- Is the destination version of the application newer than the source version? + +- Do these settings work with the new version? + +- Do the settings need to be moved or altered? + +- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application? + +After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application. + +## Locating Where Settings Are Stored + + +See [Migrate Application Settings](migrate-application-settings.md) and follow the directions. + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-identify-file-types-files-and-folders.md b/windows/deploy/usmt-identify-file-types-files-and-folders.md new file mode 100644 index 0000000000..3ab8ded02b --- /dev/null +++ b/windows/deploy/usmt-identify-file-types-files-and-folders.md 
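Review bot: the title, description and H1 all read "Identify Applications Settings"; the sibling topics use the singular form ("Identify Operating System Settings"), so "Identify Application Settings" is the expected wording and all three fields should match. In the Applications section, "create and prioritize a list of applications that to be migrated" is missing a verb ("that are to be migrated"). The "Locating Where Settings Are Stored" section contains only "See [Migrate Application Settings](migrate-application-settings.md) and follow the directions"; either fold that pointer into the preceding paragraph or give a one-sentence summary of what the linked topic covers.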
@@ -0,0 +1,46 @@ +--- +title: Identify File Types, Files, and Folders (Windows 10) +description: Identify File Types, Files, and Folders +ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Identify File Types, Files, and Folders + + +When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: + +- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. + +- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). + +- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. + +Once you have verified which files and file types that the end users work with regularly, you will need to locate them. 
Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. + +**To find the registered file types on a computer running Windows 7 or Windows 8** + +1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. + +2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. + +3. On this screen, the registered file types are displayed. + +For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-identify-operating-system-settings.md b/windows/deploy/usmt-identify-operating-system-settings.md new file mode 100644 index 0000000000..232fabdc33 --- /dev/null +++ b/windows/deploy/usmt-identify-operating-system-settings.md 
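Review bot: the first paragraph has stray punctuation inside the bold spans: "**My Documents.** , **C:\\Data** ," should be "**My Documents**, **C:\\Data**,". In the File types bullet, ".doc, .docx and .dotx file name extension" should be plural ("extensions"). In the New locations bullet, "Decide where files should be migrated to on the destination computer for example, \\My Documents" needs a semicolon before "for example", and "shared data on source machine" needs "the". The Excluded locations bullet (keep %WINDIR% and Program Files out of the migration) states the same recommendation as the hard-link topic in this change, which advises against migrating anything under the \Windows directory; a cross-reference between the two would help readers who arrive at only one of them.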
@@ -0,0 +1,55 @@ +--- +title: Identify Operating System Settings (Windows 10) +description: Identify Operating System Settings +ms.assetid: 1704ab18-1765-41fb-a27c-3aa3128fa242 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Identify Operating System Settings + + +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: + +- **Apperance.** + + This includes items such as wallpaper, colors, sounds, and the location of the taskbar. + +- **Action.** + + This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. + +- **Internet.** + + These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. + +- **Mail.** + + This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. + +To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. 
+ +You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. + +**Note**   +For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). + +For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +  + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-identify-users.md b/windows/deploy/usmt-identify-users.md new file mode 100644 index 0000000000..1f23cb942d --- /dev/null +++ b/windows/deploy/usmt-identify-users.md 
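Review bot: "**Apperance.**" in the first bullet is misspelled and should be "**Appearance.**". The Note box after the "You should migrate any settings that users need" paragraph holds two unrelated cross-references; the second one ("For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?]") is not a note and would sit better as body text or under Related topics.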
@@ -0,0 +1,85 @@ +--- +title: Identify Users (Windows 10) +description: Identify Users +ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Identify Users + + +It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). + +## In This Topic + + +- [Migrating Local Accounts](#bkmk-8) + +- [Migrating Domain Accounts](#bkmk-9) + +- [Command-Line Options](#bkmk-7) + +## Migrating Local Accounts + + +Before migrating local accounts, note the following: + +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the**/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. + +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. + +- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. 
+ + **Note**   + If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. + +   + +## Migrating Domain Accounts + + +The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated. + +## Command-Line Options + + +USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate. + +- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools. + + **Important**   + The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. + +   + +- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. + +- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool. + +- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option. + + **Note**   + By default, if a user name is not specified in any of the command-line options, the user will be migrated. + +   + +## Related topics + + +[Determine What to Migrate](usmt-determine-what-to-migrate.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-include-files-and-settings.md b/windows/deploy/usmt-include-files-and-settings.md new file mode 100644 index 0000000000..6142749d13 --- /dev/null +++ b/windows/deploy/usmt-include-files-and-settings.md 
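Review bot: the introduction says "By default, all users are migrated by User State Migration Tool (USMT) 5.0" in a Windows 10 topic whose siblings in this change (Include Files and Settings, Identify Operating System Settings) say USMT 10.0; the version should be updated. Every bullet link in this file, in both Migrating Local Accounts and Command-Line Options, points at the same anchor `#bkmk-8`, so they are circular (clicking "Moving users to another domain" jumps back to the local accounts section); these look like conversion leftovers and should be plain bold lead-ins rather than links. The third bullet ("If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools.") together with the Note that all migrated users then share the same password is the security consequence of the **/lac** option and deserves an Important box rather than a plain bullet. Also "use the**/lac** option" is missing a space before **/lac**.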
@@ -0,0 +1,221 @@ +--- +title: Include Files and Settings (Windows 10) +description: Include Files and Settings +ms.assetid: 9009c6a5-0612-4478-8742-abe5eb6cbac8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Include Files and Settings + + +When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) To include additional files and settings, we recommend that you create a custom .xml file and then include this file when using both the ScanState and LoadState commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +In this topic: + +[Migrate a Single Registry Key](#bkmk-migsingleregkey) + +[Migrate a Specific Folder](#bkmk-migspecificfolder) + +[Migrate a Folder from a Specific Drive](#bkmk-migfoldspecdrive) + +[Migrate a Folder from Any Location](#bkmk-migfolderanyloc) + +[Migrate a File Type Into a Specific Folder](#bkmk-migfiletypetospecificfolder) + +[Migrate a Specific File](#bkmk-migspecificfile) + +## Migrate a Single Registry Key + + +The following .xml file migrates a single registry key. + +``` syntax + + + Component to migrate only registry value string + + + + + HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] + + + + + + +``` + +## Migrate a Specific Folder + + +The following examples show how to migrate a folder from a specific drive, and from any location on the computer. + +### Migrate a Folder from a Specific Drive + +- **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. 
+ + ``` syntax + + + Component to migrate all Engineering Drafts Documents including subfolders + +    +       + + C:\EngineeringDrafts\* [*] + + +     +    + + + ``` + +- **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. + + ``` syntax + + + Component to migrate all Engineering Drafts Documents without subfolders + +    +       + + C:\EngineeringDrafts\ [*] + + +     +    + + + ``` + +### Migrate a Folder from Any Location + +The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. + +``` syntax + + + Component to migrate all Engineering Drafts Documents folder on any drive on the computer + + + + + + + + + + + + +``` + +The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. + +``` syntax + + + Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive + + + + + C:\*\EngineeringDrafts\* [*] + C:\EngineeringDrafts\* [*] + + + + + + +``` + +## Migrate a File Type Into a Specific Folder + + +The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. + +``` syntax + + + All .mp3 files to My Documents + + + + + + + + + + + + + + + + + +``` + +## Migrate a Specific File + + +The following examples show how to migrate a file from a specific folder, and how to migrate a file from any location. + +- **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. 
+ + ``` syntax + + + Component to migrate all Engineering Drafts Documents + +    +       + + C:\EngineeringDrafts\ [Sample.doc] + + +     +    + + + ``` + +- **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. + + ``` syntax + C:\* [Sample.doc] + ``` + + To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. + + ``` syntax + + ``` + +## Related topics + + +[Customize USMT XML Files](usmt-customize-xml-files.md) + +[Custom XML Examples](usmt-custom-xml-examples.md) + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-loadstate-syntax.md b/windows/deploy/usmt-loadstate-syntax.md new file mode 100644 index 0000000000..a82a0b4357 --- /dev/null +++ b/windows/deploy/usmt-loadstate-syntax.md 
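Review bot: in usmt-include-files-and-settings.md the fenced `syntax` samples carry only their text nodes (display names and patterns such as `C:\EngineeringDrafts\* [*]`), and the two "from any drive" samples (the EngineeringDrafts folder and the Sample.doc `<script>` case) are empty fences, so the reader cannot copy a working rule; the `<pattern>` element that the "To migrate a file from any location" bullet tells the reader to use never appears inside a fence. Either the element markup was dropped when the file was converted, in which case restore it, or the renderer strips tags, in which case escape them. Two display names also contradict the rules they label: the ".mp3 files into the C:\Music folder" sample is named "All .mp3 files to My Documents", and the Sample.doc sample is named "Component to migrate all Engineering Drafts Documents"; name each after what it actually migrates. Finally, the "Including subfolders" and "Excluding subfolders" bullets differ only in `C:\EngineeringDrafts\* [*]` versus `C:\EngineeringDrafts\ [*]`, but the text never says that the trailing `\*` in the folder part is what pulls in subfolders; one sentence stating that would keep readers from authoring an include rule that silently skips subfolders.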
@@ -0,0 +1,709 @@ +--- +title: LoadState Syntax (Windows 10) +description: LoadState Syntax +ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# LoadState Syntax + + +This topic discusses the **LoadState** command syntax and options. + +## In This Topic + + +[Before You Begin](#before) + +[Syntax](#bkmk-s) + +[Storage Options](#bkmk-st) + +[Migration Rule Options](#bkmk-mig) + +[Monitoring Options](#bkmk-mon) + +[User Options](#bkmk-user) + +[Incompatible Command-Line Options](#bkmk-cloi) + +## Before You Begin + + +Before you run the **LoadState** command, note the following: + +- To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials. + +- For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md). + +- You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in. + +- Unless otherwise specified, you can use each option only once when running a tool on the command line. + +- **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain. + +- The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible. + +## Syntax + + +This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. 
The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator. + +The **LoadState** command's syntax is: + +loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: + +`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` + +## Storage Options + + +USMT provides the following options that you can use to specify how and where the migrated data is stored. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

StorePath

Indicates the folder where the files and settings data are stored. You must specify StorePath when using the LoadState command. You cannot specify more than one StorePath.

/decrypt /key:KeyString

+

or

+

/decrypt /key:"Key String"

+

or

+

/decrypt /keyfile:[Path\]FileName

Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:

+
    +
  • /key:KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks.

  • +
  • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key

  • +
+

KeyString cannot exceed 256 characters.

+

The /key and /keyfile options cannot be used on the same command line.

+

The /decrypt and /nocompress options cannot be used on the same command line.

+
+Important   +

Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

+
+
+  +
+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /decrypt /key:mykey

/decrypt:"encryption strength"

The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md).

/hardlink

Enables user-state data to be restored from a hard-link migration store. The /nocompress parameter must be specified with /hardlink option.

/nocompress

Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the /decrypt option.

+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /nocompress

+ +  + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/i:[Path\]FileName

(include)

+

Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

+

For more information about which files to specify, see the "XML files" section of the [Frequently Asked Questions](usmt-faq.md) topic.

/config:[Path\]FileName

Specifies the Config.xml file that the LoadState command should use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.

+

This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

+

loadstate \\server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

/auto:"path to script files"

This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

+ +  + +## Monitoring Options + + +USMT provides several command-line options that you can use to analyze problems that occur during migration. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/l:[Path\]FileName

Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.

+

If you run the LoadState command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:load.log option.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the LoadState log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

 

+

For example:

+

loadstate \\server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

/progress:[Path\]FileName

Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /progress:prog.log /l:scanlog.log

/c

When this option is specified, the LoadState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the LoadState command will log an error and continue with the migration. Without the /c option, the LoadState command will exit on the first error. You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

/r:<TimesToRetry>

(Retry)

+

Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

+

While restoring the user state, the /r option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

/w:<SecondsBeforeRetry>

(Wait)

+

Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

/? or /help

Displays Help on the command line.

+ +  + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/all

Migrates all of the users on the computer.

+

USMT migrates all user accounts on the computer, unless you specifically exclude an account with the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the /all option, you cannot also use the /ui, /ue or /uel options.

/ui:DomainName\UserName

+

or

+

/ui:"DomainName\User Name"

+

or

+

/ui:ComputerName\LocalUserName

(User include)

+

Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

+

For example:

+
    +
  • To include only User2 from the Corporate domain, type:

    +

    /ue:*\* /ui:corporate\user2

  • +
+
+Note   +

If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

+
+
+  +
+

For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

/uel:<NumberOfDays>

+

or

+

/uel:<YYYY/MM/DD>

+

or

+

/uel:0

(User exclude based on last logon)

+

Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

+
+Note   +

The /uel option is not valid in offline migrations.

+
+
+  +
+

Examples:

+
    +
  • /uel:0 migrates accounts that were logged on to the source computer when the ScanState command was run.

  • +
  • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

  • +
  • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

  • +
  • /uel:2002/1/15 migrates users who have logged on or whose accounts have been modified since January 15, 2002.

  • +
+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

/ue:DomainName\UserName

+

or

+

/ue:"DomainName\User Name"

+

or

+

/ue:ComputerName\LocalUserName

(User exclude)

+

Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /ue:contoso\user1

+

For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.

/md:OldDomain:NewDomain

+

or

+

/md:LocalComputerName:NewDomain

(move domain)

+

Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk (*) wildcard character.

+

You can specify this option more than once. You may want to specify multiple /md options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: /md:corporate:fabrikam and /md:farnorth:fabrikam.

+

If there are conflicts between two /md commands, the first rule that you specify is applied. For example, if you specify the /md:corporate:fabrikam and /md:corporate:farnorth commands, then Corporate users would be mapped to the Fabrikam domain.

+
+Note   +

If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

+
+
+  +
+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

+

/progress:prog.log /l:load.log /md:contoso:fabrikam

/mu:OldDomain\OldUserName:[NewDomain\]NewUserName

+

or

+

/mu:OldLocalUserName:NewDomain\NewUserName

Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.

+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

+

/progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1

/lac:[Password]

(local account create)

+

Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the /lae option.

+

If the /lac option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

+

Password is the password for the newly created account. An empty password is used by default.

+
+Caution   +

Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

+

Also, if the computer has multiple users, all migrated users will have the same password.

+
+
+  +
+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

+

For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md).

/lae

(local account enable)

+

Enables the account that was created with the /lac option. You must specify the /lac option with this option.

+

For example:

+

loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

+

/progress:prog.log /l:load.log /lac:password /lae

+

For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md).

+ +  + +### Examples for the /ui and /ue options + +The following examples apply to both the **/ui** and **/ue** options. You can replace the **/ue** option with the **/ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
BehaviorCommand

Exclude the user named User One in the Corporate domain.

/ue:"corporate\user one"

Exclude the user named User1 in the Corporate domain.

/ue:corporate\user1

Exclude the local user named User1.

/ue:%computername%\user1

Exclude all domain users.

/ue:Domain\*

Exclude all local users.

/ue:%computername%\*

Exclude users in all domains named User1, User2, and so on.

/ue:*\user*

+ +  + +### Using the Options Together + +You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated. + +**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. + +**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
BehaviorCommand

Include only User2 from the Fabrikam domain and exclude all other users.

/ue:*\* /ui:fabrikam\user2

Include only the local user named User1 and exclude all other users.

/ue:*\* /ui:user1

Include only the domain users from Contoso, except Contoso\User1.

This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

+
    +
  • Using the ScanState command-line tool, type: /ue:*\* /ui:contoso\*

  • +
  • Using the LoadState command-line tool, type: /ue:contoso\user1

  • +

Include only local (non-domain) users.

/ue:*\* /ui:%computername%\*

+ +  + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line Option/keyfile/nocompress/genconfig/all

/i

/v

/nocompress

N/A

X

/key

X

X

/decrypt

Required*

X

X

/keyfile

N/A

X

/l

/progress

X

/r

X

/w

X

/c

X

/p

X

N/A

/all

X

/ui

X

X

/ue

X

X

/uel

X

X

/genconfig

N/A

/config

X

StorePath

/md

/mu

/lae

/lac

+ +  + +**Note**   +You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. + +  + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-log-files.md b/windows/deploy/usmt-log-files.md new file mode 100644 index 0000000000..89fc388cf9 --- /dev/null +++ b/windows/deploy/usmt-log-files.md @@ -0,0 +1,488 @@ +--- +title: Log Files (Windows 10) +description: Log Files +ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Log Files + + +You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This topic describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue. + +[Log Command-Line Options](#bkmk-commandlineoptions) + +[ScanState and LoadState Logs](#bkmk-scanloadstatelogs) + +[Progress Log](#bkmk-progresslog) + +[List Files Log](#bkmk-listfileslog) + +[Diagnostic Log](#bkmk-diagnosticlog) + +## Log Command-Line Options + + +The following table describes each command-line option related to logs, and it provides the log name and a description of what type of information each log contains. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command line OptionFile NameDescription

/l[Path\]FileName

Scanstate.log or LoadState.log

Specifies the path and file name of the ScanState.log or LoadState log.

/progress[Path\]FileName

Specifies the path and file name of the Progress log.

Provides information about the status of the migration, by percentage complete.

/v[VerbosityLevel]

Not applicable

See the "Monitoring Options" section in [ScanState Syntax](usmt-scanstate-syntax.md).

/listfiles[Path\]FileName

Specifies the path and file name of the Listfiles log.

Provides a list of the files that were migrated.

Set the environment variable MIG_ENABLE_DIAG to a path to an XML file.

USMTDiag.xml

The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.

+ +  + +**Note**   +You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run. + +  + +## ScanState and LoadState Logs + + +ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md). + +## Progress Log + + +You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows: + +- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006. + +- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13. + +- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10. + +The remaining fields are key/value pairs as indicated in the following table. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyValue

program

ScanState.exe or LoadState.exe.

productVersion

The full product version number of USMT.

computerName

The name of the source or destination computer on which USMT was run.

commandLine

The full command used to run USMT.

PHASE

Reports that a new phase in the migration is starting. This can be one of the following:

+
    +
  • Initializing

  • +
  • Scanning

  • +
  • Collecting

  • +
  • Saving

  • +
  • Estimating

  • +
  • Applying

  • +

detectedUser

    +
  • For the ScanState tool, these are the users USMT detected on the source computer that can be migrated.

  • +
  • For the LoadState tool, these are the users USMT detected in the store that can be migrated.

  • +

includedInMigration

Defines whether the user profile/component is included for migration. Valid values are Yes or No.

forUser

Specifies either of the following:

+
    +
  • The user state being migrated.

  • +
  • This Computer, meaning files and settings that are not associated with a user.

  • +

detectedComponent

Specifies a component detected by USMT.

+
    +
  • For ScanState, this is a component or application that is installed on the source computer.

  • +
  • For LoadState, this is a component or application that was detected in the store.

  • +

totalSizeInMBToTransfer

Total size of the files and settings to migrate in megabytes (MB).

totalPercentageCompleted

Total percentage of the migration that has been completed by either ScanState or LoadState.

collectingUser

Specifies which user ScanState is collecting files and settings for.

totalMinutesRemaining

Time estimate, in minutes, for the migration to complete.

error

Type of non-fatal error that occurred. This can be one of the following:

+
    +
  • UnableToCopy: Unable to copy to store because the disk on which the store is located is full.

  • +
  • UnableToOpen: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.

  • +
  • UnableToCopyCatalog: Unable to copy because the store is corrupted.

  • +
  • UnableToAccessDevice: Unable to access the device.

  • +
  • UnableToApply: Unable to apply the setting to the destination computer.

  • +

objectName

The name of the file or setting that caused the non-fatal error.

action

Action taken by USMT for the non-fatal error. The values are:

+
    +
  • Ignore: Non-fatal error ignored and the migration continued because the /c option was specified on the command line.

  • +
  • Abort: Stopped the migration because the /c option was not specified.

  • +

errorCode

The errorCode or return value.

numberOfIgnoredErrors

The total number of non-fatal errors that USMT ignored.

message

The message corresponding to the errorCode.

+ +  + +## List Files Log + + +The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe. + +## Diagnostic Log + + +You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file. + +The diagnostic log contains: + +- Detailed system environment information + +- Detailed user environment information + +- Information about the migration units (migunits) being gathered and their contents + +## Using the Diagnostic Log + + +The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files. + +The following examples describe common scenarios in which you can use the diagnostic log. + +**Why is this file not migrating when I authored an "include" rule for it?** + +Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains: + +``` syntax +01/21/2009 10:08 PM

. +01/21/2009 10:08 PM .. +01/21/2009 10:08 PM New Folder +01/21/2009 09:19 PM 13 test (1).txt +01/21/2009 09:19 PM 13 test.txt + 2 File(s) 26 bytes +``` + +The directory of **C:\\data\\New Folder** contains: + +``` syntax +01/21/2009 10:08 PM . +01/21/2009 10:08 PM .. +01/21/2009 10:08 PM 0 New Text Document.txt + 1 File(s) 0 bytes +``` + +To migrate these files you author the following migration XML: + +``` syntax + + + + + DATA1 + + + + + c:\data\ [*] + + + + + + + +``` + +However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: + +``` syntax + + + + + + + + + + + + + + +``` + +Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The <Perform> section details the actual files that were scheduled for gathering and the result of the gathering operation. The “New Text Document.txt” file doesn’t appear in this section, which confirms that the migration rule was not correctly authored. + +An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: + +``` syntax +c:\data\* [*] +``` + +When the migration is preformed again with the modified tag, the diagnostic log reveals the following: + +``` syntax + + + + + + + + + + + + + + + + +``` + +This diagnostic log confirms that the modified <pattern> value enables the migration of the file. + +**Why is this file migrating when I authored an exclude rule excluding it?** + +In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains: + +``` syntax +Directory of C:\Data + +01/21/2009 10:08 PM . 
+01/21/2009 10:08 PM .. +01/21/2009 10:08 PM New Folder +01/21/2009 09:19 PM 13 test (1).txt +01/21/2009 09:19 PM 13 test.txt + 2 File(s) 26 bytes +``` + +The **C:\\Data\\New Folder\\** contains: + +``` syntax +01/21/2009 10:08 PM . +01/21/2009 10:08 PM .. +01/21/2009 10:08 PM 0 New Text Document.txt + 1 File(s) 0 bytes +``` + +You author the following migration XML: + +``` syntax + + + + + DATA1 + + + + + c:\data\* [*] + + + + + + + c:\* [*.txt] + + + + + + +``` + +However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: + +``` syntax + + + + + + + + + + + + + + + + + + + + + +``` + +Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it is a problem with the authored migration XML rule. You author an update to the migration XML script as follows: + +``` syntax + + + + + DATA1 + + + + + c:\data\* [*] + + + + + + + c:\data\* [*.txt] + + + + + + + + + +``` + +Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log: + +``` syntax + + + + + + + + + + + + + + + + + + +``` + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-migrate-efs-files-and-certificates.md b/windows/deploy/usmt-migrate-efs-files-and-certificates.md new file mode 100644 index 0000000000..43a57ddc5d --- /dev/null +++ b/windows/deploy/usmt-migrate-efs-files-and-certificates.md 
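Review bot: In usmt-log-files.md, the ``` syntax blocks that are meant to show the migration XML and the diagnostic-log sections for component DATA1 arrive empty apart from the two `<pattern>` values (`c:\data\ [*]` and `c:\data\* [*]`), so the walkthrough asks the reader to compare a `<Perform>` section and include/exclude rules that are not on the page; the component markup and the log excerpts need to be restored, escaped so the renderer does not strip them as HTML. Two smaller points in the same hunk: "When the migration is preformed again" should read "performed", and because the diagnostic log written via MIG_ENABLE_DIAG contains "Detailed system environment information" and "Detailed user environment information", the topic should advise writing it to a protected location and removing it once troubleshooting is finished.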
@@ -0,0 +1,50 @@ +--- +title: Migrate EFS Files and Certificates (Windows 10) +description: Migrate EFS Files and Certificates +ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Migrate EFS Files and Certificates + + +This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## To Migrate EFS Files and Certificates + + +Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. + +**Note**   +The **/efs** options are not used with the LoadState command. + +  + +Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. + +You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: + +``` syntax +Cipher /D /S: +``` + +Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. 
+ +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-migrate-user-accounts.md b/windows/deploy/usmt-migrate-user-accounts.md new file mode 100644 index 0000000000..25c9490cbc --- /dev/null +++ b/windows/deploy/usmt-migrate-user-accounts.md 
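Review bot: In usmt-migrate-efs-files-and-certificates.md, the Cipher example `Cipher /D /S:` is missing the argument that the next sentence describes ("Where *<Path>* is the full path of the topmost parent directory"); it should read `Cipher /D /S:<Path>` with the placeholder escaped so it survives rendering. "For more information about the **/efs** For options" has a stray "For". The statement that a file whose encryption attribute was removed, but whose parent folder is still encrypted, "will be encrypted during the migration using the credentials of the account used to run the LoadState tool" needs one more sentence on the consequence: the file is then encrypted under the LoadState account rather than under its owner, so the topic should say who can decrypt it afterwards and make clear that running Cipher on the folder before ScanState, as the preceding paragraph recommends, is the way to avoid that outcome.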
@@ -0,0 +1,91 @@ +--- +title: Migrate User Accounts (Windows 10) +description: Migrate User Accounts +ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Migrate User Accounts + + +By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. + +## In this Topic + + +- [To migrate all user accounts and user settings](#bkmk-migrateall) + +- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) + +- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) + +## To migrate all user accounts and user settings + + +1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: + + `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Do one of the following: + + - If you are migrating domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + + - If you are migrating local accounts along with domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` + + **Note**   + You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. + +   + +## To migrate two domain accounts (User1 and User2) + + +1. 
Log on to the source computer as an administrator, and specify: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + +## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain + + +1. Log on to the source computer as an administrator, and type the following at the command-line prompt: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` + +## Related topics + + +[Identify Users](usmt-identify-users.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-migration-store-encryption.md b/windows/deploy/usmt-migration-store-encryption.md new file mode 100644 index 0000000000..bb6343401f --- /dev/null +++ b/windows/deploy/usmt-migration-store-encryption.md 
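Review bot: In usmt-migrate-user-accounts.md, the third procedure's heading promises to "move User1 from the Contoso domain to the Fabrikam domain", but the LoadState line uses `/mu:contoso\user1:fabrikam\user2`, which maps user1 onto a different user name; if only the domain is meant to change it should be `/mu:contoso\user1:fabrikam\user1`, otherwise the heading and a sentence explaining the rename need to change. The note on `/lac` and `/lae` explains that `/lac` alone creates a disabled local account that "a local administrator needs to enable", but not what password that account is created with or how the administrator is expected to set one before enabling it; since the option creates logon-capable accounts on the destination computer, that belongs next to the option rather than only on the LoadState Syntax page.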
@@ -0,0 +1,71 @@ +--- +title: Migration Store Encryption (Windows 10) +description: Migration Store Encryption +ms.assetid: b28c2657-b986-4487-bd38-cb81500b831d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Migration Store Encryption + + +This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration. + +## USMT Encryption Options + + +USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. + +The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration. + +The following table describes the command-line encryption options in USMT. + + +++++ + + + + + + + + + + + + + + + + + + + +
ComponentOptionDescription

ScanState

/encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm.

LoadState

/decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm.

+ +  + +**Important**   +Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) + +  + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md new file mode 100644 index 0000000000..832f03ac5f --- /dev/null +++ b/windows/deploy/usmt-overview.md 
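Review bot: In usmt-migration-store-encryption.md, the table states that both ScanState and LoadState fall back to 3DES "when the algorithm argument is not provided", while the topic's own opening calls AES the stronger option; the text should tell administrators to pass `/encrypt:AES_256` and `/decrypt:AES_256` explicitly instead of relying on the default, and the Important note about checking availability with `UsmtUtils /ec` should sit next to that advice. The introduction says the options exist "to protect the integrity of user data", but the options described select encryption algorithms, which protect the confidentiality of the store; either reword to confidentiality or document what provides integrity. The hunk also never says how the encryption key is supplied alongside `/encrypt` and `/decrypt`; a pointer to the key option on the ScanState and LoadState syntax pages belongs here. Minor: "For more information see [UsmtUtils Syntax](usmt-utilities.md)" is missing its period.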
@@ -0,0 +1,64 @@ +--- +title: User State Migration Tool (USMT) Overview (Windows 10) +description: User State Migration Tool (USMT) Overview +ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Tool (USMT) Overview + + +You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +USMT enables you to do the following: + +- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). + +- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). 
+ +## Benefits + + +USMT provides the following benefits to businesses that are deploying Windows operating systems: + +- Safely migrates user accounts, operating system and application settings. + +- Lowers the cost of deploying Windows by preserving user state. + +- Reduces end-user downtime required to customize desktops and find missing files. + +- Reduces help-desk calls. + +- Reduces the time needed for the user to become familiar with the new operating system. + +- Increases employee satisfaction with the migration experience. + +## Limitations + + +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](http://go.microsoft.com/fwlink/p/?LinkId=140248). + +There are some scenarios in which the use of USMT is not recommended. These include: + +- Migrations that require end-user interaction. + +- Migrations that require customization on a machine-by-machine basis. + +## Related topics + + +[User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-plan-your-migration.md b/windows/deploy/usmt-plan-your-migration.md new file mode 100644 index 0000000000..eaed479359 --- /dev/null +++ b/windows/deploy/usmt-plan-your-migration.md 
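Review bot: In usmt-overview.md, the Benefits bullet "Safely migrates user accounts, operating system and application settings" does not say what "safely" means; since this same change adds usmt-migration-store-encryption.md, linking the word to store encryption (and to USMT Best Practices, which usmt-reference.md in this change describes as covering security-related practices) would make the claim concrete. The Limitations section links Windows Easy Transfer over plain http; the go.microsoft.com fwlink should use https.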
@@ -0,0 +1,66 @@ +--- +title: Plan Your Migration (Windows 10) +description: Plan Your Migration +ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Plan Your Migration + + +Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. + +In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. + +One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

[Common Migration Scenarios](usmt-common-migration-scenarios.md)

Determine whether you will perform a refresh migration or a replace migration.

[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)

Learn which applications, user data, and operating system components USMT migrates.

[Choose a Migration Store Type](usmt-choose-migration-store-type.md)

Choose an uncompressed, compressed, or hard-link migration store.

[Determine What to Migrate](usmt-determine-what-to-migrate.md)

Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

[Test Your Migration](usmt-test-your-migration.md)

Test your migration before you deploy Windows to all users.

+ +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-recognized-environment-variables.md b/windows/deploy/usmt-recognized-environment-variables.md new file mode 100644 index 0000000000..8246122fd9 --- /dev/null +++ b/windows/deploy/usmt-recognized-environment-variables.md 
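Review bot: In usmt-plan-your-migration.md, the claim that restoring settings for applications not installed on the destination "can also introduce instability in a newly deployed computer" is asserted without explanation; either say what goes wrong (settings and registry data left behind with no owning application) or drop the sentence. The sentence before it, "Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes", is hard to parse; suggest "You may capture more on the source computer than you restore, for example to keep a backup, but restoring settings for applications you will not install is redundant."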
@@ -0,0 +1,465 @@ +--- +title: Recognized Environment Variables (Windows 10) +description: Recognized Environment Variables +ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Recognized Environment Variables + + +When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. + +## In This Topic + + +- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) + +- [Variables that are recognized only in the user context](#bkmk-2) + +## Variables that are processed for the operating system and in the context of each user + + +You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VariableExplanation

ALLUSERSAPPDATA

Same as CSIDL_COMMON_APPDATA.

ALLUSERSPROFILE

Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

COMMONPROGRAMFILES

Same as CSIDL_PROGRAM_FILES_COMMON.

COMMONPROGRAMFILES(X86)

Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

CSIDL_COMMON_ADMINTOOLS

Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

CSIDL_COMMON_ALTSTARTUP

The file-system directory that corresponds to the non-localized Startup program group for all users.

CSIDL_COMMON_APPDATA

The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

CSIDL_COMMON_DESKTOPDIRECTORY

The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

CSIDL_COMMON_DOCUMENTS

The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

CSIDL_COMMON_FAVORITES

The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

CSIDL_COMMON_MUSIC

The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

CSIDL_COMMON_PICTURES

The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

CSIDL_COMMON_PROGRAMS

The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

CSIDL_COMMON_STARTMENU

The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

CSIDL_COMMON_STARTUP

The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

CSIDL_COMMON_TEMPLATES

The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

CSIDL_COMMON_VIDEO

The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

CSIDL_DEFAULT_APPDATA

Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_LOCAL_APPDATA

Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_COOKIES

Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_CONTACTS

Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_DESKTOP

Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_DOWNLOADS

Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_FAVORITES

Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_HISTORY

Refers to the History folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_INTERNET_CACHE

Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_PERSONAL

Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYDOCUMENTS

Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYPICTURES

Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYMUSIC

Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_MYVIDEO

Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_RECENT

Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_SENDTO

Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_STARTMENU

Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_PROGRAMS

Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_STARTUP

Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_TEMPLATES

Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

CSIDL_DEFAULT_QUICKLAUNCH

Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

CSIDL_FONTS

A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

CSIDL_PROGRAM_FILESX86

The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

CSIDL_PROGRAM_FILES_COMMONX86

A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

CSIDL_PROGRAM_FILES

The Program Files folder. A typical path is C:\Program Files.

CSIDL_PROGRAM_FILES_COMMON

A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

CSIDL_RESOURCES

The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

CSIDL_SYSTEM

The Windows System folder. A typical path is C:\Windows\System32.

CSIDL_WINDOWS

The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

DEFAULTUSERPROFILE

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

PROFILESFOLDER

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

PROGRAMFILES

Same as CSIDL_PROGRAM_FILES.

PROGRAMFILES(X86)

Refers to the C:\Program Files (x86) folder on 64-bit systems.

SYSTEM

Refers to %WINDIR%\system32.

SYSTEM16

Refers to %WINDIR%\system.

SYSTEM32

Refers to %WINDIR%\system32.

SYSTEMPROFILE

Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

SYSTEMROOT

Refers to the root of the system drive.

WINDIR

Refers to the Windows folder located on the system drive.

+ +  + +## Variables that are recognized only in the user context + + +You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VariableExplanation

APPDATA

Same as CSIDL_APPDATA.

CSIDL_ADMINTOOLS

The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

CSIDL_ALTSTARTUP

The file-system directory that corresponds to the user's non-localized Startup program group.

CSIDL_APPDATA

The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

CSIDL_BITBUCKET

The virtual folder that contains the objects in the user's Recycle Bin.

CSIDL_CDBURN_AREA

The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

CSIDL_CONNECTIONS

The virtual folder representing Network Connections that contains network and dial-up connections.

CSIDL_CONTACTS

This refers to the Contacts folder in %CSIDL_PROFILE%.

CSIDL_CONTROLS

The virtual folder that contains icons for the Control Panel items.

CSIDL_COOKIES

The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

CSIDL_DESKTOP

The virtual folder representing the Windows desktop.

CSIDL_DESKTOPDIRECTORY

The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

CSIDL_DRIVES

The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

CSIDL_FAVORITES

The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

CSIDL_HISTORY

The file-system directory that serves as a common repository for Internet history items.

CSIDL_INTERNET

A virtual folder for Internet Explorer.

CSIDL_INTERNET_CACHE

The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

CSIDL_LOCAL_APPDATA

The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

CSIDL_MYDOCUMENTS

The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

CSIDL_MYMUSIC

The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

CSIDL_MYPICTURES

The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

CSIDL_MYVIDEO

The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

CSIDL_NETHOOD

A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

CSIDL_NETWORK

A virtual folder representing My Network Places, the root of the network namespace hierarchy.

CSIDL_PERSONAL

The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

+

A typical path is C:\Documents and Settings\username\My Documents.

CSIDL_PLAYLISTS

The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

CSIDL_PRINTERS

The virtual folder that contains installed printers.

CSIDL_PRINTHOOD

The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

CSIDL_PROFILE

The user's profile folder. A typical path is C:\Users\Username.

CSIDL_PROGRAMS

The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

CSIDL_RECENT

The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

CSIDL_SENDTO

The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

CSIDL_STARTMENU

The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

CSIDL_STARTUP

The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

CSIDL_TEMPLATES

The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

HOMEPATH

Same as the standard environment variable.

TEMP

The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

TMP

The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

USERPROFILE

Same as CSIDL_PROFILE.

USERSID

Represents the current user-account security identifier (SID). For example,

+

S-1-5-21-1714567821-1326601894-715345443-1026.

+ +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-reference.md b/windows/deploy/usmt-reference.md new file mode 100644 index 0000000000..ffe3b71ef8 --- /dev/null +++ b/windows/deploy/usmt-reference.md @@ -0,0 +1,72 @@ +--- +title: User State Migration Toolkit (USMT) Reference (Windows 10) +description: User State Migration Toolkit (USMT) Reference +ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Toolkit (USMT) Reference + + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
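Review bot: In usmt-recognized-environment-variables.md, several rows of the first table contradict each other. `CSIDL_PROGRAM_FILESX86` and `CSIDL_PROGRAM_FILES_COMMONX86` give "C:\Program Files(86)" as the typical path, while the `PROGRAMFILES(X86)` and `COMMONPROGRAMFILES(X86)` rows give "C:\Program Files (x86)", which is the correct spelling. `SYSTEMROOT` is described as "the root of the system drive", but the `CSIDL_WINDOWS` row says %SYSTEMROOT% corresponds to the Windows directory, which is right; `SYSTEMROOT` should read "Refers to the Windows folder located on the system drive", matching `WINDIR`. In the introduction, the second example path "C:\Documents and Settings on another" is cut short and should be completed so it parallels the first example, and "MigDoc.xml" should be "MigDocs.xml" as used earlier in the same paragraph. Minor: "A typical path Windows is C:\ProgramData" in the `CSIDL_COMMON_APPDATA` row, and the `CSIDL_PERSONAL` and `USERSID` rows each contain a stray paragraph break that splits their description.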

[USMT Requirements](usmt-requirements.md)

Describes operating system, hardware, and software requirements, and user prerequisites.

[USMT Best Practices](usmt-best-practices.md)

Discusses general and security-related best practices when using USMT.

[How USMT Works](usmt-how-it-works.md)

Learn about the processes behind the ScanState and LoadState tools.

[Plan Your Migration](usmt-plan-your-migration.md)

Choose what to migrate and the best migration scenario for your enterprise.

[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)

Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

[USMT XML Reference](usmt-xml-reference.md)

Learn about customizing a migration with XML files.

[Offline Migration Reference](offline-migration-reference.md)

Find requirements, best practices, and other considerations for performing a migration offline.

+ +  + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-requirements.md b/windows/deploy/usmt-requirements.md new file mode 100644 index 0000000000..1ecd866e28 --- /dev/null +++ b/windows/deploy/usmt-requirements.md @@ -0,0 +1,182 @@ +--- +title: USMT Requirements (Windows 10) +description: USMT Requirements +ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# USMT Requirements + + +## In This Topic + + +- [Supported Operating Systems](#bkmk-1) + +- [Software Requirements](#bkmk-2) + +- [Hard Disk Requirements](#bkmk-3) + +- [User Prerequisites](#bkmk-userprereqs) + +## Supported Operating Systems + + +The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. + +The following table lists the operating systems supported in USMT. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Operating SystemsScanState (source computer)LoadState (destination computer)

Windows® XP Professional

X

Windows XP Professional x64 Edition

X

32-bit versions of Windows Vista

X

X

64-bit versions of Windows Vista

X

X

32-bit versions of Windows 7

X

X

64-bit versions of Windows 7

X

X

32-bit versions of Windows 8

X

X

64-bit versions of Windows 8

X

X

32-bit versions of Windows 10

X

X

64-bit versions of Windows 10

X

X

+ +  + +**Note**   +You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. + +USMT does not support any of the Windows Server® operating systems, Windows 2000, or any of the starter editions for Windows XP, Windows Vista, or Windows 7. In addition, USMT only supports migration from Windows XP with Service Pack 3. + +  + +## Software Requirements + + +- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](http://msdn.microsoft.com/library/windows/hardware/dn938350.aspx). + +- **Must run in Administrator Mode** When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. This is because User Access Control (UAC) is enabled by default. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. + + To run in Administrator mode: + + 1. Click **Start**. + + 2. Click **All Programs**. + + 3. Click **Accessories**. + + 4. Right-click **Command Prompt**. + + 5. Click **Run as administrator**. + + 6. At the command prompt, type the `ScanState` or `LoadState` command. 
+ + **Important**   + You must run USMT in Administrator mode from an account with full administrative permissions, including the following privileges: + + - SeBackupPrivilege (Back up files and directories) + + - SeDebugPrivilege (Debug programs) + + - SeRestorePrivilege (Restore files and directories) + + - SeSecurityPrivilege (Manage auditing and security log) + + - SeTakeOwnership Privilege (Take ownership of files or other objects) + +   + +- **Specify the /c option and <ErrorControl> settings in the Config.xml file.** USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). + +- **Install applications before running the LoadState command.** Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. + +## Hard-Disk Requirements + + +Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). + +## User Prerequisites + + +This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: + +- The navigation and hierarchy of the Windows registry. + +- The files and file types that applications use. 
+ +- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. + +- XML-authoring basics. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Estimate Migration Store Size](usmt-estimate-migration-store-size.md) + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-reroute-files-and-settings.md b/windows/deploy/usmt-reroute-files-and-settings.md new file mode 100644 index 0000000000..a948ee7c8c --- /dev/null +++ b/windows/deploy/usmt-reroute-files-and-settings.md 
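Review bot: In the Software Requirements list the privilege name "SeTakeOwnership Privilege" has a stray space and should read "SeTakeOwnershipPrivilege"; readers will check these names against the output of whoami /priv or against Local Security Policy, and the spaced form will not match. In the same block, "User Access Control (UAC)" should be "User Account Control (UAC)", "Must use latest version of Window PE" should be "Windows PE", and the run-in heading "**Must run in Administrator Mode**" needs a terminating period to match the other bullets. The front matter's description: line only repeats the title; a sentence that names the supported operating systems and the administrator-mode requirement would serve search and the topic index better.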
@@ -0,0 +1,124 @@ +--- +title: Reroute Files and Settings (Windows 10) +description: Reroute Files and Settings +ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Reroute Files and Settings + + +To reroute files and settings, create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines. This enables you to keep your changes separate from the default .xml files, so that it is easier to track your modifications. + +In this topic: + +- [Reroute a Folder](#bkmk-reroutefolder) + +- [Reroute a Specific File Type](#bkmk-reroutespecfiletype) + +- [Reroute a Specific File](#bkmk-reroutespecificfile) + +## Reroute a Folder + + +The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. + +``` syntax + + + Engineering Drafts Documents to Personal Folder + +   + + + + C:\EngineeringDrafts\* [*] + +     + + + + C:\EngineeringDrafts\* [*] + +     +   + + + +``` + +## Reroute a Specific File Type + + +The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. + +``` syntax + + + All .mp3 files to My Documents + + + + + + + + + + + + + + + + + +``` + +## Reroute a Specific File + + +The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. 
+ +``` syntax + + +Sample.doc into My Documents + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + + +``` + +## Related topics + + +[Customize USMT XML Files](usmt-customize-xml-files.md) + +[Conflicts and Precedence](usmt-conflicts-and-precedence.md) + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-resources.md b/windows/deploy/usmt-resources.md new file mode 100644 index 0000000000..0cb115c915 --- /dev/null +++ b/windows/deploy/usmt-resources.md @@ -0,0 +1,45 @@ +--- +title: USMT Resources (Windows 10) +description: USMT Resources +ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# USMT Resources + + +## USMT Online Resources + + +- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx) + +- Microsoft Visual Studio + + - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. + + For more information about how to use the schema with your XML authoring environment, see the environment’s documentation. + +- [Ask the Directory Services Team blog](http://go.microsoft.com/fwlink/p/?LinkId=226365) + +- Forums: + + - [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=226386) + + - [Configuration Manager Operating System Deployment](http://go.microsoft.com/fwlink/p/?LinkId=226388) + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-return-codes.md b/windows/deploy/usmt-return-codes.md new file mode 100644 index 0000000000..4354a11ca8 --- /dev/null +++ b/windows/deploy/usmt-return-codes.md 
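Review bot: In the "Reroute a Specific File Type" section the sample's display name "All .mp3 files to My Documents" contradicts the sentence above it, which says the .mp3 files are rerouted into C:\Music on the destination computer; rename the displayName so the prose and the sample agree. The three fences are tagged "``` syntax", which is not a language identifier any highlighter recognizes; tag them as xml. As shown in the diff, the fenced blocks contain only text nodes (for example "C:\EngineeringDrafts\* [*]" and "Engineering Drafts Documents to Personal Folder") with no migration, component or include elements around them; please confirm the committed file carries the full MigXML markup, since otherwise the samples cannot be pasted into a custom .xml file or validated against MigXML.xsd as the Resources topic in this same commit suggests. Minor: "commandlines" in the first paragraph should be "command lines".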
@@ -0,0 +1,781 @@ +--- +title: Return Codes (Windows 10) +description: Return Codes +ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Return Codes + + +This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. + +Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). + +## In This Topic + + +[USMT Return Codes](#bkmk-returncodes) + +[USMT Error Messages](#bkmk-errormessages) + +[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) + +## USMT Return Codes + + +If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. + +Return codes are grouped into the following broad categories that describe their area of error reporting: + +Success or User Cancel + +Invalid Command Lines + +Setup and Initialization + +Non-fatal Errors + +Fatal Errors + +As a best practice, we recommend that you set verbosity level to 5, **/v***:5*, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. + +## USMT Error Messages + + +Error messages provide more detailed information about the migration problem than the associated return code. 
For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. + +You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](http://go.microsoft.com/fwlink/p/?LinkId=147060). + +## Troubleshooting Return Codes and Error Messages + + +The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

0

USMT_SUCCESS

Successful run

Not applicable

Success or Cancel

1

USMT_DISPLAY_HELP

Command line help requested

Not applicable

Success or Cancel

2

USMT_STATUS_CANCELED

Gather was aborted because of an EFS file

Not applicable

User chose to cancel (such as pressing CTRL+C)

Not applicable

Success or Cancel

3

USMT_WOULD_HAVE_FAILED

At least one error was skipped as a result of /c

Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

11

USMT_INVALID_PARAMETERS

/all conflicts with /ui, /ue or /uel

Review ScanState log or LoadState log for details about command-line errors.

/auto expects an optional parameter for the script folder

Review ScanState log or LoadState log for details about command-line errors.

/encrypt can't be used with /nocompress

Review ScanState log or LoadState log for details about command-line errors.

/encrypt requires /key or /keyfile

Review ScanState log or LoadState log for details about command-line errors.

/genconfig can't be used with most other options

Review ScanState log or LoadState log for details about command-line errors.

/genmigxml can't be used with most other options

Review ScanState log or LoadState log for details about command-line errors.

/hardlink requires /nocompress

Review ScanState log or LoadState log for details about command-line errors.

/key and /keyfile both specified

Review ScanState log or LoadState log for details about command-line errors.

/key or /keyfile used without enabling encryption

Review ScanState log or LoadState log for details about command-line errors.

/lae is only used with /lac

Review ScanState log or LoadState log for details about command-line errors.

/listfiles cannot be used with /p

Review ScanState log or LoadState log for details about command-line errors.

/offline requires a valid path to an XML file describing offline paths

Review ScanState log or LoadState log for details about command-line errors.

/offlinewindir requires a valid path to offline windows folder

Review ScanState log or LoadState log for details about command-line errors.

/offlinewinold requires a valid path to offline windows folder

Review ScanState log or LoadState log for details about command-line errors.

A command was already specified

Verify that the command-line syntax is correct and that there are no duplicate commands.

An option argument is missing

Review ScanState log or LoadState log for details about command-line errors.

An option is specified more than once and is ambiguous

Review ScanState log or LoadState log for details about command-line errors.

By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

Review ScanState log or LoadState log for details about command-line errors.

Command line arguments are required. Specify /? for options.

Review ScanState log or LoadState log for details about command-line errors.

Command line option is not valid

Review ScanState log or LoadState log for details about command-line errors.

EFS parameter specified is not valid for /efs

Review ScanState log or LoadState log for details about command-line errors.

File argument is invalid for /genconfig

Review ScanState log or LoadState log for details about command-line errors.

File argument is invalid for /genmigxml

Review ScanState log or LoadState log for details about command-line errors.

Invalid space estimate path. Check the parameters and/or file system permissions

Review ScanState log or LoadState log for details about command-line errors.

List file path argument is invalid for /listfiles

Review ScanState log or LoadState log for details about command-line errors.

Retry argument must be an integer

Review ScanState log or LoadState log for details about command-line errors.

Settings store argument specified is invalid

Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

Specified encryption algorithm is not supported

Review ScanState log or LoadState log for details about command-line errors.

The /efs:hardlink requires /hardlink

Review ScanState log or LoadState log for details about command-line errors.

The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

Review ScanState log or LoadState log for details about command-line errors.

The store parameter is required but not specified

Review ScanState log or LoadState log for details about command-line errors.

The source-to-target domain mapping is invalid for /md

Review ScanState log or LoadState log for details about command-line errors.

The source-to-target user account mapping is invalid for /mu

Review ScanState log or LoadState log for details about command-line errors.

Undefined or incomplete command line option

Review ScanState log or LoadState log for details about command-line errors.

Invalid Command Lines

Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

Review ScanState log or LoadState log for details about command-line errors.

User exclusion argument is invalid

Review ScanState log or LoadState log for details about command-line errors.

Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

Review ScanState log or LoadState log for details about command-line errors.

Volume shadow copy feature is not supported with a hardlink store

Review ScanState log or LoadState log for details about command-line errors.

Wait delay argument must be an integer

Review ScanState log or LoadState log for details about command-line errors.

12

USMT_ERROR_OPTION_PARAM_TOO_LARGE

Command line arguments cannot exceed 256 characters

Review ScanState log or LoadState log for details about command-line errors.

Invalid Command Lines

Specified settings store path exceeds the maximum allowed length of 256 characters

Review ScanState log or LoadState log for details about command-line errors.

13

USMT_INIT_LOGFILE_FAILED

Log path argument is invalid for /l

When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

Invalid Command Lines

14

USMT_ERROR_USE_LAC

Unable to create a local account because /lac was not specified

When creating local accounts, the command-line options /lac and /lae should be used.

Invalid Command Lines

26

USMT_INIT_ERROR

Multiple Windows installations found

Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

Setup and Initialization

Software malfunction or unknown exception

Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

27

USMT_INVALID_STORE_LOCATION

A store path can't be used because an existing store exists; specify /o to overwrite

Specify /o to overwrite an existing intermediate or migration store.

Setup and Initialization

A store path is missing or has incomplete data

Make sure that the store path is accessible and that the proper permission levels are set.

An error occurred during store creation

Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

An inappropriate device such as a floppy disk was specified for the store

Make sure that the store path is accessible and that the proper permission levels are set.

Invalid store path; check the store parameter and/or file system permissions

Invalid store path; check the store parameter and/or file system permissions

The file layout and/or file content is not recognized as a valid store

Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

The store path holds a store incompatible with the current USMT version

Make sure that the store path is accessible and that the proper permission levels are set.

The store save location is read-only or does not support a requested storage option

Make sure that the store path is accessible and that the proper permission levels are set.

28

USMT_UNABLE_GET_SCRIPTFILES

Script file is invalid for /i

Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

Setup and Initialization

Unable to find a script file specified by /i

Verify the location of your script files, and ensure that the command-line options are correct.

29

USMT_FAILED_MIGSTARTUP

A minimum of 250 MB of free space is required for temporary files

Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

Setup and Initialization

Another process is preventing migration; only one migration tool can run at a time

Check the ScanState log file for migration .xml file errors.

Failed to start main processing, look in log for system errors or check the installation

Check the ScanState log file for migration .xml file errors.

Migration failed because of an XML error; look in the log for specific details

Check the ScanState log file for migration .xml file errors.

Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

Check the ScanState log file for migration .xml file errors.

31

USMT_UNABLE_FINDMIGUNITS

An error occurred during the discover phase; the log should have more specific information

Check the ScanState log file for migration .xml file errors.

Setup and Initialization

32

USMT_FAILED_SETMIGRATIONTYPE

An error occurred processing the migration system

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

Setup and Initialization

33

USMT_UNABLE_READKEY

Error accessing the file specified by the /keyfile parameter

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

Setup and Initialization

The encryption key must have at least one character

Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

34

USMT_ERROR_INSUFFICIENT_RIGHTS

Directory removal requires elevated privileges

Log on as Administrator, and run with elevated privileges.

Setup and Initialization

No rights to create user profiles; log in as Administrator; run with elevated privileges

Log on as Administrator, and run with elevated privileges.

No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

Log on as Administrator, and run with elevated privileges.

35

USMT_UNABLE_DELETE_STORE

A reboot is required to remove the store

Reboot to delete any files that could not be deleted when the command was executed.

Setup and Initialization

A store path can't be used because it contains data that could not be overwritten

A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

There was an error removing the store

Review ScanState log or LoadState log for details about command-line errors.

36

USMT_ERROR_UNSUPPORTED_PLATFORM

Compliance check failure; please check the logs for details

Investigate whether there is an active temporary profile on the system.

Setup and Initialization

Use of /offline is not supported during apply

The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

Use /offline to run gather on this platform

The /offline command was not used while running in WinPE.

37

USMT_ERROR_NO_INVALID_KEY

The store holds encrypted data but the correct encryption key was not provided

Verify that you have included the correct encryption /key or /keyfile.

Setup and Initialization

38

USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

An error occurred during store access

Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

Setup and Initialization

39

USMT_UNABLE_TO_READ_CONFIG_FILE

Error reading Config.xml

Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

Setup and Initialization

File argument is invalid for /config

Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

40

USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

Error writing to the progress log

The Progress log could not be created. Verify that the location is valid and that you have write access.

Setup and Initialization

Progress log argument is invalid for /progress

The Progress log could not be created. Verify that the location is valid and that you have write access.

41

USMT_PREFLIGHT_FILE_CREATION_FAILED

Can't overwrite existing file

The Progress log could not be created. Verify that the location is valid and that you have write access.

Setup and Initialization

Invalid space estimate path. Check the parameters and/or file system permissions

Review ScanState log or LoadState log for details about command-line errors.

42

USMT_ERROR_CORRUPTED_STORE

The store contains one or more corrupted files

Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).

61

USMT_MIGRATION_STOPPED_NONFATAL

Processing stopped due to an I/O error

USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

Non-fatal Errors

71

USMT_INIT_OPERATING_ENVIRONMENT_FAILED

A Windows Win32 API error occurred

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Fatal Errors

An error occurred when attempting to initialize the diagnostic mechanisms such as the log

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Failed to record diagnostic information

Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

Unable to start. Make sure you are running USMT with elevated privileges

Exit USMT and log in again with elevated privileges.

72

USMT_UNABLE_DOMIGRATION

An error occurred closing the store

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Fatal Errors

An error occurred in the apply process

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

An error occurred in the gather process

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Out of disk space while writing the store

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

Out of temporary disk space on the local system

Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

+ +  + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Log Files](usmt-log-files.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-scanstate-syntax.md b/windows/deploy/usmt-scanstate-syntax.md new file mode 100644 index 0000000000..09eb224de7 --- /dev/null +++ b/windows/deploy/usmt-scanstate-syntax.md 
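Review bot: Several rows of the troubleshooting table pair an error message with a mitigation written for a different message, which defeats the table's purpose. Under 26 USMT_INIT_ERROR, "Multiple Windows installations found" is answered with "Listfiles.txt could not be created..."; under 29 USMT_FAILED_MIGSTARTUP, both "Another process is preventing migration; only one migration tool can run at a time" and "Unable to automatically map the drive letters ... Use /offline to provide a mapping table" get "Check the ScanState log file for migration .xml file errors"; under 35 USMT_UNABLE_DELETE_STORE, "There was an error removing the store" gets the generic command-line-errors text; and under 36 USMT_ERROR_UNSUPPORTED_PLATFORM, "Use of /offline is not supported during apply" is answered with "The /offline command was not used while running in WinPE", which states the opposite of the error. Under 27 the "Invalid store path" row repeats the error message verbatim as its mitigation. Rows 3 USMT_WOULD_HAVE_FAILED and 42 USMT_ERROR_CORRUPTED_STORE have no Category cell, unlike every other row, and row 26 writes the option as /I where the rest of the table uses /i. For return code 2, "Gather was aborted because of an EFS file" with mitigation "Not applicable" is unhelpful; pointing the reader to the /efs option, which the table itself references under code 11, would be better. Finally, the markup "**/v***:5*" in the best-practice paragraph nests emphasis oddly and is likely to render as literal asterisks; putting /v:5 in code formatting reads cleanly.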
@@ -0,0 +1,864 @@ +--- +title: ScanState Syntax (Windows 10) +description: ScanState Syntax +ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# ScanState Syntax + + +The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. + +## In This Topic + + +[Before You Begin](#bkmk-beforeyoubegin) + +[Syntax](#bkmk-syntax) + +[Storage Options](#bkmk-storageoptions) + +[Migration Rule Options](#bkmk-migrationruleoptions) + +[Monitoring Options](#bkmk-monitoringoptions) + +[User Options](#bkmk-useroptions) + +[Encrypted File Options](#bkmk-efs) + +[Incompatible Command-Line Options](#bkmk-iclo) + +## Before You Begin + + +Before you run the **ScanState** command, note the following: + +- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. + +- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. + +- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). + +- Unless otherwise noted, you can use each option only once when running a tool on the command line. + +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. 
+ +- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. + +- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. + +## Syntax + + +This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. + +The **ScanState** command's syntax is: + +scanstate \[*StorePath*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example: + +To create a Config.xml file in the current directory, use: + +`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` + +To create an encrypted store using the Config.xml file and the default migration .xml files, use: + +`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` + +## Storage Options + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

StorePath

Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

/o

Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

/vsc

This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

+

This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

/hardlink

Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

/encrypt [{/key:<KeyString> | /keyfile:<file>]}

Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

+
    +
  • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

  • +
  • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

  • +
+

We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

+
+Important   +

You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

+
+
+  +
+

The following example shows the ScanState command and the /key option:

+

scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /encrypt /key:mykey

/encrypt:<EncryptionStrength>

The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md).

/nocompress

Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

+

The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

+

For example:

+

scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /nocompress

+ +  + +## Run the ScanState Command on an Offline Windows System + + +You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. + +There are several benefits to running the **ScanState** command on an offline Windows image, including: + +- **Improved Performance.** + + Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. + +- **Simplified end to end deployment process.** + + Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. + +- **Improved success of migration.** + + The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. + +- **Ability to recover an unbootable computer.** + + It might be possible to recover and migrate data from an unbootable computer. + +## Offline Migration Options + + + ++++ + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDefinition

/offline:"path to an offline.xml file"

This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

/offlinewindir:"path to a Windows directory"

This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

/offlinewinold:"Windows.old directory"

This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

+ +  + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/i:[Path\]FileName

(include)

+

Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the [Frequently Asked Questions](usmt-faq.md) topic.

/genconfig:[Path\]FileName

(Generate Config.xml)

+

Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

+

After you create this file, you will need to make use of it with the ScanState command using the /config option.

+

The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

+

Examples:

+
    +
  • The following example creates a Config.xml file in the current directory:

    +

    scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

  • +

/config:[Path\]FileName

Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

+

The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

+

scanstate \\server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

+

The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

+

loadstate \\server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

/auto:path to script files

This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

/genmigxml:path to a file

This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

/targetwindows8

Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

+
    +
  • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

  • +
  • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

  • +

/targetwindows7

Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

+
    +
  • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

  • +
  • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

  • +

/localonly

Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

+

Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).

+

The /localonly command-line option includes or excludes data in the migration as identified in the following table:

+ ++++ + + + + + + + + + + + + + + + + + + + + +
Drive typeBehavior with /localonly

Removable drives such as a USB flash drive

Excluded

Network drives

Excluded

Fixed drives

Included

+

 

+ +  + +## Monitoring Options + + +USMT provides several options that you can use to analyze problems that occur during migration. + +**Note**   +The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/listfiles:<FileName>

You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

/l:[Path\]FileName

Specifies the location and name of the ScanState log.

+

You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

+

If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the ScanState log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

 

+

For example:

+

scanstate \\server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

+

/progress:[Path\]FileName

Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

+

For example:

+

scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /progress:prog.log /l:scanlog.log

/c

When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

+

You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

/r:<TimesToRetry>

(Retry)

+

Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

+

While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

/w:<SecondsBeforeRetry>

(Wait)

+

Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

/p:<pathToFile>

When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

+

Scanstate.exe C:\MigrationLocation [additional parameters]

+

/p:"C:\MigrationStoreSize.xml"

+

For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

+

To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

/? or /help

Displays Help at the command line.

+ +  + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionDescription

/all

Migrates all of the users on the computer.

+

USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

/ui:<DomainName>\<UserName>

+

or

+

/ui:<ComputerName>\<LocalUserName>

(User include)

+

Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

+
+Note   +

If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

+
+
+  +
+

For example:

+
    +
  • To include only User2 from the Fabrikam domain, type:

    +

    /ue:*\* /ui:fabrikam\user2

  • +
  • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

    +

    /uel:30 /ui:fabrikam\*

    +

    In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

  • +
+

For more examples, see the descriptions of the /ue and /ui options in this table.

/uel:<NumberOfDays>

+

or

+

/uel:<YYYY/MM/DD>

+

or

+

/uel:0

(User exclude based on last logon)

+

Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

+

You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

+
+Note   +

The /uel option is not valid in offline migrations.

+
+
+  +
+
    +
  • /uel:0 migrates any users who are currently logged on.

  • +
  • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

  • +
  • /uel:1 migrates users whose account has been modified within the last 24 hours.

  • +
  • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

  • +
+

For example:

+

scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

/ue:<DomainName>\<UserName>

+

-or-

+

+

/ue:<ComputerName>\<LocalUserName>

(User exclude)

+

Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

+

For example:

+

scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

+ +  + +## How to Use /ui and /ue + + +The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
BehaviorCommand

Exclude the user named User One in the Fabrikam domain.

/ue:"fabrikam\user one"

Exclude the user named User1 in the Fabrikam domain.

/ue:fabrikam\user1

Exclude the local user named User1.

/ue:%computername%\user1

Exclude all domain users.

/ue:Domain\*

Exclude all local users.

/ue:%computername%\*

Exclude users in all domains named User1, User2, and so on.

/ue:*\user*

+ +  + +## Using the Options Together + + +You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. + +The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. + +The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
BehaviorCommand

Include only User2 from the Fabrikam domain and exclude all other users.

/ue:*\* /ui:fabrikam\user2

Include only the local user named User1 and exclude all other users.

/ue:*\* /ui:user1

Include only the domain users from Contoso, except Contoso\User1.

This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

+
    +
  • On the ScanState command line, type: /ue:*\* /ui:contoso\*

  • +
  • On the LoadState command line, type: /ue:contoso\user1

  • +

Include only local (non-domain) users.

/ue:*\* /ui:%computername%\*

+ +  + +## Encrypted File Options + + +You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. + +For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + +**Note**   +EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files + +  + +**Caution**   +Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line OptionExplanation

/efs:hardlink

Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

/efs:abort

Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

/efs:skip

Causes the ScanState command to ignore EFS files.

/efs:decryptcopy

Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

/efs:copyraw

Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

+

For example:

+

ScanState /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /efs:copyraw

+
+Important   +

All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).

+
+
+  +
+ +  + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-Line Option/keyfile/nocompress/genconfig/all

/i

/o

/v

/nocompress

X

N/A

/localonly

X

/key

X

X

/encrypt

Required*

X

X

/keyfile

N/A

X

/l

/progress

X

/r

X

/w

X

/c

X

/p

X

N/A

/all

X

/ui

X

X

/ue

X

X

/uel

X

X

/efs:<option>

X

/genconfig

N/A

/config

X

<StorePath>

X

+ +  + +**Note**   +You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. + +  + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md new file mode 100644 index 0000000000..03ecf596bc --- /dev/null +++ b/windows/deploy/usmt-technical-reference.md 
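Review bot: the encryption guidance in the Storage Options table of usmt-scanstate-syntax.md is too weak for the threat it describes. The /encrypt row recommends that KeyString be "at least eight characters long" and the worked example passes the key inline (`scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /encrypt /key:mykey`), while the Important box itself concedes that anyone who can read the script has the key; a key on the command line is also visible in process listings and any command-line auditing, not only in the script. Suggest a substantially longer minimum, a preference for /keyfile with a tightly restricted file over /key, and an explicit statement of what the table already implies: /hardlink requires /nocompress and /nocompress cannot be combined with /encrypt, so a hard-link store can never be encrypted and the hidden folder named "File" at StorePath\USMT holds user data in the clear. The /efs:decryptcopy row needs the same caution as copyraw, since it leaves the file "unencrypted in the migration store" and on an unencrypted store on a network share the EFS protection is silently lost. Two documentation defects in the same hunk: the syntax line is missing the closing `\]` after `/genconfig:[Path\]FileName`, and several documented options (/vsc, /hardlink, /encrypt:EncryptionStrength, /listfiles, /auto, /genmigxml, /targetwindows7, /targetwindows8, the /offline options and /efs:hardlink) do not appear in it at all.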
@@ -0,0 +1,80 @@ +--- +title: User State Migration Tool (USMT) Technical Reference (Windows 10) +description: The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. +ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Tool (USMT) Technical Reference + + +The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals. + +Download the Windows ADK [from this website](http://go.microsoft.com/fwlink/p/?LinkID=526803). + +USMT 10.0 includes three command-line tools: + +- ScanState.exe + +- LoadState.exe + +- UsmtUtils.exe + +USMT 10.0 also includes a set of three modifiable .xml files: + +- MigApp.xml + +- MigDocs.xml + +- MigUser.xml + +Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +USMT 10.0 tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](http://go.microsoft.com/fwlink/p/?LinkId=246564). + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + +

[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)

Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.

[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)

Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.

[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)

Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.

[User State Migration Toolkit (USMT) Reference](usmt-reference.md)

Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.

+ +  + +## Related topics + + +[Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx) + +  + +  + + + + + diff --git a/windows/deploy/usmt-test-your-migration.md b/windows/deploy/usmt-test-your-migration.md new file mode 100644 index 0000000000..05e999a34d --- /dev/null +++ b/windows/deploy/usmt-test-your-migration.md 
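Review bot: the Windows ADK download pointer at the top of usmt-technical-reference.md is a plain `http://go.microsoft.com/fwlink/p/?LinkID=526803` link, as is the USMT 4.0 User's Guide link; a pointer to a deployment-toolkit download should use https so the redirect cannot be tampered with in transit. The last row of the In This Section table also names the product "User State Migration Toolkit (USMT) Reference" while every other occurrence, including the page title, says "User State Migration Tool"; suggest aligning the link text with the title of usmt-reference.md. Minor style point: "USMT 10.0 tools can be used on several versions of Windows operating systems, for more information, see" is a comma splice and should be two sentences.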
@@ -0,0 +1,48 @@ +--- +title: Test Your Migration (Windows 10) +description: Test Your Migration +ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Test Your Migration + + +Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data. + +After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store. + +If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. + +In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v***:5* option when testing your migration. 
This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. + +**Note**   +Running the ScanState and LoadState tools with the **/v***:5* option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. + +  + +After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=140246). + +**Note**   +For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. + +  + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +[Log Files](usmt-log-files.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-topics.md b/windows/deploy/usmt-topics.md new file mode 100644 index 0000000000..400aa1aee7 --- /dev/null +++ b/windows/deploy/usmt-topics.md 
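Review bot: the verbosity recommendation in usmt-test-your-migration.md conflicts with the ScanState reference in the same change: this page tells testers to use `/v:5`, while every example in usmt-scanstate-syntax.md uses `/v:13`, and the verbosity table there defines 5 as "verbose and status output" and 13 as adding debugger output. Pick one and cross-reference the table. The Note recommending an uncompressed `/hardlink /nocompress` store for testing should also state that such a store cannot be encrypted (the ScanState page lists /nocompress and /encrypt as incompatible) and that the hidden "File" folder at StorePath\USMT exposes the gathered user files to anyone who can read the store location, so a test store should be access-restricted and removed after troubleshooting. The Configuration Manager link is also plain http.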
@@ -0,0 +1,58 @@ +--- +title: User State Migration Tool (USMT) Overview Topics (Windows 10) +description: User State Migration Tool (USMT) Overview Topics +ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Tool (USMT) Overview Topics + + +The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. + +## In This Section + + + ++++ + + + + + + + + + + + + + + +

[User State Migration Tool (USMT) Overview](usmt-overview.md)

Describes the benefits and limitations of using USMT.

[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)

Describes the general process to follow to migrate files and settings, and provides links to more information.

[Windows Upgrade and Migration Considerations](windows-upgrade-and-migration-considerations.md)

Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.

+ +  + +## Related topics + + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[User State Migration Toolkit (USMT) Reference](usmt-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-troubleshooting.md b/windows/deploy/usmt-troubleshooting.md new file mode 100644 index 0000000000..576f9801c9 --- /dev/null +++ b/windows/deploy/usmt-troubleshooting.md @@ -0,0 +1,68 @@ +--- +title: User State Migration Tool (USMT) Troubleshooting (Windows 10) +description: User State Migration Tool (USMT) Troubleshooting +ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# User State Migration Tool (USMT) Troubleshooting + + +The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

[Common Issues](usmt-common-issues.md)

Find troubleshooting solutions for common problems in USMT.

[Frequently Asked Questions](usmt-faq.md)

Find answers to questions about how to use USMT.

[Log Files](usmt-log-files.md)

Learn how to enable logging to help you troubleshoot issues in USMT.

[Return Codes](usmt-return-codes.md)

Learn how to use return codes to identify problems in USMT.

[USMT Resources](usmt-resources.md)

Find more information and support for using USMT.

+ +  + +## Related topics + + +[USMT Best Practices](usmt-best-practices.md) + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Toolkit (USMT) Reference](usmt-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-utilities.md b/windows/deploy/usmt-utilities.md new file mode 100644 index 0000000000..eb9081b082 --- /dev/null +++ b/windows/deploy/usmt-utilities.md @@ -0,0 +1,346 @@ +--- +title: UsmtUtils Syntax (Windows 10) +description: UsmtUtils Syntax +ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# UsmtUtils Syntax + + +This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: + +- Improve your ability to determine cryptographic options for your migration. + +- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. + +- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. + +- Extract files from the compressed migration store when you migrate files and settings to the destination computer. + +## In This Topic + + +[Usmtutils.exe](#bkmk-usmtutils-exe) + +[Verify Options](#bkmk-verifyoptions) + +[Extract Options](#bkmk-extractoptions) + +## Usmtutils.exe + + +The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. + +The syntax for UsmtUtils.exe is: + +usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-line OptionDescription

/ec

Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

/rd<storeDir>

Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

+

For example:

+

usmtutils /rd D:\MyHardLinkStore

/y

Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

/verify

Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

+

See [Verify Options](#bkmk-verifyoptions) for syntax and options to use with /verify.

/extract

Recovers files from a compressed USMT migration store.

+

See [Extract Options](#bkmk-extractoptions) for syntax and options to use with /extract.

+ +  + +## Verify Options + + +Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +The syntax for **/verify** is: + +usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Command-line OptionDescription

<reportType>

Specifies whether to report on all files, corrupted files only, or the status of the catalog.

+
    +
  • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

  • +
  • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

  • +
  • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

  • +
  • Catalog. Returns only the status of the catalog file.

  • +
/l: +

<logfilePath>

Specifies the location and name of the log file.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the UsmtUtils log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

 

/decrypt<AlgID>/:<KeyString>

+

or

+

/decrypt<AlgID>/:<“Key String”>

+

or

+

/decrypt:<AlgID>/keyfile:<FileName>

Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

+
    +
  • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

    +

    <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

  • +
  • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

  • +
  • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

  • +
+

For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md)

+ +  + +Some examples of **/verify** commands: + +- `usmtutils /verify D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` + +## Extract Options + + +Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +The syntax for **/extract** is: + +/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Command-line OptionDescription

<filePath>

Path to the USMT migration store.

+

For example:

+

D:\MyMigrationStore\USMT\store.mig

<destinationPath>

Path to the folder where the tool puts the individual files.

/i:<includePattern>

Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

/e:<excludePattern>

Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

/l:<logfilePath>

Specifies the location and name of the log file.

/v:<VerbosityLevel>

(Verbosity)

+

Enables verbose output in the UsmtUtils log file. The default value is 0.

+

You can set the VerbosityLevel to one of the following levels:

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelExplanation

0

Only the default errors and warnings are enabled.

1

Enables verbose output.

4

Enables error and status output.

5

Enables verbose and status output.

8

Enables error output to a debugger.

9

Enables verbose output to a debugger.

12

Enables error and status output to a debugger.

13

Enables verbose, status, and debugger output.

+

 

/decrypt<AlgID>/key:<KeyString>

+

or

+

/decrypt<AlgID>/:<“Key String”>

+

or

+

/decrypt:<AlgID>/keyfile:<FileName>

Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

+
    +
  • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

    +

    <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

  • +
  • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

  • +
  • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

  • +
+

For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md).

/o

Overwrites existing output files.

+ +  + +Some examples of **/extract** commands: + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[Return Codes](usmt-return-codes.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-what-does-usmt-migrate.md b/windows/deploy/usmt-what-does-usmt-migrate.md new file mode 100644 index 0000000000..83b3851c29 --- /dev/null +++ b/windows/deploy/usmt-what-does-usmt-migrate.md 
@@ -0,0 +1,417 @@ +--- +title: What Does USMT Migrate (Windows 10) +description: What Does USMT Migrate +ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# What Does USMT Migrate? + + +## In This Topic + + +- [Default Migration Scripts](#bkmk-defaultmigscripts) + +- [User Data](#bkmk-3) + +- [Operating-System Components](#bkmk-4) + +- [Supported Applications](#bkmk-2) + +- [What USMT Does Not Migrate](#no) + +## Default Migration Scripts + + +The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: + +- **MigApp.XML.** Rules to migrate application settings. + +- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. + +- **MigUser.XML.** Rules to migrate user profiles and user data. + + MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. + + The following data does not migrate with MigUser.xml: + + - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. + + - Access control lists (ACLs) for folders outside the user profile. + +## User Data + + +This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. 
+ +- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: + + My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + +- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: + + - Shared Documents + + - Shared Video + + - Shared Music + + - Shared desktop files + + - Shared Pictures + + - Shared Start menu + + - Shared Favorites + +- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: + + **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** + + **Note**   + The asterisk (\*) stands for zero or more characters. + +   + +- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. + +**Important**   +To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. 
+ +  + +## Operating-System Components + + +USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 + +The following components are migrated by default using the manifest files: + +- Accessibility settings + +- Address book + +- Command-prompt settings + +- \*Desktop wallpaper + +- EFS files + +- Favorites + +- Folder options + +- Fonts + +- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. + +- \*Windows Internet Explorer® settings + +- Microsoft® Open Database Connectivity (ODBC) settings + +- Mouse and keyboard settings + +- Network drive mapping + +- \*Network printer mapping + +- \*Offline files + +- \*Phone and modem options + +- RAS connection and phone book (.pbk) files + +- \*Regional settings + +- Remote Access + +- \*Taskbar settings + +- User personal certificates (all) + +- Windows Mail. + +- \*Windows Media Player + +- Windows Rights Management + +\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). + +**Important**   +This list may not be complete. There may be additional components that are migrated. + +  + +**Note**   +Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. + +  + +## Supported Applications + + +Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. 
+ +**Note**   +The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. + +  + +**Note**   +USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. + +  + +When you specify the MigApp.xml file, USMT migrates the settings for the following applications: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ProductVersion

Adobe Acrobat Reader

9

AOL Instant Messenger

6.8

Adobe Creative Suite

2

Adobe Photoshop CS

8, 9

Adobe ImageReady CS

Apple iTunes

6, 7, 8

Apple QuickTime Player

5, 6, 7

Apple Safari

3.1.2

Google Chrome

beta

Google Picasa

3

Google Talk

beta

IBM Lotus 1-2-3

9

IBM Lotus Notes

6,7, 8

IBM Lotus Organizer

5

IBM Lotus WordPro

9.9

Intuit Quicken Deluxe

2009

Money Plus Business

2008

Money Plus Home

2008

Mozilla Firefox

3

Microsoft Office

2003, 2007, 2010

Microsoft Office Access®

2003, 2007, 2010

Microsoft Office Excel®

2003, 2007, 2010

Microsoft Office FrontPage®

2003, 2007, 2010

Microsoft Office OneNote®

2003, 2007, 2010

Microsoft Office Outlook®

2003, 2007, 2010

Microsoft Office PowerPoint®

2003, 2007, 2010

Microsoft Office Publisher

2003, 2007, 2010

Microsoft Office Word

2003, 2007, 2010

Opera Software Opera

9.5

Microsoft Outlook Express

(only mailbox file)

Microsoft Project

2003, 2007

Microsoft Office Visio®

2003, 2007

RealPlayer Basic

11

Sage Peachtree

2009

Skype

3.8

Windows Live Mail

12, 14

Windows Live Messenger

8.5, 14

Windows Live MovieMaker

14

Windows Live Photo Gallery

12, 14

Windows Live Writer

12, 14

Windows Mail

(Windows 7 and 8)

Microsoft Works

9

Yahoo Messenger

9

Microsoft Zune™ Software

3

+ +  + +## What USMT Does Not Migrate + + +The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). + +### Application Settings + +USMT does not migrate the following application settings: + +- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. + +- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. + +- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. + +- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: + + - You change the default installation location on 32-bit destination computers. + + - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. 
+ +### Operating-System Settings + +USMT does not migrate the following operating-system settings. + +- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. + +- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. + +- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. + +- Customized icons for shortcuts may not migrate. + +- Taskbar settings, when the source computer is running Windows XP. + +You should also note the following: + +- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. + +- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-xml-elements-library.md b/windows/deploy/usmt-xml-elements-library.md new file mode 100644 index 0000000000..87ffc8c9c3 --- /dev/null 
+++ b/windows/deploy/usmt-xml-elements-library.md @@ -0,0 +1,4232 @@ +--- +title: XML Elements Library (Windows 10) +description: XML Elements Library +ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# XML Elements Library + + +## Overview + + +This topic describes the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). It is assumed that you understand the basics of XML. . + +## In This Topic + + +In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions. + +- [Elements and helper functions](#elements) + +- [Appendix](#appendix) + + - [Specifying locations](#locations) + + - [Internal USMT functions](#internalusmtfunctions) + + - [Valid version tags](#allowed) + +## Elements and Helper Functions + + +The following table describes the XML elements and helper functions you can use with USMT. + + +++++ + + + + + + + + + + + + + + +
Elements A-KElements L-ZHelper functions

[<addObjects>](#addobjects)

+

[<attributes>](#attribute)

+

[<bytes>](#bytes)

+

[<commandLine>](#commandline)

+

[<component>](#component)

+

[<condition>](#condition)

+

[<conditions>](#conditions)

+

[<content>](#content)

+

[<contentModify>](#contentmodify)

+

[<description>](#description)

+

[<destinationCleanup>](#destinationcleanup)

+

[<detect>](#detect)

+

[<detects>](#detects)

+

[<detection>](#detection)

+

[<displayName>](#displayname)

+

[<environment>](#bkmk-environment)

+

[<exclude>](#exclude)

+

[<excludeAttributes>](#excludeattributes)

+

[<extensions>](#extensions)

+

[<extension>](#extension)

+

[<externalProcess>](#externalprocess)

+

[<icon>](#icon)

+

[<include>](#include)

+

[<includeAttribute>](#includeattributes)

[<library>](#library)

+

[<location>](#location)

+

[<locationModify>](#locationmodify)

+

[<_locDefinition>](#locdefinition)

+

[<manufacturer>](#manufacturer)

+

[<merge>](#merge)

+

[<migration>](#migration)

+

[<namedElements>](#namedelements)

+

[<object>](#object)

+

[<objectSet>](#objectset)

+

[<path>](#path)

+

[<paths>](#paths)

+

[<pattern>](#pattern)

+

[<processing>](#processing)

+

[<plugin>](#plugin)

+

[<role>](#role)

+

[<rules>](#rules)

+

[<script>](#script)

+

[<text>](#text)

+

[<unconditionalExclude>](#unconditionalexclude)

+

[<variable>](#variable)

+

[<version>](#version)

+

[<windowsObjects>](#windowsobjects)

[<condition> functions](#conditionfunctions)

+

[<content> functions](#contentfunctions)

+

[<contentModify> functions](#contentmodifyfunctions)

+

[<include> and <exclude> filter functions](#persistfilterfunctions)

+

[<locationModify> functions](#locationmodifyfunctions)

+

[<merge> functions](#mergefunctions)

+

[<script> functions](#scriptfunctions)

+

[Internal USMT functions](#internalusmtfunctions)

+ +  + +## <addObjects> + + +The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attribute) as child elements of this <object> element. + +- **Optional child elements:**[<conditions>](#conditions), <condition>, [<script>](#script) + +Syntax: + +<addObjects> + +</addObjects> + +The following example is from the MigApp.xml file: + +``` syntax + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] + DWORD + 0B000000 + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] + DWORD + 00000000 + + +``` + +## <attributes> + + +The <attributes> element defines the attributes for a registry key or file. + +- **Number of occurrences:** once for each <object> + +- **Parent elements:**[<object>](#object) + +- **Child elements:** none + +Syntax: + +<attributes>*Content*</attributes> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

Content

Yes

The content depends on the type of object specified.

+
    +
  • For files, the content can be a string containing any of the following attributes separated by commas:

    +
      +
    • Archive

    • +
    • Read-only

    • +
    • System

    • +
    • Hidden

    • +
  • +
  • For registry keys, the content can be one of the following types:

    +
      +
    • None

    • +
    • String

    • +
    • ExpandString

    • +
    • Binary

    • +
    • Dword

    • +
    • REG_SZ

    • +
  • +
+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] + DWORD + 00000000 + +``` + +## <bytes> + + +You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored. + +- **Number of occurrences:** zero or one + +- **Parent elements:**[<object>](#object) + +- **Child elements:** none + +Syntax: + +<bytes string="Yes|No" expand="Yes|No">*Content*</bytes> + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

string

No, default is No

Determines whether Content should be interpreted as a string or as bytes.

expand

No (default = Yes

When the expand parameter is Yes, the content of the <bytes> element is first expanded in the context of the source computer and then interpreted.

Content

Yes

Depends on the value of the string.

+
    +
  • When the string is Yes: the content of the <bytes> element is interpreted as a string.

  • +
  • When the string is No: the content of the <bytes> element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, "616263" is the representation for the "abc" ANSI string. A complete representation of the UNICODE string "abc" including the string terminator would be: "6100620063000000".

  • +
+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] + DWORD + 00000000 + +``` + +## <commandLine> + + +You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<externalProcess>](#externalprocess) + +- **Child elements:** none**** + +Syntax: + +<commandLine>*CommandLineString*</commandLine> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

CommandLineString

Yes

A valid command line.

+ +  + +## <component> + + +The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. + +A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<migration>](#migration), [<role>](#role) + +- **Required child elements:**[<role>](#role), [<displayName>](#displayname) + +- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions) + +Syntax: + +<component type="System|Application|Device|Documents" context="User|System|UserAndSystem" defaultSupported="TRUE|FALSE|YES|NO" + +hidden="Yes|No"> + +</component> + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

type

Yes

You can use the following to group settings, and define the type of the component.

+
    +
  • System: Operating system settings. All Windows® components are defined by this type.

    +

    When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

  • +
  • Application: Settings for an application.

  • +
  • Device: Settings for a device.

  • +
  • Documents: Specifies files.

  • +

context

No

+

Default = UserAndSystem

Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both.

+

The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If a <rules> element has a context of System, it would act as though the <rules> element is not there.

+
    +
  • User. Evaluates the component for each user.

  • +
  • System. Evaluates the component only once for the system.

  • +
  • UserAndSystem. Evaluates the component for the entire operating system and each user.

  • +

defaultSupported

No

+

(default = TRUE)

Can be any of TRUE, FALSE, YES or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer.

+

When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

hidden

 

This parameter is for internal USMT use only.

+ +  + +For an example, see any of the default migration .xml files. + +## <condition> + + +Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements. + +The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated. + +- **Number of occurrences:** unlimited. + +- **Parent elements:**[<conditions>](#conditions), <detect>, <objectSet>, <addObjects> + +- **Child elements:** none + +- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent. + +Syntax: + +<condition negation="Yes|No">*ScriptName*</condition> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

negation

No

+

Default = No

"Yes" reverses the True/False value of the condition.

ScriptName

Yes

A script that has been defined within this migration section.

+ +  + +For example, + +In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: + +``` syntax + + + A + + + B + + +``` + +However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. + +``` syntax + + + A + B + + +``` + +### <condition> functions + +The <condition> functions return a Boolean value. You can use these elements in <addObjects> conditions. + +- [Operating system version functions](#operatingsystemfunctions) + +- [Object content functions](#objectcontentfunctions) + +### Operating system version functions + +- **DoesOSMatch** + + All matches are case insensitive. + + Syntax: DoesOSMatch("*OSType*","*OSVersion*") + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

OSType

Yes

The only valid value for this setting is NT. Note, however, that you must set this setting for the <condition> functions to work correctly.

OSVersion

Yes

The major version, minor version, build number and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.

+ +   + + For example: + + <condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition> + +- **IsNative64Bit** + + The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE. + +- **IsOSLaterThan** + + All comparisons are case insensitive. + + Syntax: IsOSLaterThan("*OSType*","*OSVersion*") + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

OSType

Yes

Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE.

OSVersion

Yes

The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.

+

The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to OSVersion.

+ +   + + For example: + + <condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition> + +- **IsOSEarlierThan** + + All comparisons are case insensitive. + + Syntax: IsOSEarlierThan("*OSType*","*OSVersion*") + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

OSType

Yes

Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE.

OSVersion

Yes

The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.

+

The IsOSEarlierThan function returns TRUE if the current operating system is earlier than OSVersion.

+ +   + +### Object content functions + +- **DoesObjectExist** + + The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration. + + Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*") + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType

Yes

Defines the object type. Can be File or Registry.

EncodedLocationPattern

Yes

The [location pattern](#locations). Environment variables are allowed.

+ +   + + For an example of this element, see the MigApp.xml file. + +- **DoesFileVersionMatch** + + The pattern check is case insensitive. + + Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

EncodedFileLocation

Yes

The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.

VersionTag

Yes

The [version tag](#allowed) value that will be checked.

VersionValue

Yes

A string pattern. For example, "Microsoft*".

+ +   + + For example: + + <condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition> + + <condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition> + +- **IsFileVersionAbove** + + The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*. + + Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

EncodedFileLocation

Yes

The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.

VersionTag

Yes

The [version tag](#allowed) value that will be checked.

VersionValue

Yes

The value to compare to. You cannot specify a pattern.

+ +   + +- **IsFileVersionBelow** + + Syntax: IsFileVersionBelow("*EncodedFileLocation*","*VersionTag*","*VersionValue*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

EncodedFileLocation

Yes

The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.

VersionTag

Yes

The [version tag](#allowed) value that will be checked.

VersionValue

Yes

The value to compare to. You cannot specify a pattern.

+ +   + +- **IsSystemContext** + + The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE. + + Syntax: IsSystemContext() + +- **DoesStringContentEqual** + + The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`. + + Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType

Yes

Defines the type of object. Can be File or Registry.

EncodedLocationPattern

Yes

The [encoded location](#locations) for the object that will be examined. You can specify environment variables.

StringContent

Yes

The string that will be checked against.

+ +   + + For example: + + ``` syntax + MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") + ``` + +- **DoesStringContentContain** + + The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object. + + Syntax: DoesStringContentContain("*ObjectType*","*EncodedLocation*","*StrToFind*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType

Yes

Defines the type of object. Can be File or Registry.

EncodedLocationPattern

Yes

The [encoded location](#locations) for the object that will be examined. You can specify environment variables.

StrToFind

Yes

A string that will be searched inside the content of the given object.

+ +   + +- **IsSameObject** + + The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE. + + Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType

Yes

Defines the type of object. Can be File or Registry.

EncodedLocation1

Yes

The [encoded location](#locations) for the first object. You can specify environment variables.

EncodedLocation2

Yes

The [encoded location](#locations) for the second object. You can specify environment variables.

+ +   + + For example: + + ``` syntax + + MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") + %CSIDL_FAVORITES%\* [*] + + ``` + +- **IsSameContent** + + The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte. + + Syntax: IsSameContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType1

Yes

Defines the type of the first object. Can be File or Registry.

EncodedLocation1

Yes

The [encoded location](#locations) for the first object. You can specify environment variables.

ObjectType2

Yes

Defines the type of the second object. Can be File or Registry.

EncodedLocation2

Yes

The [encoded location](#locations) for the second object. You can specify environment variables.

+ +   + +- **IsSameStringContent** + + The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string. + + Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType1

Yes

Defines the type of the first object. Can be File or Registry.

EncodedLocation1

Yes

The [encoded location](#locations) for the first object. You can specify environment variables.

ObjectType2

Yes

Defines the type of the second object. Can be File or Registry.

EncodedLocation2

Yes

The [encoded location](#locations) for the second object. You can specify environment variables.

+ +   + +## <conditions> + + +The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter. + +- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) + +- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset) + +- **Child elements:**[<conditions>](#conditions), [<condition>](#condition) + +Syntax: + +<conditions operation="AND|OR"> + +</conditions> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

operation

No, default = AND

Defines the Boolean operation that is performed on the results that are obtained from the child elements.

+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + + MigXmlHelper.IsNative64Bit() + + + HKLM\Software + + +``` + +## <content> + + +You can use the <content> element to specify a list of object patterns to obtain an object set from the source computer. Each <objectSet> within a <content> element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the <content> element. The filter script returns an array of locations. The parent <objectSet> element can contain multiple child <content> elements. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<objectSet>](#objectset) + +- **Child elements:**[<objectSet>](#objectset) + +- **Helper functions:** You can use the following [<content> functions](#contentfunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory. + +Syntax: + +<content filter="*ScriptInvocation*"> + +</content> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

filter

Yes

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script is called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.

+ +  + +### <content> functions + +The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating. + +- **ExtractSingleFile** + + If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL. + + Syntax: ExtractSingleFile(*Separators*,*PathHints*) + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

Separators

Yes

A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL.

PathHints

Yes

A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.

+ +   + + For example: + + ``` syntax + + ``` + + and + + ``` syntax + + ``` + +- **ExtractMultipleFiles** + + The ExtractMultipleFiles function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a MULTI-SZ, the MULTI-SZ separator is considered a separator by default. therefore, for MULTI-SZ, the <Separators> argument must be NULL. + + The returned patterns are the encoded locations for files that must exist on the source computer. If the specification is correct in the registry value but the file does not exist, it will not be included in the resulting list. + + Syntax: ExtractMultipleFiles(*Separators*,*PathHints*) + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

Separators

Yes

A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values.

PathHints

Yes

A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.

+ +   + +- **ExtractDirectory** + + The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed. + + Syntax: ExtractDirectory(*Separators*,*LevelsToTrim*,*PatternSuffix*) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

Separators

No

A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values.

LevelsToTrim

Yes

The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location.

PatternSuffix

Yes

The pattern to add to the directory specification. For example, * [*].

+ +   + + For example: + + ``` syntax + + + + %HklmWowSoftware%\Classes\Software\RealNetworks\Preferences\DT_Common [] + + + + ``` + +## <contentModify> + + +The <contentModify> element modifies the content of an object before it is written to the destination computer. For each <contentModify> element there can be multiple <objectSet> elements. This element returns the new content of the object that is being processed. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child elements:**[<objectSet>](#objectset) + +- **Helper functions**: You can use the following [<contentModify> functions](#contentmodifyfunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent. + +Syntax: + +<contentModify script="*ScriptInvocation*"> + +</contentModify> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

script

Yes

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.

+ +  + +### <contentModify> functions + +The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating. + +- **ConvertToDWORD** + + The ConvertToDWORD function converts the content of registry values that are enumerated by the parent <ObjectSet> element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied. + + Syntax: ConvertToDWORD(*DefaultValueOnError*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

DefaultValueOnError

No

The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.

+ +   + +- **ConvertToString** + + The ConvertToString function converts the content of registry values that match the parent <ObjectSet> element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied. + + Syntax: ConvertToString(*DefaultValueOnError*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

DefaultValueOnError

No

The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.

+ +   + + For example: + + ``` syntax + + + HKCU\Control Panel\Desktop [ScreenSaveUsePassword] + + + ``` + +- **ConvertToBinary** + + The ConvertToBinary function converts the content of registry values that match the parent <ObjectSet> element to a binary type. + + Syntax: ConvertToBinary () + +- **OffsetValue** + + The OffsetValue function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of 14, and the *Value* is "-2", the registry value will be 12 on the destination computer. + + Syntax: OffsetValue(*Value*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

Value

Yes

The string representation of a numeric value. It can be positive or negative. For example, OffsetValue(2).

+ +   + +- **SetValueByTable** + + The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied. + + Syntax: SetValueByTable(*SourceTable*,*DestinationTable*,*DefaultValueOnError*) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

SourceTable

Yes

A list of values separated by commas that are possible for the source registry values.

DestinationTable

No

A list of translated values separated by commas.

DefaultValueOnError

No

The value that will be applied to the destination computer if either 1) the value for the source computer does not match SourceTable, or 2) DestinationTable has no equivalent value.

+

If DefaultValueOnError is NULL, the value will not be changed on the destination computer.

+ +   + +- **KeepExisting** + + You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer. + + Syntax: KeepExisting("*OptionString*","*OptionString*","*OptionString*",…) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

OptionString

Yes

OptionString can be Security, TimeFields, or FileAttrib:Letter. You can specify one of each type of OptionStrings. Do not specify multiple OptionStrings with the same value. If you do, the right-most option of that type will be kept. For example, do not specify ("FileAttrib:H", "FileAttrib:R") because only Read-only will be evaluated. Instead specify ("FileAttrib:HR") and both Hidden and Read-only attributes will be kept on the destination computer.

+
    +
  • Security. Keeps the destination object's security descriptor if it exists.

  • +
  • TimeFields. Keeps the destination object's time stamps. This parameter is for files only.

  • +
  • FileAttrib:Letter. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after "FileAttrib:". You can specify any combination of the following attributes:

    +
      +
    • A = Archive

    • +
    • C = Compressed

    • +
    • E = Encrypted

    • +
    • H = Hidden

    • +
    • I = Not Content Indexed

    • +
    • O = Offline

    • +
    • R = Read-Only

    • +
    • S = System

    • +
    • T = Temporary

    • +
  • +
+ +   + +- **MergeMultiSzContent** + + The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and` String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed. + + Syntax: MergeMultiSzContent (*Instruction*,*String*,*Instruction*,*String*,…) + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

Instruction

Yes

Can be one of the following:

+
    +
  • Add. Adds the corresponding String to the resulting MULTI-SZ if it is not already there.

  • +
  • Remove. Removes the corresponding String from the resulting MULTI-SZ.

  • +

String

Yes

The string to be added or removed.

+ +   + +- **MergeDelimitedContent** + + The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed. + + Syntax: MergeDelimitedContent(*Delimiters*,*Instruction*,*String*,…) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

Delimiters

Yes

A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the Delimiters.

+

For example, "." will separate the string based on a period.

Instruction

Yes

Can one of the following:

+
    +
  • Add. Adds String to the resulting MULTI-SZ if it is not already there.

  • +
  • Remove. Removes String from the resulting MULTI-SZ.

  • +

String

Yes

The string to be added or removed.

+ +   + +## <description> + + +The <description> element defines a description for the component but does not affect the migration. + +- **Number of occurrences:** zero or one + +- **Parent elements:**[<component>](#component) + +- **Child elements:** none + +Syntax: + +<description>*ComponentDescription*</description> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

ComponentDescription

Yes

The description of the component.
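Review bot: the sentence introducing the <description> example that follows this table ends with a stray ".:" ("...the "My custom component" description.:"); drop the period.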

+ +  + +The following code sample shows how the <description> element defines the "My custom component" description.: + +``` syntax +My custom component +``` + +## <destinationCleanup> + + +The <destinationCleanup> element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool. + +**Important**   +Use this option with extreme caution because it will delete objects from the destination computer. + +  + +For each <destinationCleanup> element there can be multiple <objectSet> elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Child elements:**[<objectSet>](#objectset) (Note that the destination computer will delete all child elements.) + +Syntax: + +<destinationCleanup filter=*ScriptInvocation*> + +</destinationCleanup> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

filter

Yes

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
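Review bot: the filter row of the <destinationCleanup> table reuses the <include> wording ("enumerated by the object sets in the include rule ... If the return value is TRUE, the object will be migrated"), but this element deletes objects on the destination computer before apply, so the row should say what TRUE and FALSE mean here (deleted or left alone). The Syntax line also writes filter=*ScriptInvocation* without quotes, unlike <exclude filter="*ScriptInvocation*"> and the other elements; quote it. Given the "Important" warning that the element deletes objects, it would help to add that the <objectSet> patterns under it should be as narrow as possible, since a broad pattern is destructive on every destination computer the XML is applied to.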

+ +  + +For example: + +``` syntax + + + HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*] + HKCU\Software\Lotus\123\99.0\Find Preferences\* [*] + + +``` + +## <detect> + + +Although the <detect> element is still supported, we do not recommend using it because it may be deprecated in future versions of USMT. In that case, you would have to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection)**element.** + +You use the <detect> element to determine if the component is present on a system. If all child <detect> elements within a <detect> element resolve to TRUE, then the <detect> element resolves to TRUE. If any child <detect> elements resolve to FALSE, then their parent <detect> element resolves to FALSE. If there is no <detect> element section, then USMT will assume that the component is present. + +For each <detect> element there can be multiple child <condition> or <objectSet> elements, which will be logically joined by an OR operator. If at least one <condition> or <objectSet> element evaluates to TRUE, then the <detect> element evaluates to TRUE. + +- **Number of occurrences:** unlimited + +- **Parent elements:** <detects>, [<namedElements>](#namedelements) + +- **Required child elements:**[<condition>](#condition) + +- **Optional child elements:**[<objectSet>](#objectset) + +Syntax: + +<detect name="*ID*" context="User|System|UserAndSystem"> + +</detect> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

name

Yes, when <detect> is a child to <namedElements>

+

No, when <detect> is a child to <detects>

When ID is specified, any child elements are not processed. Instead, any other <detect> elements with the same name that are declared within the <namedElements> element are processed.

context

No

+

(default = UserAndSystem)

Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.

+

The largest possible scope is set by the component element. For example, if a <component> element has a context of User, and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.

+
    +
  • User. Evaluates the variables for each user.

  • +
  • System. Evaluates the variables only once for the system.

  • +
  • UserAndSystem. Evaluates the variables for the entire operating system and each user.

  • +
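Review bot: the two <detect> paragraphs disagree on the combining logic. The first says "If all child <detect> elements within a <detect> element resolve to TRUE, then the <detect> element resolves to TRUE" (AND, with <detect> nested in <detect>), while the next paragraph says the child <condition> or <objectSet> elements "will be logically joined by an OR operator". The first sentence looks lifted from the <detects> description; it should talk about child <condition>/<objectSet> elements and agree with the OR rule, or the OR paragraph needs correcting. Separately, the bold in "the [<detection>](#detection)**element.**" is misplaced and a space is missing before "element".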
+ +  + +For examples, see the examples for [<detection>](#detection). + +## <detects> + + +Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements. + +The <detects> element is a container for one or more <detect> elements. If all of the child <detect> elements within a <detects> element resolve to TRUE, then <detects> resolves to TRUE. If any of the child <detect> elements resolve to FALSE, then <detects> resolves to FALSE. If you do not want to write the <detects> elements within a component, then you can create the <detects> element under the <namedElements> element, and then refer to it. If there is no <detects> element section, then USMT will assume that the component is present. The results from each <detects> element are joined together by the OR operator to form the rule used to detect the parent element. + +Syntax: + +<detects name="*ID*" context="User|System|UserAndSystem"> + +</detects> + +- **Number of occurrences:** Unlimited. + +- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) + +- **Required child elements:** <detect> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

name

Yes, when <detects> is a child to <namedElements>

+

No, when <detects> is a child to <role> or <rules>

When ID is specified, no child <detect> elements are processed. Instead, any other <detects> elements with the same name that are declared within the <namedElements> element are processed.

context

No

+

(default = UserAndSystem)

Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.

+

The largest possible scope is set by the <component element>. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there.

+
    +
  • User. Evaluates the variables for each user.

  • +
  • System. Evaluates the variables only once for the system.

  • +
  • UserAndSystem. Evaluates the variables for the entire operating system and each user.

  • +
+

The context parameter is ignored for <detects> elements that are inside <rules> elements.
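Review bot: in the <detects> context row, "<component element>" should read "<component> element". Also in this section the Syntax block comes before the occurrences/parents list, whereas every other section puts Syntax after it; "Number of occurrences: Unlimited." carries a trailing period the other sections omit; and "Required child elements: <detect>" is the only such entry that is not a link, so consider [<detect>](#detect).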

+ +  + +The following example is from the MigApp.xml file. + +``` syntax + + + MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*") + + + MigXmlHelper.DoesFileVersionMatch("%SmartSuiteInstPath%\smartctr.exe","ProductVersion","99.*") + + +``` + +## <detection> + + +The <detection> element is a container for one <conditions> element. The result of the child <condition> elements, located underneath the <conditions> element, determines the result of this element. For example, if all of the child <conditions> elements within the <detection> element resolve to TRUE, then the <detection> element resolves to TRUE. If any of the child <conditions> elements resolve to FALSE, then the <detection> element resolves to FALSE. + +In addition, the results from each <detection> section within the <role> element are joined together by the OR operator to form the detection rule of the parent element. That is, if one of the <detection> sections resolves to TRUE, then the <role> element will be processed. Otherwise, the <role> element will not be processed. + +Use the <detection> element under the <namedElements> element if you do not want to write it within a component. Then include a matching <detection> section under the <role> element to control whether the component is migrated. If there is not a <detection> section for a component, then USMT will assume that the component is present. + +- **Number of occurrences:** Unlimited. + +- **Parent elements:**[<role>](#role), [<namedElements>](#namedelements) + +- **Child elements:**[<conditions>](#conditions) + +Syntax: + +<detection name="*ID*" context="User|System|UserAndSystem"> + +</detection> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

name

    +
  • Yes, when <detection> is declared under <namedElements>

  • +
  • Optional, when declared under <role>

  • +

If declared, the content of the <detection> element is ignored and the content of the <detection> element with the same name that is declared in the <namedElements> element will be evaluated.

context

No, default = UserAndSystem

Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.

+
    +
  • User. Evaluates the component for each user.

  • +
  • System. Evaluates the component only once for the system.

  • +
  • UserAndSystem. Evaluates the component for the entire operating system and each user.

  • +
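Review bot: the <detection> section mixes singular and plural: it opens with "a container for one <conditions> element", then says "if all of the child <conditions> elements within the <detection> element resolve to TRUE". Since only one <conditions> child is allowed, that sentence should be about the child <condition> elements beneath it, as the preceding sentence says. In the name row, "If declared, the content of the <detection> element is ignored ..." reads as if it applied under <namedElements> too; qualify it as "If declared under <role>", mirroring the <environment> table.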
+ +  + +For example: + +``` syntax + + + MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0") + MigXmlHelper.DoesFileVersionMatch("%PhotoshopSuite8Path%\Photoshop.exe","FileVersion","8.*") + + +``` + +and + +``` syntax + + + + MigXmlHelper.DoesFileVersionMatch("%QuickTime5Exe%","ProductVersion","QuickTime 5.*") + MigXmlHelper.DoesFileVersionMatch("%QuickTime5Exe%","ProductVersion","QuickTime 6.*") + + +``` + +## <displayName> + + +The <displayName> element is a required field within each <component> element. + +- **Number of occurrences:** once for each component + +- **Parent elements:**[<component>](#component) + +- **Child elements:** none + +Syntax: + +<displayName \_locID="*ID*">*ComponentName*</displayName> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

locID

No

This parameter is for internal USMT use. Do not use this parameter.

ComponentName

Yes

The name for the component.
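Review bot: the <displayName> Syntax line shows the attribute as \_locID (the backslash escape will render as _locID), but the table names it locID; the two should agree. Since the row says the parameter is internal and must not be used, consider dropping it from the Syntax line altogether so readers do not copy it.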

+ +  + +For example: + +``` syntax +Command Prompt settings +``` + +## <environment> + + +The <environment> element is a container for <variable> elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#envex). + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<role>](#role), [<component>](#component), [<namedElements>](#namedelements) + +- **Required child elements:**[<variable>](#variable) + +- **Optional child elements:**[conditions](#conditions) + +Syntax: + +<environment name="ID" context="User|System|UserAndSystem"> + +</environment> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

name

Yes, when <environment> is a child of <namedElements>

+

No, when <environment> is a child of <role> or <component>

When declared as a child of the <role> or <component> elements, if ID is declared, USMT ignores the content of the <environment> element and the content of the <environment> element with the same name declared in the <namedElements> element is processed.

context

No

+

(default = UserAndSystem)

Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both.

+

The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though <rules> were not there.

+
    +
  • User. Evaluates the variables for each user.

  • +
  • System. Evaluates the variables only once for the system.

  • +
  • UserAndSystem. Evaluates the variables for the entire operating system and each user.

  • +
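Review bot: "Optional child elements: [conditions](#conditions)" in the <environment> list lacks the angle brackets used for every other element link; write [<conditions>](#conditions). The "[Examples](#envex)" link points at the examples that follow this table, but that section's heading is an empty "##" with no title, so the anchor will not resolve; give it a title such as "Examples". The second example heading, "### Example scenario 2:", also carries a trailing colon that the first does not.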
+ +  + +## + + +### Example scenario 1 + +In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: + +``` syntax + + + + + +``` + +Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. + +``` syntax + + + %INSTALLPATH%\ [*.xyz] + + +``` + +Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. + +``` syntax + + + + + + Hklm\software\companyname\application\ [Path] + + + + + +``` + +### Example scenario 2: + +In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. 
To do this you must have the following <include> rule in an .xml file: + +``` syntax + + + %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt] + %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File2.txt] + %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File3.txt] + %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File4.txt] + %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File5.txt] + + +``` + +Instead of typing the path five times, you can create a variable for the location as follows: + +``` syntax + + + %SYSTEMDRIVE%\data\userdata\dir1\dir2 + + +``` + +Then, you can specify the variable in an <include> rule as follows: + +``` syntax + + + %DATAPATH% [File1.txt] + %DATAPATH% [File2.txt] + %DATAPATH% [File3.txt] + %DATAPATH% [File4.txt] + %DATAPATH% [File5.txt] + + +``` + +## <exclude> + + +The <exclude> element determines what objects will not be migrated, unless there is a more specific <include> element that migrates an object. If there is an <include> and <exclude> element for the same object, the object will be included. For each <exclude> element there can be multiple child <objectSet> elements. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Child elements:**[<objectSet>](#objectset) + +- **Helper functions:** You can use the following [<exclude> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent. + +Syntax: + +<exclude filter="*ScriptInvocation*"> + +</exclude> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

filter

No

+

(default = No)

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
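Review bot: the <exclude> filter row says Required? "No" and then "(default = No)", which is not a meaningful default for a script attribute; replace it with the statement used in the <include> table, that when no filter is given all patterns in the child <objectSet> are processed. The description beneath it is also copied from <include> ("in the include rule", "If the return value is TRUE, the object will be migrated"); for <exclude> it should say that the script runs over the objects of this exclude rule and state what TRUE and FALSE mean for exclusion.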

+ +  + +For example, from the MigUser.xml file: + +``` syntax + + + %CSIDL_MYMUSIC%\* [*] + %CSIDL_MYPICTURES%\* [*] + %CSIDL_MYVIDEO%\* [*] + + +``` + +## <excludeAttributes> + + +You can use the <excludeAttributes> element to determine which parameters associated with an object will not be migrated. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Child elements:**[<objectSet>](#objectset) + +Syntax: + +<excludeAttributes attributes="Security|TimeFields|Security,TimeFields"> + +</excludeAttributes> + + +++++ + + + + + + + + + + + + + + +
ParameterRequired?Value

attributes

Yes

Specifies the attributes to be excluded. You can specify one of the following, or both separated by quotes; for example, "Security","TimeFields":

+
    +
  • Security can be one of Owner, Group, DACL, or SACL.

  • +
  • TimeFields can be one of CreationTime, LastAccessTime and LastWrittenTime

  • +
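Review bot: in the <excludeAttributes> table, "both separated by quotes; for example, "Security","TimeFields"" does not match the Syntax line, which gives attributes="Security,TimeFields" (one quoted value, comma-separated); fix both the wording and the example. "Security can be one of Owner, Group, DACL, or SACL" reads as if those were selectable values, but the attribute only accepts Security and TimeFields; say instead that Security covers the owner, group, DACL and SACL. The header row says "Parameter" where all other tables say "Setting", and the TimeFields item is missing its terminating period.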
+ +  + +Example: + +``` syntax + + + + System Data + + + + + + %SYSTEMDRIVE%\ [*.txt] + + + + + + %SYSTEMDRIVE%\ [a*.txt] + + + + + + %SYSTEMDRIVE%\ [aa.txt] + + + + + + logoff + + + + + + + DOC + PPT + VXD + PST + CPP + + + +``` + +## <extensions> + + +The <extensions> element is a container for one or more <extension> elements. + +- **Number of occurrences:** zero or one + +- **Parent elements:**[<component>](#component) + +- **Required child elements:**[<extension>](#extension) + +Syntax: + +<extensions> + +</extensions> + +## <extension> + + +You can use the <extension> element to specify documents of a specific extension. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<extensions>](#extensions) + +- **Child elements:** none + +Syntax: + +<extension>*FilenameExtension*</extension> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

FilenameExtension

Yes

A file name extension.

+ +  + +For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: + +``` syntax + + doc + +``` + +is the same as specifying the following code below the <rules> element: + +``` syntax + + + + + +``` + +For another example of how to use the <extension> element, see the example for [<excludeAttributes>](#excludeattributes). + +## <externalProcess> + + +You can use the <externalProcess> element to run a command line during the migration process. For example, you may want to run a command after the LoadState process completes. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child elements:**[<commandLine>](#commandline) + +Syntax: + +<externalProcess when="pre-scan|scan-success|post-scan|pre-apply|apply-success|post-apply"> + +</externalProcess> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

when

Yes

Indicates when the command line should be run. This value can be one of the following:

+
    +
  • pre-scan before the scanning process begins.

  • +
  • scan-success after the scanning process has finished successfully.

  • +
  • post-scan after the scanning process has finished, whether it was successful or not.

  • +
  • pre-apply before the apply process begins.

  • +
  • apply-success after the apply process has finished successfully.

  • +
  • post-apply after the apply process has finished, whether it was successful or not.

  • +
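Review bot: the <externalProcess> section documents a command-execution hook (a command line run at pre-scan, scan-success, post-scan, pre-apply, apply-success or post-apply) but says nothing about the security context it runs in or the trust placed in the .xml file; add a sentence stating which account and privileges the command line inherits from ScanState/LoadState, and that migration .xml files must be protected from modification, since anyone who can edit them can run commands on every computer the migration touches. In the `when` list, each value runs straight into its description ("pre-scan before the scanning process begins."); put a period after the value name as the other value lists in this file do ("User. Evaluates ...").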
+ +  + +For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes). + +## <icon> + + +This is an internal USMT element. Do not use this element. + +## <include> + + +The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child element:**[<objectSet>](#objectset) + +- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore. + +Syntax: + +<include filter="*ScriptInvocation*"> + +</include> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

filter

No.

+

If this parameter is not specified, then all patterns that are inside the child <ObjectSet> element will be processed.

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.

+ +  + +The following example is from the MigUser.xml file: + +``` syntax + + My Video + + %CSIDL_MYVIDEO% + + + + + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%") + + + + + + %CSIDL_MYVIDEO%\* [*] + + + + + %CSIDL_MYVIDEO% [desktop.ini] + + + + + +``` + +### <include> and <exclude> filter functions + +The following functions return a Boolean value. You can use them to migrate certain objects based on when certain conditions are met. + +- **AnswerNo** + + This filter always returns FALSE. + + Syntax: AnswerNo () + +- **CompareStringContent** + + Syntax: CompareStringContent("*StringContent*","*CompareType*") + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

StringContent

Yes

The string to check against.

CompareType

Yes

A string. Use one of the following values:

+
    +
  • Equal (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to StringContent.

  • +
  • NULL or any other value. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match StringContent.

  • +
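Review bot: "You can use them to migrate certain objects based on when certain conditions are met" is awkward; "based on whether certain conditions are met" is clearer. CompareStringContent is the only function in this list with no description sentence before its Syntax line; add one. "Syntax: AnswerNo ()" has a space before the parentheses where NeverRestore() has none. In the CompareType row, "NULL or any other value" means any CompareType other than Equal inverts the test; say that explicitly, because a typo in the value silently flips the rule's meaning.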
+ +   + +- **IgnoreIrrelevantLinks** + + This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool. + + Syntax: IgnoreIrrelevantLinks () + + For example: + + ``` syntax + + + %CSIDL_COMMON_VIDEO%\* [*] + + + ``` + +- **NeverRestore** + + You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the ScanState tool, this function evaluates to TRUE. When run with the LoadState tool, this function evaluates to FALSE. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination. + + Syntax: NeverRestore() + + In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer: + + ``` syntax + + + HKCU\Control Panel\International [Locale] + + + ``` + +## <includeAttributes> + + +You can use the <includeAttributes> element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the <includeAttributes> and <excludeAttributes> elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an <includeAttributes> or <excludeAttributes> element, then all of its parameters will be migrated. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Child elements:**[<objectSet>](#objectset) + +Syntax: + +<includeAttributes attributes="Security|TimeFields|Security,TimeFields"> + +</includeAttributes> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

attributes

Yes

Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, "Security","TimeFields":

+
    +
  • Security can be one of the following values:

    +
      +
    • Owner. The owner of the object (SID).

    • +
    • Group. The primary group for the object (SID).

    • +
    • DACL (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

    • +
    • SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

    • +
  • +
  • TimeFields can be one of the following:

    +
      +
    • CreationTime. Specifies when the file or directory was created.

    • +
    • LastAccessTime. Specifies when the file is last read from, written to, or, in the case of executable files, run.

    • +
    • LastWrittenTime. Specifies when the file is last written to, truncated, or overwritten.

    • +
  • +
+ +  + +For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes). + +## <library> + + +This is an internal USMT element. Do not use this element. + +## <location> + + +The <location> element defines the location of the <object> element. + +- **Number of occurrences:** once for each <object> + +- **Parent elements:**[<object>](#object) + +- **Child elements:**[<script>](#script) + +Syntax: + +<location type="*typeID*">*ObjectLocation*</location> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

type

Yes

typeID can be Registry or File.

ObjectLocation

Yes

The location of the object.

+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] + DWORD + 0B000000 + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] + DWORD + 00000000 + + +``` + +## <locationModify> + + +You can use the <locationModify> element to change the location and name of an object before it is migrated to the destination computer. The <locationModify> element is processed only when the LoadState tool is run on the destination computer. In other words, this element is ignored by the ScanState tool. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. + +**Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child element:**[<objectSet>](#objectset) + +- **Helper functions:** You can use the following [<locationModify> functions](#locationmodifyfunctions) with this element: ExactMove, RelativeMove, and Move. + +Syntax: + +<locationModify script="*ScriptInvocation*"> + +</locationModify> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

script

Yes

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.
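Review bot: the script row of <locationModify> reuses the filter-attribute wording ("The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated"), which does not describe this attribute: the helper functions listed for it (ExactMove, RelativeMove, Move) change an object's location and name, not whether it migrates. Also "**Number of occurrences:** Unlimited" is missing the "- " list marker the other entries in this list have, so it renders as a loose paragraph.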

+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + + %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip] + + +``` + +### <locationModify> functions + +The following functions change the location of objects as they are migrated when using the <locationModify> element. These functions are called for every object that the parent <ObjectSet> element is enumerating. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. + +- **ExactMove** + + The ExactMove function moves all of the objects that are matched by the parent <ObjectSet> element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply. + + Syntax: ExactMove(*ObjectEncodedLocation*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectEncodedLocation

Yes

The destination [location](#locations) for all of the source objects.

+ +   + + For example: + + ``` syntax + + + HKCU\Keyboard Layout\Toggle [] + + + ``` + +- **Move** + + The Move function moves objects to a different location on the destination computer. In addition, this function creates subdirectories that were above the longest CSIDL in the source object name. + + Syntax: Move(*DestinationRoot*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

DestinationRoot

Yes

The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name.

+ +   + +- **RelativeMove** + + You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers. + + Syntax: RelativeMove(*SourceRoot*,*DestinationRoot*) + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

SourceRoot

Yes

The location from where the objects will be moved. Any source objects that are enumerated by the parent <ObjectSet> element that are not in this location will not be moved.

DestinationRoot

Yes

The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above SourceRoot.

+ +   + + For example: + + ``` syntax + + + %CSIDL_COMMON_FAVORITES%\* [*] + + + + + %CSIDL_COMMON_FAVORITES%\* [*] + + + ``` + +## <\_locDefinition> + + +This is an internal USMT element. Do not use this element. + +## <manufacturer> + + +The <manufacturer> element defines the manufacturer for the component, but does not affect the migration. + +- **Number of occurrences:** zero or one + +- **Parent elements:**[<component>](#component) + +- **Child elements:** none + +Syntax: + +<manufacturer>*Name*</manufacturer> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

Name

Yes

The name of the manufacturer for the component.

+ +  + +## <merge> + + +The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific. + +For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child element:**[<objectSet>](#objectset) + +- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue(). + +Syntax: + +<merge script="*ScriptInvocation*"> + +</merge> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

script

Yes

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.

+ +  + +The following example is from the MigUser.xml file: + +``` syntax + + + + %CSIDL_MYVIDEO%\* [*] + + + + + %CSIDL_MYVIDEO% [desktop.ini] + + + +``` + +### <merge> functions + +These functions control how collisions are resolved. + +- **DestinationPriority** + + Specifies to keep the object that is on the destination computer and not migrate the object from the source computer. + + For example: + + ``` syntax + + + HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures] + HKCU\Software\Microsoft\Office\9.0\PhotoDraw\Settings\ [PicturesPath] + HKCU\Software\Microsoft\Office\9.0\PhotoDraw\Settings\ [AdditionalPlugInPath] + + + ``` + +- **FindFilePlaceByPattern** + + The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: <F>, <E>, <N> in any order. + + Syntax: FindFilePlaceByPattern(*FilePattern*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

FilePattern

Yes

    +
  • <F> will be replaced by the original file name.

  • +
  • <N> will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.

  • +
  • <E> will be replaced by the original file name extension.

  • +
+

For example, <F> (<N>).<E> will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer.

+ +   + +- **NewestVersion** + + The NewestVersion function will resolve conflicts on the destination computer based on the version of the file. + + Syntax: NewestVersion(*VersionTag*) + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

VersionTag

Yes

The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest VersionTag version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.

+ +   + +- **HigherValue()** + + You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged. + +- **LowerValue()** + + You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged. + +- **SourcePriority** + + Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer. + + For example: + + ``` syntax + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion] + %HklmWowSoftware%\Microsoft\Office\11.0\Common\Migration\Publisher [UpgradeVersion] + %HklmWowSoftware%\Microsoft\Office\10.0\Common\Migration\Publisher [UpgradeVersion] + + + ``` + +## <migration> + + +The <migration> element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: <CustomFileName> is the name of the file; for example, "CustomApp". + +- **Number of occurrences:** one + +- **Parent elements:** none + +- **Required child elements:**[<component>](#component) + +- **Optional child elements:**[<library>](#library), [<namedElements>](#namedelements) + +Syntax: + +<migration urlid="*UrlID/*Name"> + +</migration> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

urlid

Yes

UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see [Use XML Namespaces](http://go.microsoft.com/fwlink/p/?LinkId=220938).

Name

No

Although not required, it is good practice to use the name of the .xml file.

+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + +``` + +## MigXMLHelper.FileProperties + + +This filter helper function can be used to filter the migration of files based on file size and date attributes. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Helper FunctionMigXMLHelper.FileProperties (property, operator, valueToCompare)

Property

filesize, dateCreated, dateModified, dateAccessed

Operator

range, neq, lte, lt, eq, gte, gt

valueToCompare

The value we are comparing. For example:

+

Date: “2008/05/15-2005/05/17”, “2008/05/15”

+

Size: A numeral with B, KB, MB, or GB at the end. “5GB”, “1KB-1MB”

+ +  + +``` syntax + +File_size + + + + + + %SYSTEMDRIVE%\DOCS\* [*] + + + + + +``` + +## <namedElements> + + +You can use the **<namedElements>** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the MigApp.xml file. + +Syntax: + +<namedElements> + +</namedElements> + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<migration>](#migration) + +- **Child elements:**[<environment>](#bkmk-environment), [<rules>](#rules), [<conditions>](#conditions), [<detection>](#detection), <detects>, <detect> + +For an example of this element, see the MigApp.xml file. + +## <object> + + +The <object> element represents a file or registry key. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<addObjects>](#addobjects) + +- **Required child elements:**[<location>](#location), [<attributes>](#attribute) + +- **Optional child elements:**[<bytes>](#bytes) + +Syntax: + +<object> + +</object> + +The following example is from the MigApp.xml file: + +``` syntax + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] + DWORD + 0B000000 + + + %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] + DWORD + 00000000 + + +``` + +## <objectSet> + + +The <objectSet> element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child <conditions> elements will be evaluated first. If all child <conditions> elements return FALSE, the <objectSet> element will evaluate to an empty set. For each parent element, there can be only multiple <objectSet> elements. 
+ +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<variable>](#variable), [<content>](#content), [<include>](#include), [<exclude>](#exclude), [<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [<unconditionalExclude>](#unconditionalexclude), <detect> + +- **Required child elements:** either [<script>](#script) or [<pattern>](#pattern) + +- **Optional child elements:**[<content>](#content), [conditions](#conditions), <condition> + +Syntax: + +<objectSet> + +</objectSet> + +The following example is from the MigUser.xml file: + +``` syntax + + My Music + + %CSIDL_MYMUSIC% + + + + + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%") + + + + + + %CSIDL_MYMUSIC%\* [*] + + + + + %CSIDL_MYMUSIC%\ [desktop.ini] + + + + + +``` + +## <path> + + +This is an internal USMT element. Do not use this element. + +## <paths> + + +This is an internal USMT element. Do not use this element. + +## <pattern> + + +You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: + +``` syntax +C:\Folder\* [Sample.doc] + +``` + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<objectSet>](#objectset) + +- **Child elements:** none but *Path* \[*object*\] must be valid. + +Syntax: + +<pattern type="*typeID*">*Path* \[*object*\]</pattern> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

type

Yes

typeID can be Registry, File, or Ini. If typeId is Ini, then you cannot have a space between Path and object. For example, the following is correct when type="Ini":

+

<pattern type="Ini">%WinAmp5InstPath%\Winamp.ini|WinAmp[keeponscreen]</pattern>

Path [object]

Yes

A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated.

+
    +
  • Path can contain the asterisk (*) wildcard character or can be an [Recognized Environment Variables](usmt-recognized-environment-variables.md). You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.

  • +
  • Object can contain the asterisk (*) wildcard character. However, you cannot use the question mark as a wildcard character. For example:

    +

    C:\Folder\ [*] enumerates all files in C:\Path but no subfolders of C:\Folder.

    +

    C:\Folder\* [*] enumerates all files and subfolders of C:\Folder.

    +

    C:\Folder\ [*.mp3] enumerates all .mp3 files in C:\Folder.

    +

    C:\Folder\ [Sample.doc] enumerates only the Sample.doc file located in C:\Folder.

    +
    +Note   +

    If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.

    +
    +
    +  +
  • +
+ +  + +For example: + +- To migrate a single registry key: + + ``` syntax + HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] + ``` + +- To migrate the EngineeringDrafts folder and any subfolders from the C: drive: + + ``` syntax + C:\EngineeringDrafts\* [*] + ``` + +- To migrate only the EngineeringDrafts folder, excluding any subfolders, from the C: drive: + + [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +- To migrate the Sample.doc file from C:\\EngineeringDrafts: + + ``` syntax + C:\EngineeringDrafts\ [Sample.doc] + ``` + +- To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. + + ``` syntax + C:\* [Sample.doc] + ``` + +- For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), [Include Files and Settings](usmt-include-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md). + +## <processing> + + +You can use this element to run a script during a specific point within the migration process. Return values are not expected from the scripts that you specify, and if there are return values, they will be ignored. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<rules>](#rules) + +- **Required child element:**[<script>](#script) + +Syntax: + +<processing when="pre-scan|scan-success|post-scan|pre-apply|apply-success|post-apply"> + +</processing> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

when

Yes

Indicates when the script should be run. This value can be one of the following:

+
    +
  • pre-scan means before the scanning process begins.

  • +
  • scan-success means after the scanning process has finished successfully.

  • +
  • post-scan means after the scanning process has finished, whether it was successful or not.

  • +
  • pre-apply means before the apply process begins.

  • +
  • apply-success means after the apply process has finished successfully.

  • +
  • post-apply means after the apply process has finished, whether it was successful or not.

  • +
+ +  + +## <plugin> + + +This is an internal USMT element. Do not use this element. + +## <role> + + +The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here. + +- **Number of occurrences:** Each <component> can have one, two or three child <role> elements. + +- **Parent elements:**[<component>](#component), [<role>](#role) + +- **Required child elements:**[<rules>](#rules) + +- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>, + +Syntax: + +<role role="Container|Binaries|Settings|Data"> + +</role> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

role

Yes

Defines the role for the component. Role can be one of:

+
    +
  • Container

  • +
  • Binaries

  • +
  • Settings

  • +
  • Data

  • +
+

You can either:

+
    +
  1. Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.

  2. +
  3. Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:

  4. +
+
<component context="UserAndSystem" type="Application">
+  <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName> 
+  <environment name="GlobalEnv" /> 
+  <role role="Container">
+    <detection name="AnyOffice2003Version" /> 
+    <detection name="FrontPage2003" /> 
+    <!-- 
+ Office 2003 Common Settings 
+  --> 
+    <component context="UserAndSystem" type="Application">
+ +  + +The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: + +``` syntax + + Start Menu + + %CSIDL_STARTMENU% + + + + + MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%") + + + + + + %CSIDL_STARTMENU%\* [*] + + + + + %CSIDL_STARTMENU% [desktop.ini] + %CSIDL_STARTMENU%\* [*] + + + + + +``` + +## <rules> + + +The <rules> element is required in a custom .xml file. This element contains rules that will run during the migration if the parent <component> element is selected, unless the child <conditions> element, if present, evaluates to FALSE. For each <rules> element there can be multiple child <rules> elements. + +- **Number of occurrences:** unlimited + +- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements) + +- **Required child elements:**[<include>](#include) + +- **Optional child elements:**[<rules>](#rules), [<exclude>](#exclude), [<unconditionalExclude>](#unconditionalexclude),[<merge>](#merge), [<contentModify>](#contentmodify), [<locationModify>](#locationmodify), [<destinationCleanup>](#destinationcleanup), [<addObjects>](#addobjects), [<externalProcess>](#externalprocess), [<processing>](#processing), [<includeAttributes>](#includeattributes), [<excludeAttributes>](#excludeattributes), [conditions](#conditions), <detects> + +Syntax: + +<rules name="*ID*" context="User|System|UserAndSystem"> + +</rules> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

name

Yes, when <rules> is a child to <namedElements>

+

No, when <rules> is a child to any other element

When ID is specified, any child elements are not processed. Instead, any other <rules> elements with the same name that are declared within <namedElements> are processed.

context

No

+

(default = UserAndSystem)

Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both.

+

The largest possible scope is set by the component element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If <rules> had a context of System, it would act as though <rules> was not there.

+
    +
  • User. Evaluates the variables for each user.

  • +
  • System. Evaluates the variables only once for the system.

  • +
  • UserAndSystem. Evaluates the variables for the entire operating system and each user.

  • +
+ +  + +The following example is from the MigUser.xml file: + +``` syntax + + My Music + + %CSIDL_MYMUSIC% + + + + + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%") + + + + + + %CSIDL_MYMUSIC%\* [*] + + + + + %CSIDL_MYMUSIC%\ [desktop.ini] + + + + + +``` + +## <script> + + +The return value that is required by <script> depends on the parent element. + +**Number of occurrences:** Once for [<variable>](#variable), unlimited for [<objectSet>](#objectset) and [<processing>](#processing) + +**Parent elements:**[<objectSet>](#objectset), [<variable>](#variable), [<processing>](#processing) + +**Child elements:** none + +**Syntax and helper functions:** + +- General Syntax: <script>*ScriptWithArguments*</script> + +- You can use [GetStringContent](#scriptfunctions) when <script> is within <variable>. + + Syntax: <script>MigXmlHelper.GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")</script> + + Example:` ` + +- You can use [GenerateUserPatterns](#scriptfunctions) when <script> is within <objectSet>. + + Syntax: <script>MigXmlHelper.GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")</script> + + Example: `` + +- You can use [GenerateDrivePatterns](#scriptfunctions) when <script> is within <objectSet>. + + Syntax: <script>MigXmlHelper.GenerateDrivePatterns("*PatternSegment*","*DriveType*")</script> + + Example: `` + +- You can use the [Simple executing scripts](#scriptfunctions) with <script> elements that are within <processing> elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM. + + Syntax: <script>MigXmlHelper.*ExecutingScript*</script> + + Example: `` + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

ScriptWithArguments

Yes

A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, MyScripts.AScript ("Arg1","Arg2").

+

The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.

+

The return value that is required by <script> depends on the parent element.

+
    +
  • When used within <variable>, the return value must be a string.

  • +
  • When used within <objectSet>, the return value must be a two-dimensional array of strings.

  • +
  • When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location.

    +
    +Note   +

    If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.

    +
    +
    +  +
  • +
+ +  + +Examples: + +To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. + +``` syntax + +``` + +For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md). + +### <script> functions + +You can use the following functions with the <script> element + +- [String and pattern generating functions](#stringgeneratingfunctions) + +- [Simple executing scripts](#simple) + +### String and pattern generating functions + +These functions return either a string or a pattern. + +- **GetStringContent** + + You can use GetStringContent with <script> elements that are within <variable> elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL. + + Syntax: GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType

Yes

The type of object. Can be Registry or Ini (for an .ini file).

EncodedLocationPattern

Yes

    +
  • If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[].

  • +
  • If the type of object is Ini, then EncodedLocationPattern must be in the following format:

    +

    IniFilePath|SectionName[SettingName]

  • +

ExpandContent

No (default=TRUE)

Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned.

+ +   + + For example: + + ``` syntax + + + + ``` + +- **GenerateDrivePatterns** + + The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>. + + Syntax: GenerateDrivePatterns("*PatternSegment*","*DriveType*") + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

PatternSegment

Yes

The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:\", to form a complete [encoded file pattern](#locations). For example, "* [*.doc]". PatternSegment cannot be an environment variable.

DriveType

Yes

The drive type for which the patterns are to be generated. You can specify one of:

+
    +
  • Fixed

  • +
  • CDROM

  • +
  • Removable

  • +
  • Remote

  • +
+ +   + + See the last component in the MigUser.xml file for an example of this element. + +- **GenerateUserPatterns** + + The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns: + + - "C:\\Documents and Settings\\A\\\* \[\*.doc\]" + + - "C:\\Documents and Settings\\B\\\* \[\*.doc\]" + + - "C:\\Documents and Settings\\C\\\* \[\*.doc\]" + + Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ObjectType

Yes

Defines the object type. Can be File or Registry.

EncodedLocationPattern

Yes

The [location pattern](#locations). Environment variables are allowed.

ProcessCurrentUser

Yes

Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.

+ +   + + **Example:** + + If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile. + + The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. + + ``` syntax + + + + + + + + + %ProfilesFolder%\* [*.doc] + + + + + + + %ProfilesFolder%\* [*.doc] + + + + + + + + + ``` + +### MigXmlHelper.GenerateDocPatterns + +This helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either System or User context to focus the scan. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

ScanProgramFiles

No (default = FALSE)

Can be TRUE or FALSE. The ScanProgramFiles parameter determines whether or not the document finder scans the Program Files directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop.

IncludePatterns

No (default = TRUE)

Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the <include> element. FALSE will generate exclude patterns and can be added under the <exclude> element.

SystemDrive

No (default = FALSE)

Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive.

+ +  + +``` syntax +  +    MigDocUser +    +      +        +          +            +          +        +        +          +            +          +        +      +    +``` + +### Simple executing scripts + +The following scripts have no return value. You can use the following errors with <script> elements that are within <processing> elements + +- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: + + ``` syntax + + + + ``` + +- **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value. + +- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: + + ``` syntax + + + + ``` + +- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: + + ``` syntax + + + + ``` + +- **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer. + +- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: + + ``` syntax + + + + ``` + +- **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see [this Microsoft Web site](http://go.microsoft.com/fwlink/p/?LinkId=267898). + +- **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. 
+ +- **SyncSCM(ServiceShortName).** Reads the Start type value from the registry (HKLM\\System\\CurrentControlSet\\Services\\ServiceShortName \[Start\]) after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value. + +## <text> + + +You can use the <text> element to set a value for any environment variables that are inside one of the migration .xml files. + +- **Number of occurrences:** Once in each [<variable>](#variable) element. + +- **Parent elements:**[<variable>](#variable) + +- **Child elements:** None. + +Syntax: + +<text>*NormalText*</text> + + ++++ + + + + + + + + + + + + +
SettingValue

NormalText

This is interpreted as normal text.

+ +  + +For example: + +``` syntax + + %CSIDL_COMMON_APPDATA%\QuickTime + +``` + +## <unconditionalExclude> + + +The <unconditionalExclude> element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the Config.xml file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit <include> rules to include .mp3 files, if you specify to exclude them with this option, then they will not be migrated. + +Use this element if you want to exclude all .mp3 files from the source computer. Or, if you are backing up C:\\UserData using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer. + +- **Number of occurrences:** Unlimited. + +- **Parent elements:**[<rules>](#rules) + +- **Child elements:**[<objectSet>](#objectset) + +Syntax: + +<unconditionalExclude></unconditionalExclude> + +The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). + +``` syntax + + + Test + + + + + + + + + + + +``` + +## <variable> + + +The <variable> element is required in an <environment> element. For each <variable> element there must be one <objectSet>, <script>, or <text> element. The content of the <variable> element assigns a text value to the environment variable. This element has the following three options: + +1. If the <variable> element contains a <text> element, then the value of the variable element will be the value of the <text> element. + +2. 
If the <variable> element contains a <script> element and the invocation of the script produces a non-null string, then the value of the <variable> element will be the result of the script invocation. + +3. If the <variable> element contains an <objectSet> element and the evaluation of the <objectSet> element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element. + +- **Number of occurrences:** Unlimited + +- **Parent elements:**[<environment>](#bkmk-environment) + +- **Required child elements:** either [<text>](#text), or [<script>](#script), or [<objectSet>](#objectset) + +Syntax: + +<variable name="*ID*" remap=TRUE|FALSE> + +</variable> + + +++++ + + + + + + + + + + + + + + + + + + + +
SettingRequired?Value

name

Yes

ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify MyComponent.InstallPath.

remap

No, default = FALSE

Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer.

+ +  + +The following example is from the MigApp.xml file: + +``` syntax + + + HKLM\Software + + + + + +``` + +## <version> + + +The <version> element defines the version for the component, but does not affect the migration. + +- **Number of occurrences:** zero or one + +- **Parent elements:**[<component>](#component) + +- **Child elements:** none + +Syntax: + +<version>*ComponentVersion*</version> + + +++++ + + + + + + + + + + + + + + +
SettingRequired?Value

ComponentVersion

Yes

The version of the component, which can contain patterns.

+ +  + +For example: + +``` syntax +4.* +``` + +## <windowsObjects> + + +The <windowsObjects> element is for USMT internal use only. Do not use this element. + +## Appendix + + +### Specifying locations + +- **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + + For example, specify the file C:\\Windows\\Notepad.exe like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory C:\\Windows\\System32 like this: `c:\Windows\System32`. (Notice the absence of the \[\] construct.) + + Representing the registry is very similar. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key will be `HKLM\SOFTWARE\MyKey[]`. + +- **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. + + For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories. But it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`. + +### Internal USMT functions + +The following functions are for internal USMT use only. Do not use them in an .xml file. 
+ +- AntiAlias + +- ConvertScreenSaver + +- ConvertShowIEOnDesktop + +- ConvertToOfficeLangID + +- MigrateActiveDesktop + +- MigrateAppearanceUPM + +- MigrateDisplayCS + +- MigrateDisplaySS + +- MigrateIEAutoSearch + +- MigrateMouseUPM + +- MigrateSoundSysTray + +- MigrateTaskBarSS + +- SetPstPathInMapiStruc + +### Valid version tags + +You can use the following version tags with various helper functions: + +- “CompanyName” + +- “FileDescription” + +- “FileVersion” + +- “InternalName” + +- “LegalCopyright” + +- “OriginalFilename” + +- “ProductName” + +- “ProductVersion” + +The following version tags contain values that can be compared: + +- “FileVersion” + +- “ProductVersion” + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/usmt-xml-reference.md b/windows/deploy/usmt-xml-reference.md new file mode 100644 index 0000000000..49d7403f8f --- /dev/null +++ b/windows/deploy/usmt-xml-reference.md @@ -0,0 +1,73 @@ +--- +title: USMT XML Reference (Windows 10) +description: USMT XML Reference +ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# USMT XML Reference + + +This section contains topics that you can use to work with and to customize the migration XML files. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

[Understanding Migration XML Files](understanding-migration-xml-files.md)

Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.

[Config.xml File](usmt-configxml-file.md)

Describes the Config.xml file and policies concerning its configuration.

[Customize USMT XML Files](usmt-customize-xml-files.md)

Describes how to customize USMT XML files.

[Custom XML Examples](usmt-custom-xml-examples.md)

Gives examples of XML files for various migration scenarios.

[Conflicts and Precedence](usmt-conflicts-and-precedence.md)

Describes the precedence of migration rules and how conflicts are handled.

[General Conventions](usmt-general-conventions.md)

Describes the XML helper functions.

[XML File Requirements](xml-file-requirements.md)

Describes the requirements for custom XML files.

[Recognized Environment Variables](usmt-recognized-environment-variables.md)

Describes environment variables recognized by USMT.

[XML Elements Library](usmt-xml-elements-library.md)

Describes the XML elements and helper functions for authoring migration XML files to use with USMT.

+ +  + +  + +  + + + + + diff --git a/windows/deploy/vamt-known-issues.md b/windows/deploy/vamt-known-issues.md new file mode 100644 index 0000000000..61a3218417 --- /dev/null +++ b/windows/deploy/vamt-known-issues.md @@ -0,0 +1,31 @@ +--- +title: VAMT Known Issues (Windows 10) +description: VAMT Known Issues +ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# VAMT Known Issues + + +The following list contains the current known issues with the Volume Activation Management Tool (VAMT) 3.0. + +- The VAMT Windows Management Infrastructure (WMI) remote operations may take longer to execute if the target computer is in a sleep or standby state. + +- Recovery of Non-Genuine computers is a two-step process. VAMT can be used to install a new product key and activate the computer. However, the computer itself must visit the [Windows Genuine Advantage](http://go.microsoft.com/fwlink/p/?linkid=182914) Web site to revalidate the computer's Genuine status. Upon successfully completing this step, the computer will be restored to full functionality. For more information on recovering Non-Genuine Windows computers, go to [Windows Volume Activation](http://go.microsoft.com/fwlink/p/?linkid=184668). + +- When opening a Computer Information List (.cil file) saved in a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information. + +- The remaining activation count can only be retrieved for MAKs. + +  + +  + + + + + diff --git a/windows/deploy/vamt-requirements.md b/windows/deploy/vamt-requirements.md new file mode 100644 index 0000000000..4c152fa860 --- /dev/null +++ b/windows/deploy/vamt-requirements.md 
@@ -0,0 +1,37 @@ +--- +title: VAMT Requirements (Windows 10) +description: VAMT Requirements +ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# VAMT Requirements +This topic includes info about the product key and system requirements for VAMT. + +## Product Key Requirements +The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. + +|Product key type |Where to obtain | +|-----------------|----------------| +|
  • Multiple Activation Key (MAK)
  • Key Management Service (KMS) host key (CSVLK)
  • KMS client setup keys (GVLK)
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](http://go.microsoft.com/fwlink/p/?LinkId=227282). | +|Retail product keys |Obtained at time of product purchase. | + +## System Requirements +The following table lists the system requirements for the VAMT host computer. + +|Item |Minimum system requirement | +|-----|---------------------------| +|Computer and Processor |1 GHz x86 or x64 processor | +|Memory |1 GB RAM for x86 or 2 GB RAM for x64 | +|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 | +|External Drive|Removable media (Optional) | +|Display |1024x768 or higher resolution monitor | +|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS | +|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. | +|Additional Requirements |
  • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
  • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](http://go.microsoft.com/fwlink/p/?LinkId=218356).
  • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
| + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) \ No newline at end of file diff --git a/windows/deploy/vamt-step-by-step.md b/windows/deploy/vamt-step-by-step.md new file mode 100644 index 0000000000..f1140f50a6 --- /dev/null +++ b/windows/deploy/vamt-step-by-step.md @@ -0,0 +1,32 @@ +--- +title: VAMT Step-by-Step Scenarios (Windows 10) +description: VAMT Step-by-Step Scenarios +ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# VAMT Step-by-Step Scenarios +This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. + +## In this Section + +|Topic |Description | +|------|------------| +|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | + +## Related topics +- [Introduction to VAMT](introduction-vamt.md) + +  + +  + + + + + 
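Review bot: In the <unconditionalExclude> section of the XML elements library hunk, the fenced example introduced by "The following .xml file excludes all .mp3 files from migration" contains only the word "Test" and blank lines, and the <variable> example "from the MigApp.xml file" contains only "HKLM\Software": the element markup has been stripped, so neither block shows the XML the sentence promises and both need to be restored. The same stripping will recur at render time for the headings "## <unconditionalExclude>", "## <variable>", "## <version>" and the bare "Syntax:" lines such as "<unconditionalExclude></unconditionalExclude>", which a Markdown renderer treats as HTML tags and drops; wrap them in backticks or escape the angle brackets. The <variable> syntax line also shows `remap=TRUE|FALSE` without quotes, but XML attribute values must be quoted, so write `remap="TRUE|FALSE"`. Finally, the setting tables for <variable> and <version> survive only as the "+++++" residue followed by "SettingRequired?Value" rows; rebuild them as "|Setting |Required? |Value |" pipe tables like the ones used in vamt-requirements.md in this same change.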
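Review bot: The "In This Section" table in usmt-xml-reference.md has lost its table markup: after the "+++++" residue the topic links and their descriptions appear as bare alternating lines (for example "[Understanding Migration XML Files](understanding-migration-xml-files.md)" followed by "Provides an overview of the default and custom migration XML files ..."), so readers get a run of unlabelled paragraphs. Rebuild it as a two-column "|Topic |Description |" pipe table, as vamt-step-by-step.md does in this change, and drop the trailing run of empty lines and non-breaking spaces at the end of the file.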
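Review bot: The two go.microsoft.com/fwlink links in vamt-known-issues.md ("?linkid=182914" and "?linkid=184668") are plain http:// URLs; since the surrounding bullet sends the user to a site that "revalidate[s] the computer's Genuine status", link with https:// so the redirect is not fetched over an unauthenticated channel. The trailing block of empty lines and non-breaking spaces before the next file header should also be trimmed.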
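Review bot: The "Product key type" and "Additional Requirements" cells in vamt-requirements.md spread one table row across several lines ("|" on one line, then "• Multiple Activation Key (MAK)" and the other bullets on following lines, then "|Volume licensing keys can only be obtained ..."), which GitHub-flavored Markdown pipe tables do not support: each row must be a single line, so the bullets need to be joined with <br> or moved out of the table into a list. Please also confirm that ".NET Framework 3.51" in the last bullet is the intended version string (that release is normally written 3.5 SP1), change the http:// fwlink URLs (LinkId=227282, LinkId=218356) to https://, and add the final newline flagged by "\ No newline at end of file".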
diff --git a/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md new file mode 100644 index 0000000000..233beb97f0 --- /dev/null +++ b/windows/deploy/verify-the-condition-of-a-compressed-migration-store.md 
@@ -0,0 +1,123 @@ +--- +title: Verify the Condition of a Compressed Migration Store (Windows 10) +description: Verify the Condition of a Compressed Migration Store +ms.assetid: 4a3fda96-5f7d-494a-955f-6b865ec9fcae +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Verify the Condition of a Compressed Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains: + +- All of the files being migrated. + +- The user’s settings. + +- A catalog file that contains metadata for all files in the migration store. + +When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings. + +When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are: + +- **Catalog**: Displays the status of only the catalog file. + +- **All**: Displays the status of all files, including the catalog file. + +- **Failure only**: Displays only the files that are corrupted. + +## In This Topic + + +The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file. 
+ +- [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax) + +- [To verify that the migration store is intact](#bkmk-verifyintactstore) + +- [To verify the status of only the catalog file](#bkmk-verifycatalog) + +- [To verify the status of all files](#bkmk-verifyallfiles) + +- [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted) + +### The UsmtUtils Syntax for the /verify Option + +To verify the condition of a compressed migration store, use the following UsmtUtils syntax: + +cd /d<USMTpath>usmtutils /verify\[:<reportType>\] <filePath> \[/l:<logfile>\] \[/decrypt \[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<reportType>* specifies whether to report on all files, corrupted files only, or the status of the catalog. + +- *<filePath>* is the location of the compressed migration store. + +- *<logfile>* is the location and name of the log file. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. + +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To Verify that the Migration Store is Intact + +To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type: + +``` syntax +usmtutils /verify D:\MyMigrationStore\store.mig +``` + +Because no report type is specified, UsmtUtils displays the default summary report. 
+ +### To Verify the Status of Only the Catalog File + +To verify whether the catalog file is corrupted or intact, type: + +``` syntax +usmtutils /verify:catalog D:\MyMigrationStore\store.mig +``` + +### To Verify the Status of all Files + +To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type: + +`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm. + +### To Verify the Status of the Files and Return Only the Corrupted Files + +In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted. + +``` syntax +usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt +``` + +This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key. + +### Next Steps + +If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +  + +  + + + + + diff --git a/windows/deploy/volume-activation-management-tool.md b/windows/deploy/volume-activation-management-tool.md new file mode 100644 index 0000000000..9c084effad --- /dev/null +++ b/windows/deploy/volume-activation-management-tool.md 
@@ -0,0 +1,57 @@ +--- +title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) +description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. +ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Volume Activation Management Tool (VAMT) Technical Reference +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. + +VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: + +- Windows® 7 + +- Windows 8 + +- Windows 8.1 + +- Windows 10 + +- Windows Server 2008 R2 + +- Windows Server® 2012 + +- Windows Server 2012 R2 + +**Important**   +VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of **Windows XP** or **Windows Server 2003** cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed. + +VAMT is only available in an EN-US (x86) package. + +## In this Section +|Topic |Description | +|------|------------| +|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. 
| +|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | +|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | +|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | +|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | +|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | +|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | +|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | +|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | + +  + +  + +  + + + + + diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md new file mode 100644 index 0000000000..6801b087cd --- /dev/null +++ b/windows/deploy/volume-activation-windows-10.md 
@@ -0,0 +1,86 @@ +--- +title: Volume Activation for Windows 10 (Windows 10) +description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. +ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2 +keywords: ["vamt", "volume activation", "activation", "windows activation"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Volume Activation for Windows 10 +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for volume licensing information?** + +- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](http://go.microsoft.com/fwlink/p/?LinkId=620104) + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](http://go.microsoft.com/fwlink/p/?LinkId=618644) + +This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. + +*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as Open and Select) and to participants in programs such as the Microsoft Partner Program and MSDN Subscriptions. + +Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. 
Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. + +This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features that are available in Windows 10 and Windows Server 2012 R2 and the tools that are provided in these versions of Windows and Windows Server to manage volume activation. + +Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions. + +Volume activation—and the need for activation itself—is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](http://go.microsoft.com/fwlink/p/?LinkId=618209) in the TechNet Library. + +If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](http://go.microsoft.com/fwlink/p/?LinkId=618210). + +To successfully plan and implement a volume activation strategy, you must: + +- Learn about and understand product activation. + +- Review and evaluate the available activation types or models. + +- Consider the connectivity of the clients to be activated. + +- Choose the method or methods to be used with each type of client. 
+ +- Determine the types and number of product keys you will need. + +- Determine the monitoring and reporting needs in your organization. + +- Install and configure the tools required to support the methods selected. + +Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place. + +**In this guide:** + +- [Plan for volume activation](plan-for-volume-activation-client.md) + +- [Activate using Key Management Service](activate-using-key-management-service-vamt.md) + +- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md) + +- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md) + +- [Monitor activation](monitor-activation-client.md) + +- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md) + +- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md) + +  + +  + + + + + diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md new file mode 100644 index 0000000000..c8b2a39bfd --- /dev/null +++ b/windows/deploy/windows-10-deployment-scenarios.md 
@@ -0,0 +1,133 @@ +--- +title: Windows 10 deployment scenarios (Windows 10) +description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. +ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 +keywords: ["upgrade, in-place, configuration, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Windows 10 deployment scenarios + +**Applies to** +- Windows 10 + +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. + +## In-place upgrade +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. + +The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. 
Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process. + +Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) + +There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: + +- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. + +- Changing from legacy BIOS to UEFI booting. Some organizations deployed earlier versions of Windows on UEFI-enabled systems, leveraging the legacy BIOS capabilities of these systems. Because changing from legacy BIOS to UEFI requires changing the hardware configuration, disk configuration, and OS configuration, this is not possible using in-place upgrade. +

**Note**
Windows 10 does not require UEFI, so it would work fine to upgrade a system using legacy BIOS emulation. Some Windows 10 features, such as Secure Boot, would not be available after doing this. + +- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. + +- Devices that use third-party disk encryption software. While devices encrypted with BitLocker can easily be upgraded, more work is necessary for third-party disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process (check with your ISV to see if they have instructions), but if not available a traditional deployment would be needed. + +- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. + +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + +## Dynamic provisioning +For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. 
+ +The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: + +- Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled. + +- Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources. + +- Installation of additional apps needed for organization functions. + +- Configuration of common Windows settings to ensure compliance with organization policies. + +- Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune. + +There are two primary dynamic provisioning scenarios: + +- **Azure Active Directory (Azure AD) Join with automatic mobile device management (MDM) enrollment.** In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. + +- **Provisioning package configuration.** Using the [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](../manage/configure-devices-without-mdm.md). 
+ +Either way, these scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). + +While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. + +## Traditional deployment +New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. + +The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: + +- **New computer.** A bare-metal deployment of a new machine. + +- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). 
+ +- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). + +###New computer +This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). + +The deployment process for the new machine scenario is as follows: + +1. Start the setup from boot media (CD, USB, ISO, or PXE). + +2. Wipe the hard disk clean and create new volume(s). + +3. Install the operating system image. + +4. Install other applications (as part of the task sequence). + +After taking these steps, the computer is ready for use. + +###Computer refresh +A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. + +The deployment process for the wipe-and-load scenario is as follows: + +1. Start the setup on a running operating system. + +2. Save the user state locally. + +3. Wipe the hard disk clean (except for the folder containing the backup). + +4. Install the operating system image. + +5. Install other applications. + +6. Restore the user state. + +After taking these steps, the machine is ready for use. + +###Computer replace +A computer replace is similar to the refresh scenario. 
However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. + +The deployment process for the replace scenario is as follows: + +1. Save the user state (data and settings) on the server through a backup job on the running operating system. + +2. Deploy the new computer as a bare-metal deployment. + + **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. + +## Related topics +- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) +- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=620230) +- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Windows setup technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619357) +- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=619358) +- [UEFI firmware](http://go.microsoft.com/fwlink/p/?LinkId=619359) \ No newline at end of file diff --git a/windows/deploy/windows-10-deployment-tools-reference.md b/windows/deploy/windows-10-deployment-tools-reference.md new file mode 100644 index 0000000000..e71eedae97 --- /dev/null +++ b/windows/deploy/windows-10-deployment-tools-reference.md @@ -0,0 +1,59 @@ +--- +title: Windows 10 deployment tools reference (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Windows 10 deployment tools reference + + +Learn about the tools available to deploy Windows 10. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)

To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.

[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)

The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.

[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation-management-tool.md)

The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.

[User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)

The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.

+ +  + +  + +  + + + + + diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md new file mode 100644 index 0000000000..72baf3a243 --- /dev/null +++ b/windows/deploy/windows-10-edition-upgrades.md 
@@ -0,0 +1,85 @@ +--- +title: Windows 10 edition upgrade (Windows 10) +description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. +ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Windows 10 edition upgrade +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). + +The following table shows the methods you can use to upgrade editions of Windows 10. + +|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | +|-------|-----------|-----------------|----------------|-----------------|----------------|--------| +| Using mobile device management (MDM) |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) | +| Using a provisioning package |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) | +| Using a command-line tool |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) | +| Entering a product key manually |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) 
|![unsupported](images/crossmark.png) | +| Purchasing a license from the Windows Store |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) | + +**Note**
Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods. + +## Upgrade using mobile device management (MDM) +- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907). + +- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907). + +## Upgrade using a provisioning package +The Windows Imaging and Configuration Designer (ICD) tool is included in the Windows Assessment and Deployment Kit (ADK) for Windows 10. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +- To use Windows ICD to create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +- To use Windows ICD to create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. + +For more info on creating and applying a provisioning package using Windows ICD, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=533700). 
+ +## Upgrade using a command-line tool +You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: + +`changepk.exe /ProductKey ` + +## Upgrade by manually entering a product key +If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. + +**To manually enter a product key** + +1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Change product key**. + +3. Enter your product key. + +4. Follow the on-screen instructions. + +## Upgrade by purchasing a license from the Windows Store +If you do not have a product key, you can upgrade your edition of Windows 10 through the Windows Store. + +**To upgrade through the Windows Store** + +1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut. + +2. Click **Go to Store**. + +3. Follow the on-screen instructions. + + **Note**
If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Windows Store, click [here](ms-windows-store://windowsupgrade/). + +  + +  + +  + + + + + diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md new file mode 100644 index 0000000000..3fb2944f22 --- /dev/null +++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md 
@@ -0,0 +1,91 @@ +--- +title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) +description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. +ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Windows ADK for Windows 10 scenarios for IT Pros + + +The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](http://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). + +In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](http://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). + +Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. + +### Create a Windows image using command-line tools + +[DISM](http://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. 
+ +Here are some things you can do with DISM: + +- [Mount an offline image](http://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) +- [Add drivers to an offline image](http://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) +- [Enable or disable Windows features](http://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) +- [Add or remove packages](http://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) +- [Add language packs](http://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) +- [Add Universal Windows apps](http://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) +- [Upgrade the Windows edition](http://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) + +[Sysprep](http://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. + +Here are some things you can do with Sysprep: + +- [Generalize a Windows installation](http://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) +- [Customize the default user profile](http://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) +- [Use answer files](http://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) + +[Windows PE (WinPE)](http://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. 
+ +Here are ways you can create a WinPE image: + +- [Create a bootable USB drive](http://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) +- [Create a Boot CD, DVD, ISO, or VHD](http://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) + +[Windows Recovery Environment (Windows RE)](http://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. + +Here are some things you can do with Windows RE: + +- [Customize Windows RE](http://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) +- [Push-button reset](http://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) + +[Windows System Image Manager (Windows SIM)](http://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. + +Here are some things you can do with Windows SIM: + +- [Create answer file](http://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) +- [Add a driver path to an answer file](http://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) +- [Add a package to an answer file](http://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) +- [Add a custom command to an answer file](http://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) + +For a list of settings you can change, see [Unattended Windows Setup Reference](http://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. + +### Create a Windows image using Windows ICD + +Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](http://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. 
+ +Here are some things you can do with Windows ICD: + +- [Build and apply a provisioning package](http://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) +- [Export a provisioning package](http://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) +- [Build and deploy an image for Windows 10 for desktop editions](http://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) + +### IT Pro Windows deployment tools + +There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: + +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) + +  + +  + + + + + diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md new file mode 100644 index 0000000000..9d87667c9a --- /dev/null +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md 
@@ -0,0 +1,346 @@ +--- +title: Windows 10 deployment tools (Windows 10) +description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. +ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 +keywords: ["deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Windows 10 deployment tools + + +To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. + +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT) 2013 Update 1](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution. 
+ +In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations + +## Windows Assessment and Deployment Kit + + +Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526803 ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). + +![figure 1](images/win-10-adk-select.png) + +Figure 1. The Windows 10 ADK feature selection page. + +### Deployment Image Servicing and Management (DISM) + +DISM is one of the deployment tools included in the Windows ADK and is used for capturing, servicing, and deploying boot images and operating system images. + +DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source: + +``` syntax +Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess +``` + +In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. 
The equivalent command in Windows 10 using PowerShell is: + +``` syntax +Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All +-Source D:\Sources\SxS -LimitAccess +``` + +![figure 2](images/mdt-11-fig05.png) + +Figure 2. Using DISM functions in PowerShell. + +For more information on DISM, see [DISM technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619161). + +### User State Migration Tool (USMT) + +USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process. + +**Note**   +Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works. + +  + +USMT includes several command-line tools, the most important of which are ScanState and LoadState: + +- **ScanState.exe.** This performs the user-state backup. + +- **LoadState.exe.** This performs the user-state restore. + +- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe. + +In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: + +- **Migration templates.** The default templates in USMT. + +- **Custom templates.** Custom templates that you create. + +- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. 
+ +![figure 3](images/mdt-11-fig06.png) + +Figure 3. A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files. + +USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64. + +By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: + +- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. + +- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. + + **Note**   + The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. + +   + +- Operating system component settings + +- Application settings + +These are the settings migrated by the default MigUser.xml and MigApp.xml templates. 
For more details on what USMT migrates, see [What does USMT migrate?](http://go.microsoft.com/fwlink/p/?LinkId=619227) For more information on the USMT overall, see the [USMT technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619228). + +### Windows Imaging and Configuration Designer + +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. + +![figure 4](images/windows-icd.png) + +Figure 4. Windows Imaging and Configuration Designer. + +For more information, see [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkID=525483). + +### Windows System Image Manager (Windows SIM) + +Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. + +![figure 7](images/mdt-11-fig07.png) + +Figure 5. Windows answer file opened in Windows SIM. + +For more information, see [Windows System Image Manager Technical Reference]( http://go.microsoft.com/fwlink/p/?LinkId=619906). + +### Volume Activation Management Tool (VAMT) + +If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. + +![figure 6](images/mdt-11-fig08.png) + +Figure 6. The updated Volume Activation Management Tool. 
+ +VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: + +``` syntax +Get-VamtProduct +``` + +For more information on the VAMT, see [VAMT technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619230). + +### Windows Preinstallation Environment (Windows PE) + +Windows PE is a “Lite” version of Windows 10 and was created to act as a deployment platform. Windows PE replaces the DOS or Linux boot disks that ruled the deployment solutions of the last decade. + +The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box. + +![figure 7](images/mdt-11-fig09.png) + +Figure 7. A machine booted with the Windows ADK default Windows PE boot image. + +For more details on Windows PE, see [Windows PE (WinPE)](http://go.microsoft.com/fwlink/p/?LinkId=619233). + +## Windows Recovery Environment + + +Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. + +![figure 8](images/mdt-11-fig10.png) + +Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options. + +For more information on Windows RE, see [Windows Recovery Environment](http://go.microsoft.com/fwlink/p/?LinkId=619236). 
+ +## Windows Deployment Services + + +Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. + +![figure 9](images/mdt-11-fig11.png) + +Figure 9. Windows Deployment Services using multicast to deploy three machines. + +In Windows Server 2012 R2, [Windows Deployment Services](http://go.microsoft.com/fwlink/p/?LinkId=619245) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. + +### Trivial File Transfer Protocol (TFTP) configuration + +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting. 
+ +Also, there are a few new features related to TFTP performance: + +- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer. + +- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability. + +- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size. + +![figure 10](images/mdt-11-fig12.png) + +Figure 10. TFTP changes are now easy to perform. + +## Microsoft Deployment Toolkit 2013 Update 1 + + +MDT 2013 Update 1 is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. + +MDT 2013 Update 1 has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager. + +**Note**   +Lite Touch and Zero Touch are marketing names for the two solutions that MDT 2013 supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT 2013 Update 1 solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information. + +  + +![figure 11](images/mdt-11-fig13.png) + +Figure 11. The Deployment Workbench in MDT 2013, showing a task sequence. + +For more information on MDT 2013 Update 1, see the [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618117) resource center. 
+ +## Microsoft Security Compliance Manager 2013 + + +[Microsoft SCM](http://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer. + +![figure 12](images/mdt-11-fig14.png) + +Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance. + +## Microsoft Desktop Optimization Pack + + +MDOP is a suite of technologies available to Software Assurance customers through an additional subscription. + +The following components are included in the MDOP suite: + +- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10. + +- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. + +- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation. + +- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines. 
+ +- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies. + +For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](http://go.microsoft.com/fwlink/p/?LinkId=619247). + +## Internet Explorer Administration Kit 11 + + +There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file. + +![figure 13](images/mdt-11-fig15.png) + +Figure 13. The User Experience selection screen in IEAK 11. + +To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](http://go.microsoft.com/fwlink/p/?LinkId=619248) page. + +## Windows Server Update Services + + +WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment. + +![figure 14](images/mdt-11-fig16.png) + +Figure 14. The Windows Server Update Services console. + +For more information on WSUS, see the [Windows Server Update Services Overview](http://go.microsoft.com/fwlink/p/?LinkId=619249). + +## Unified Extensible Firmware Interface + + +For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. 
In this section, you learn the major differences between the two and how they affect operating system deployment. + +### Introduction to UEFI + +BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: + +- 16-bit code + +- 1 MB address space + +- Poor performance on ROM initialization + +- MBR maximum bootable disk size of 2.2 TB + +As the replacement to BIOS, UEFI has many features that Windows can and will use. + +With UEFI, you can benefit from: + +- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. + +- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. + +- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. + +- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. + +- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. + +- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. + +- **Flexible pre-operating system environment.** UEFI can perform many functions for you. 
You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. + +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader. + +### Versions + +UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. + +### Hardware support for UEFI + +In regard to UEFI, hardware is divided into four device classes: + +- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device. + +- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. + +- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. + +- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. + +### Windows support for UEFI + +Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. + +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. 
However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. + +### How UEFI is changing operating system deployment + +There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: + +- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. + +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. + +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB. + +- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit). + +For more information on UEFI, see the [UEFI firmware](http://go.microsoft.com/fwlink/p/?LinkId=619251) overview and related resources. + +## Related topics + + +[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) + +[Deploy Windows To Go](deploy-windows-to-go.md) + +[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) + +[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) + +  + +  + + + + + diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md new file mode 100644 index 0000000000..ff55a8264c --- /dev/null +++ b/windows/deploy/windows-upgrade-and-migration-considerations.md 
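Review bot: The "Secure boot" bullet in the UEFI section overstates the guarantee: "malware cannot switch the boot loader" should read that Secure Boot refuses to launch a boot loader that is not signed by a key the firmware trusts, which is what the "firmware validation process" and "verified operating system loader" wording in the same bullet actually describes. Two smaller fixes in the same hunk: the "Support for large disks" bullet says GPT allows "more than 100 primary disks", which should be "primary partitions" since GPT is a partition table, and the TFTP paragraph has "the method of do so" for "the method of doing so".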
@@ -0,0 +1,85 @@ +--- +title: Windows Upgrade and Migration Considerations (Windows 10) +description: Windows Upgrade and Migration Considerations +ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# Windows Upgrade and Migration Considerations + + +Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration. + +## Upgrade from a Previous Version of Windows + + +You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete. + +## Migrate Files and Settings + + +Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves. + +For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349). + +The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer. 
+ +### Migrate with Windows Easy Transfer + +Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download. + +With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store. + +### Migrate with the User State Migration Tool + +You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. + +## Upgrade and Migration Considerations + + +Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: + +### Application Compatibility + +For more information about application compatibility in Windows, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349). 
+ +### Multilingual Windows Image Upgrades + +When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. + +If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed. + +### Errorhandler.cmd + +When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run. + +### Data Drive ACL Migration + +During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files. + +Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: + +``` syntax +Key: HKLM\System\Setup +Type: REG_DWORD +Value: "DDACLSys_Disabled" = 1 +``` + +This feature is disabled if this registry key value exists and is configured to 1. + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +  + +  + + + + + 
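Review bot: The "Data Drive ACL Migration" section should state the permission impact, not only the performance one. The preceding paragraph says Setup rewrites the root ACL of every NTFS data drive to the default Windows XP ACL so that "authenticated users" can "modify access on folders and files", which loosens any hardened ACL an administrator had placed on those drives; the text then presents the DDACLSys_Disabled = 1 registry value purely as a performance switch. Suggest a sentence noting that the same value is the way to preserve existing data-drive ACLs during an upgrade, and that root ACLs on data drives should be reviewed after Setup when it is left enabled. Also worth a sentence in the "Errorhandler.cmd" section: since the commands in %WINDIR%\Setup\Scripts\Errorhandler.cmd run during the down-level phase of Setup, the file and directory should be writable only by administrators before the upgrade starts.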
diff --git a/windows/deploy/xml-file-requirements.md b/windows/deploy/xml-file-requirements.md new file mode 100644 index 0000000000..50c5e1b161 --- /dev/null +++ b/windows/deploy/xml-file-requirements.md @@ -0,0 +1,44 @@ +--- +title: XML File Requirements (Windows 10) +description: XML File Requirements +ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: CFaw +--- + +# XML File Requirements + + +When creating custom .xml files, note the following requirements: + +- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: + + ``` syntax + + ``` + +- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: + + ``` syntax + + + ``` + +- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: + + ``` syntax + My Application + ``` + +For examples of custom .xml files, see [Custom XML Examples](usmt-custom-xml-examples.md). + +  + +  + + + + + diff --git a/windows/docfx.json b/windows/docfx.json new file mode 100644 index 0000000000..4d4f037a4c --- /dev/null +++ b/windows/docfx.json 
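Review bot: The three ``` syntax blocks in xml-file-requirements.md are empty in this hunk (the third shows only the text "My Application"), so the XML declaration that the UTF-8 bullet says "you must specify", the migration element carrying the urlid, and the display-name element were evidently dropped as markup during conversion. The page does not make sense without them; restore the markup in each block, escaping it if the toolchain strips raw angle brackets, and check the other USMT topics added in this commit for the same loss.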
@@ -0,0 +1,24 @@ +{ + "build": { + "content": + [ + { + "files": ["**/**.md"], + "exclude": ["**/obj/**"] + } + ], + "resource": [ + { + "files": ["**/images/**", "**/*.json"], + "exclude": ["**/obj/**"] + } + ], + "globalMetadata": { + "ROBOTS": "INDEX, FOLLOW" + }, + "externalReference": [ + ], + "template": "op.html", + "dest": "windows" + } +} diff --git a/windows/index.md b/windows/index.md new file mode 100644 index 0000000000..08ec4adaa7 --- /dev/null +++ b/windows/index.md @@ -0,0 +1,39 @@ +--- +title: Windows 10 and Windows 10 Mobile (Windows 10) +description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. +ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 +ms.prod: W10 +author: brianlic-msft +--- + +# Windows 10 and Windows 10 Mobile + + +This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. + +## In this library + + +[What's new in Windows 10](whats-new/index.md) + +[Plan for Windows 10 deployment](plan/index.md) + +[Deploy Windows 10](deploy/index.md) + +[Keep Windows 10 secure](keep-secure/index.md) + +[Manage and update Windows 10](manage/index.md) + +## Related topics + + +[Windows 10 TechCenter](http://go.microsoft.com/fwlink/?LinkId=620009) + +  + +  + + + + + diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md new file mode 100644 index 0000000000..05507c1d74 --- /dev/null +++ b/windows/keep-secure/TOC.md 
@@ -0,0 +1,414 @@ +# [Keep Windows 10 secure](index.md) +## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) +## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) +## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) +### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) +### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) +## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) +### [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) +### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) +### [Event ID 300 - Passport successfully created](passport-event-300.md) +## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) +## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) +## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) +## [Protect derived domain credentials with Credential Guard](credential-guard.md) +## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) +### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) +#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) +##### [Add multiple apps to your enterprise data protection (EDP) Protected 
Apps list](add-apps-to-protected-list-using-custom-uri.md) +##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) +##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) +#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) +### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) +#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) +#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) +## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) +## [VPN profile options](vpn-profile-options.md) +## [Security technologies](security-technologies.md) +### [AppLocker](applocker-overview.md) +#### [Administer AppLocker](administer-applocker.md) +##### [Maintain AppLocker policies](maintain-applocker-policies.md) +##### [Edit an AppLocker policy](edit-an-applocker-policy.md) +##### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) +##### [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) +##### [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) +##### [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) +##### [Optimize AppLocker performance](optimize-applocker-performance.md) +##### [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) +##### [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) +##### [Working with AppLocker 
rules](working-with-applocker-rules.md) +###### [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) +###### [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) +###### [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) +###### [Create AppLocker default rules](create-applocker-default-rules.md) +###### [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) +###### [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) +###### [Delete an AppLocker rule](delete-an-applocker-rule.md) +###### [Edit AppLocker rules](edit-applocker-rules.md) +###### [Enable the DLL rule collection](enable-the-dll-rule-collection.md) +###### [Enforce AppLocker rules](enforce-applocker-rules.md) +###### [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) +##### [Working with AppLocker policies](working-with-applocker-policies.md) +###### [Configure the Application Identity service](configure-the-application-identity-service.md) +###### [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) +###### [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) +###### [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) +###### [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) +###### [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) +###### [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) +###### [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) +###### [Add rules for packaged apps to existing AppLocker 
rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md) +###### [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) +###### [Merge AppLocker policies manually](merge-applocker-policies-manually.md) +###### [Refresh an AppLocker policy](refresh-an-applocker-policy.md) +###### [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) +#### [AppLocker design guide](applocker-policies-design-guide.md) +##### [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) +##### [Determine your application control objectives](determine-your-application-control-objectives.md) +##### [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) +###### [Document your app list](document-your-application-list.md) +##### [Select the types of rules to create](select-types-of-rules-to-create.md) +###### [Document your AppLocker rules](document-your-applocker-rules.md) +##### [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) +###### [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) +###### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) +###### [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) +##### [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) +###### [Document your application control management processes](document-your-application-control-management-processes.md) +##### [Create your AppLocker planning document](create-your-applocker-planning-document.md) +#### [AppLocker deployment 
guide](applocker-policies-deployment-guide.md) +##### [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) +##### [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) +##### [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) +##### [Create Your AppLocker policies](create-your-applocker-policies.md) +###### [Create Your AppLocker rules](create-your-applocker-rules.md) +##### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) +###### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) +####### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md) +####### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md) +#### [AppLocker technical reference](applocker-technical-reference.md) +##### [What Is AppLocker?](what-is-applocker.md) +##### [Requirements to use AppLocker](requirements-to-use-applocker.md) +##### [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) +##### [How AppLocker works](how-applocker-works-techref.md) +###### [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) +###### [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) +###### [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) +###### [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) +###### [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) +####### [Understanding the publisher rule condition in 
AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) +####### [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) +####### [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) +###### [Understanding AppLocker default rules](understanding-applocker-default-rules.md) +####### [Executable rules in AppLocker](executable-rules-in-applocker.md) +####### [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) +####### [Script rules in AppLocker](script-rules-in-applocker.md) +####### [DLL rules in AppLocker](dll-rules-in-applocker.md) +####### [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) +##### [AppLocker architecture and components](applocker-architecture-and-components.md) +##### [AppLocker processes and interactions](applocker-processes-and-interactions.md) +##### [AppLocker functions](applocker-functions.md) +##### [Security considerations for AppLocker](security-considerations-for-applocker.md) +##### [Tools to Use with AppLocker](tools-to-use-with-applocker.md) +###### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md) +##### [AppLocker Settings](applocker-settings.md) +### [BitLocker](bitlocker-overview.md) +#### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +#### [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +#### [BitLocker basic deployment](bitlocker-basic-deployment.md) +#### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) +#### [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) +#### [BitLocker: Use BitLocker Drive Encryption Tools to manage 
BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) +#### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) +#### [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) +#### [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) +#### [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md) +#### [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) +##### [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) +##### [BitLocker Countermeasures](bitlocker-countermeasures.md) +##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md) +#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) +### [Encrypted Hard Drive](encrypted-hard-drive.md) +### [Security auditing](security-auditing-overview.md) +#### [Basic security audit policies](basic-security-audit-policies.md) +##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) +##### [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) +##### [View the security event log](view-the-security-event-log.md) +##### [Basic security audit policy settings](basic-security-audit-policy-settings.md) +###### [Audit account logon events](basic-audit-account-logon-events.md) +###### [Audit account management](basic-audit-account-management.md) +###### [Audit directory service access](basic-audit-directory-service-access.md) +###### [Audit logon events](basic-audit-logon-events.md) +###### [Audit object access](basic-audit-object-access.md) +###### [Audit policy change](basic-audit-policy-change.md) +###### [Audit privilege use](basic-audit-privilege-use.md) +###### [Audit process 
tracking](basic-audit-process-tracking.md) +###### [Audit system events](basic-audit-system-events.md) +#### [Advanced security audit policies](advanced-security-auditing.md) +##### [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) +##### [Advanced security auditing FAQ](advanced-security-auditing-faq.md) +###### [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md) +##### [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) +###### [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) +###### [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) +###### [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md) +###### [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) +###### [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md) +###### [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md) +###### [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md) +###### [Monitor claim types](monitor-claim-types.md) +##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) +###### [Audit Credential Validation](audit-credential-validation.md) +###### [Audit Kerberos Authentication Service ](audit-kerberos-authentication-service.md) +###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) +###### [Audit Other Account Logon Events 
](audit-other-account-logon-events.md) +###### [Audit Application Group Management](audit-application-group-management.md) +###### [Audit Computer Account Management](audit-computer-account-management.md) +###### [Audit Distribution Group Management](audit-distribution-group-management.md) +###### [Audit Other Account Management Events](audit-other-account-management-events.md) +###### [Audit Security Group Management](audit-security-group-management.md) +###### [Audit User Account Management](audit-user-account-management.md) +###### [Audit DPAPI Activity](audit-dpapi-activity.md) +###### [Audit PNP Activity](audit-pnp-activity.md) +###### [Audit Process Creation](audit-process-creation.md) +###### [Audit Process Termination ](audit-process-termination.md) +###### [Audit RPC Events](audit-rpc-events.md) +###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) +###### [Audit Directory Service Access](audit-directory-service-access.md) +###### [Audit Directory Service Changes](audit-directory-service-changes.md) +###### [Audit Directory Service Replication](audit-directory-service-replication.md) +###### [Audit Account Lockout ](audit-account-lockout.md) +###### [Audit User/Device Claims](audit-user-device-claims.md) +###### [Audit Group Membership](audit-group-membership.md) +###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md) +###### [Audit IPsec Main Mode](audit-ipsec-main-mode.md) +###### [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md) +###### [Audit Logoff](audit-logoff.md) +###### [Audit Logon](audit-logon.md) +###### [Audit Network Policy Server](audit-network-policy-server.md) +###### [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) +###### [Audit Special Logon](audit-special-logon.md) +###### [Audit Application Generated](audit-application-generated.md) +###### [Audit Certification Services](audit-certification-services.md) +###### [Audit Detailed File Share 
](audit-detailed-file-share.md) +###### [Audit File Share](audit-file-share.md) +###### [Audit File System](audit-file-system.md) +###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) +###### [Audit Filtering Platform Packet Drop ](audit-filtering-platform-packet-drop.md) +###### [Audit Handle Manipulation](audit-handle-manipulation.md) +###### [Audit Kernel Object ](audit-kernel-object.md) +###### [Audit Other Object Access Events](audit-other-object-access-events.md) +###### [Audit Registry](audit-registry.md) +###### [Audit Removable Storage](audit-removable-storage.md) +###### [Audit SAM ](audit-sam.md) +###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md) +###### [Audit Audit Policy Change](audit-audit-policy-change.md) +###### [Audit Authentication Policy Change](audit-authentication-policy-change.md) +###### [Audit Authorization Policy Change](audit-authorization-policy-change.md) +###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md) +###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) +###### [Audit Other Policy Change Events](audit-other-policy-change-events.md) +###### [Audit Sensitive Privilege Use ](audit-sensitive-privilege-use.md) +###### [Audit Non-Sensitive Privilege Use ](audit-non-sensitive-privilege-use.md) +###### [Audit Other Privilege Use Events ](audit-other-privilege-use-events.md) +###### [Audit IPsec Driver](audit-ipsec-driver.md) +###### [Audit Other System Events](audit-other-system-events.md) +###### [Audit Security State Change](audit-security-state-change.md) +###### [Audit Security System Extension](audit-security-system-extension.md) +###### [Audit System Integrity](audit-system-integrity.md) +###### [Registry (Global Object Access Auditing) ](registry-global-object-access-auditing.md) +###### [File System (Global Object Access Auditing) ](file-system-global-object-access-auditing.md) +### 
[Security policy settings](security-policy-settings.md) +#### [Administer security policy settings](administer-security-policy-settings.md) +##### [Network List Manager policies](network-list-manager-policies.md) +#### [Configure security policy settings](how-to-configure-security-policy-settings.md) +#### [Security policy settings reference](security-policy-settings-reference.md) +##### [Account Policies](account-policies.md) +###### [Password Policy](password-policy.md) +####### [Enforce password history](enforce-password-history.md) +####### [Maximum password age](maximum-password-age.md) +####### [Minimum password age](minimum-password-age.md) +####### [Minimum password length](minimum-password-length.md) +####### [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) +####### [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) +###### [Account Lockout Policy](account-lockout-policy.md) +####### [Account lockout duration](account-lockout-duration.md) +####### [Account lockout threshold](account-lockout-threshold.md) +####### [Reset account lockout counter after](reset-account-lockout-counter-after.md) +###### [Kerberos Policy](kerberos-policy.md) +####### [Enforce user logon restrictions](enforce-user-logon-restrictions.md) +####### [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md) +####### [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) +####### [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) +####### [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) +##### [Audit Policy](audit-policy.md) +##### [Security Options](security-options.md) +###### [Accounts: Administrator account status](accounts-administrator-account-status.md) +###### [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) +###### [Accounts: Guest 
account status](accounts-guest-account-status.md) +###### [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) +###### [Accounts: Rename administrator account](accounts-rename-administrator-account.md) +###### [Accounts: Rename guest account](accounts-rename-guest-account.md) +###### [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) +###### [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) +###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md) +###### [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) +###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) +###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) +###### [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md) +###### [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) +###### [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) +###### [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) +###### [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md) +###### [Domain controller: Allow 
server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md) +###### [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md) +###### [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) +###### [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) +###### [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) +###### [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) +###### [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md) +###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) +###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md) +###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) +###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) +###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md) +###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) +###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md) +###### [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) +###### [Interactive logon: Message title for users attempting to log 
on](interactive-logon-message-title-for-users-attempting-to-log-on.md) +###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) +###### [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md) +###### [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) +###### [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) +###### [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) +###### [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) +###### [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) +###### [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md) +###### [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md) +###### [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md) +###### [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) +###### [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) +###### [Microsoft network server: Disconnect clients when logon hours 
expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md) +###### [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md) +###### [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md) +###### [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md) +###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md) +###### [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md) +###### [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md) +###### [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md) +###### [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md) +###### [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md) +###### [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) +###### [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) +###### [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) +###### [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) +###### [Network security: Allow 
LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md) +###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md) +###### [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md) +###### [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md) +###### [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md) +###### [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) +###### [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) +###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md) +###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md) +###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) +###### [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) +###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) +###### [Network security: Restrict NTLM: Audit NTLM authentication in this 
domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) +###### [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) +###### [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) +###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) +###### [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md) +###### [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md) +###### [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md) +###### [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md) +###### [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md) +###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md) +###### [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md) +###### [System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md) +###### [System settings: Optional subsystems](system-settings-optional-subsystems.md) +###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md) +###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md) +###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md) +###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md) +###### [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) +###### [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md) +###### [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md) +###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) +###### [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md) +###### [User Account Control: Switch to the secure desktop when prompting for 
elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) +###### [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md) +##### [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) +##### [User Rights Assignment](user-rights-assignment.md) +###### [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) +###### [Access this computer from the network](access-this-computer-from-the-network.md) +###### [Act as part of the operating system](act-as-part-of-the-operating-system.md) +###### [Add workstations to domain](add-workstations-to-domain.md) +###### [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) +###### [Allow log on locally](allow-log-on-locally.md) +###### [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md) +###### [Back up files and directories](back-up-files-and-directories.md) +###### [Bypass traverse checking](bypass-traverse-checking.md) +###### [Change the system time](change-the-system-time.md) +###### [Change the time zone](change-the-time-zone.md) +###### [Create a pagefile](create-a-pagefile.md) +###### [Create a token object](create-a-token-object.md) +###### [Create global objects](create-global-objects.md) +###### [Create permanent shared objects](create-permanent-shared-objects.md) +###### [Create symbolic links](create-symbolic-links.md) +###### [Debug programs](debug-programs.md) +###### [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md) +###### [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) +###### [Deny log on as a service](deny-log-on-as-a-service.md) +###### [Deny log on locally](deny-log-on-locally.md) +###### [Deny log on through Remote Desktop 
Services](deny-log-on-through-remote-desktop-services.md) +###### [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md) +###### [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) +###### [Generate security audits](generate-security-audits.md) +###### [Impersonate a client after authentication](impersonate-a-client-after-authentication.md) +###### [Increase a process working set](increase-a-process-working-set.md) +###### [Increase scheduling priority](increase-scheduling-priority.md) +###### [Load and unload device drivers](load-and-unload-device-drivers.md) +###### [Lock pages in memory](lock-pages-in-memory.md) +###### [Log on as a batch job](log-on-as-a-batch-job.md) +###### [Log on as a service](log-on-as-a-service.md) +###### [Manage auditing and security log](manage-auditing-and-security-log.md) +###### [Modify an object label](modify-an-object-label.md) +###### [Modify firmware environment values](modify-firmware-environment-values.md) +###### [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) +###### [Profile single process](profile-single-process.md) +###### [Profile system performance](profile-system-performance.md) +###### [Remove computer from docking station](remove-computer-from-docking-station.md) +###### [Replace a process level token](replace-a-process-level-token.md) +###### [Restore files and directories](restore-files-and-directories.md) +###### [Shut down the system](shut-down-the-system.md) +###### [Synchronize directory service data](synchronize-directory-service-data.md) +###### [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) +### [Trusted Platform Module](trusted-platform-module-overview.md) +#### [TPM fundamentals](tpm-fundamentals.md) +#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +#### [AD DS schema extensions to support TPM 
backup](ad-ds-schema-extensions-to-support-tpm-backup.md) +#### [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) +#### [Manage TPM commands](manage-tpm-commands.md) +#### [Manage TPM lockout](manage-tpm-lockout.md) +#### [Change the TPM owner password](change-the-tpm-owner-password.md) +#### [Initialize and configure ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md) +#### [Switch PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) +#### [TPM recommendations](tpm-recommendations.md) +### [User Account Control](user-account-control-overview.md) +#### [How User Account Control works](how-user-account-control-works.md) +#### [User Account Control security policy settings](user-account-control-security-policy-settings.md) +### [Windows Defender in Windows 10](windows-defender-in-windows-10.md) +#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) +#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) +## [Enterprise security guides](windows-10-enterprise-security-guides.md) +### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) +### [Device Guard deployment guide](device-guard-deployment-guide.md) +### [Microsoft Passport guide](microsoft-passport-guide.md) +### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) +### [Windows 10 security overview](windows-10-security-guide.md) + diff --git a/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md new file mode 100644 index 0000000000..0a360b14e3 --- /dev/null +++ b/windows/keep-secure/access-credential-manager-as-a-trusted-caller.md 
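Review bot: Several link titles in the TOC hunk above carry a trailing space inside the square brackets, for example `[Audit Kerberos Authentication Service ]`, `[Audit Process Termination ]` and `[Audit SAM ]`; that space ends up in the rendered TOC text, so trim it. The seven-hash entries (`####### [Understanding the path rule condition in AppLocker](...)` and the rest of the AppLocker rule-condition and default-rule items) go beyond the six heading levels standard Markdown defines, so confirm the TOC build accepts level 7 or flatten those items to six. Two entries share the exact title "Advanced security audit policy settings" while pointing at different files (advanced-security-audit-policy-settings.md and secpol-advanced-security-audit-policy-settings.md); a distinguishing title for the second would help readers. Also "Backup the TPM recovery Information to AD DS" should read "Back up the TPM recovery information to AD DS", and the "Win7 only" suffix on "Network security: Configure encryption types allowed for Kerberos Win7 only" looks like a stray annotation rather than part of the policy name; check whether it belongs in the title.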
@@ -0,0 +1,138 @@ +--- +title: Access Credential Manager as a trusted caller (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Access Credential Manager as a trusted caller security policy setting. +ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Access Credential Manager as a trusted caller + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. + +## Reference + + +The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it is assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities. + +Constant: SeTrustedCredManAccessPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- Do not modify this policy setting from the default. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If an account is given this user right, the user of the account may create an application that calls into Credential Manager and is returned the credentials for another user. + +### Countermeasure + +Do not define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager. + +### Potential impact + +None. Not defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md new file mode 100644 index 0000000000..0c6e340409 --- /dev/null +++ b/windows/keep-secure/access-this-computer-from-the-network.md 
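Review bot: The Reference paragraph and the Countermeasure in this hunk name different holders of the right: the Reference says the privilege "is assigned only to the Winlogon service", while the Countermeasure says not to define it "for any accounts besides Credential Manager". Pick one so the two sections agree, since this is the sentence an administrator will act on. The Default values table is not written in Markdown pipe syntax and each cell is separated by a line holding only a non-breaking space (the lines from "Server type or GPO" through the last "Not defined"), which is hard to maintain and to diff; a pipe table such as `| Server type or GPO | Default value |` followed by `| Default domain policy | Not defined |` carries the same content. The stray non-breaking-space lines after the table and after the Related topics link should be removed, and the double blank line after each `##` heading ("## Reference", "## Policy management", "## Security considerations", "## Related topics") trimmed to one.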
@@ -0,0 +1,157 @@ +--- +title: Access this computer from the network (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. +ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Access this computer from the network + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. + +## Reference + + +The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). + +Users, devices, and service accounts gain or lose the **Access this computer from network** user right by being explicitly or implicitly added or removed from a security group that has been granted this user right. For example, a user account or a machine account may be explicitly added to a custom security group or a built-in security group, or it may be implicitly added by Windows to a computed security group such as Domain Users, Authenticated Users, or Enterprise Domain Controllers. + +By default, user accounts and machine accounts are granted the **Access this computer from network** user right when computed groups such as Authenticated Users, and for domain controllers, the Enterprise Domain Controllers group, are defined in the default domain controllers Group Policy Object (GPO). 
+ +Constant: SeNetworkLogonRight + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- On desktop devices or member servers, grant this right only to users and administrators. + +- On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. + +- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access

Stand-alone server default settings

Everyone, Administrators, Users, Backup Operators

Domain controller effective default settings

Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access

Member server effective default settings

Everyone, Administrators, Users, Backup Operators

Client computer effective default settings

Everyone, Administrators, Users, Backup Operators

+ +  + +## Policy management + + +When modifying this user right, the following actions might cause users and services to experience network access issues: + +- Removing the Enterprise Domain Controllers security group + +- Removing the Authenticated Users group or an explicit group that allows users, computers, and service accounts the user right to connect to computers over the network + +- Removing all user and machine accounts + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who can connect from their device to the network can access resources on target devices for which they have permission. For example, the **Access this computer from the network** user right is required for users to connect to shared printers and folders. If this user right is assigned to the **Everyone** group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 do not include the **Everyone** group. 
However, if a device is upgraded and the original device includes the **Everyone** group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device. + +### Countermeasure + +Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who log on to the domain can access resources that are shared from servers in the domain if members of the **Domain Users** group are included in the local **Users** group. + +**Note**   +If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement. + +  + +### Potential impact + +If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/account-lockout-duration.md b/windows/keep-secure/account-lockout-duration.md new file mode 100644 index 0000000000..56ba277f4f --- /dev/null +++ b/windows/keep-secure/account-lockout-duration.md 
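Review bot: the Default values table and the Vulnerability section of this file contradict each other. Every row of the table except "Default domain policy" lists the **Everyone** group (for example "Stand-alone server default settings / Everyone, Administrators, Users, Backup Operators" and "Client computer effective default settings / Everyone, Administrators, Users, Backup Operators"), yet the Vulnerability text says "the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 do not include the **Everyone** group" and treats its presence purely as an upgrade artifact, while the Best practices bullet says "This setting includes the **Everyone** group to ensure backward compatibility". One of these needs correcting before the page ships, because a reader deciding whether to remove Everyone will act on the table. Two smaller points in the same hunk: the second and third Reference paragraphs call the right "**Access this computer from network**" (no "the"), unlike the title and the rest of the page, and the `### Location` path is plain text here while the sibling files in this patch bold it (`**Computer Configuration\\Windows Settings\\...**`).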
@@ -0,0 +1,115 @@ +--- +title: Account lockout duration (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting. +ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Account lockout duration + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. + +## Reference + + +The **Account lockout duration** policy setting determines the number of minutes that a locked-out account remains locked out before automatically becoming unlocked. The available range is from 1 through 99,999 minutes. A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). + +This policy setting is dependent on the **Account lockout threshold** policy setting that is defined, and it must be greater than or equal to the value specified for the [Reset account lockout counter after](reset-account-lockout-counter-after.md) policy setting. + +### Possible values + +- A user-defined number of minutes from 0 through 99,999 + +- Not defined + +If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually. + +It is advisable to set **Account lockout duration** to approximately 30 minutes. To specify that the account will never be locked out, set the value to 0. 
To configure the value for this policy setting so that it never automatically unlocks the account might seem like a good idea; however, doing so can increase the number of requests that your organization’s Help Desk receives to unlock accounts that were locked by mistake. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not applicable

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not applicable

+ +  + +## Security considerations + + +More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track logon attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. + +### Vulnerability + +A denial-of-service (DoS) condition can be created if an attacker abuses the [Account lockout threshold](account-lockout-threshold.md) policy setting and repeatedly attempts to log on with a specific account. After you configure the Account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts. If you configure the **Account lockout duration** policy setting to 0, the account remains locked until you unlock it manually. + +### Countermeasure + +Configure the **Account lockout duration** policy setting to an appropriate value for your environment. To specify that the account will remain locked until you manually unlock it, configure the value to 0. When the **Account lockout duration** policy setting is configured to a nonzero value, automated attempts to guess account passwords are delayed for this interval before resuming attempts against a specific account. Using this setting in combination with the [Account lockout threshold](account-lockout-threshold.md) policy setting makes automated password guessing attempts more difficult. + +### Potential impact + +Configuring the **Account lockout duration** policy setting to 0 so that accounts cannot be automatically unlocked can increase the number of requests that your organization's Help Desk receives to unlock accounts that were locked by mistake. 
+ +## Related topics + + +[Account Lockout Policy](account-lockout-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/account-lockout-policy.md b/windows/keep-secure/account-lockout-policy.md new file mode 100644 index 0000000000..a8156f485c --- /dev/null +++ b/windows/keep-secure/account-lockout-policy.md 
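Review bot: the `### Location` path in this file is wrong: it gives `**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**`, but this is an Account Lockout Policy setting, and account-lockout-policy.md and account-lockout-threshold.md in this same patch place it under `...\\Account Policies\\Account Lockout Policy`. The Reference section also contradicts itself about the meaning of 0: the first paragraph says "A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it" and the Possible values text agrees, but the Best practices sentence "To specify that the account will never be locked out, set the value to 0" states the opposite; the Countermeasure wording ("To specify that the account will remain locked until you manually unlock it, configure the value to 0") is the one to keep. Minor: "If th **Account lockout duration** is set to 0" is missing the "e" in "the", and the second Reference paragraph ("This policy setting is dependent on ... must be greater than or equal to ...") only repeats the last sentence of the first paragraph and can be dropped.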
@@ -0,0 +1,68 @@ +--- +title: Account Lockout Policy (Windows 10) +description: Describes the Account Lockout Policy settings and links to information about each policy setting. +ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Account Lockout Policy + + +**Applies to** + +- Windows 10 + +Describes the Account Lockout Policy settings and links to information about each policy setting. + +Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. + +The following topics provide a discussion of each policy setting's implementation and best practices considerations, policy location, default values for the server type or Group Policy Object (GPO), relevant differences in operating system versions, and security considerations (including the possible vulnerabilities of each policy setting), countermeasures that you can implement, and the potential impact of implementing the countermeasures. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Account lockout duration](account-lockout-duration.md)

Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting.

[Account lockout threshold](account-lockout-threshold.md)

Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.

[Reset account lockout counter after](reset-account-lockout-counter-after.md)

Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting.

+ +  + +## Related topics + + +[Configure security policy settings](how-to-configure-security-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/account-lockout-threshold.md b/windows/keep-secure/account-lockout-threshold.md new file mode 100644 index 0000000000..93e40cfc90 --- /dev/null +++ b/windows/keep-secure/account-lockout-threshold.md 
@@ -0,0 +1,169 @@ +--- +title: Account lockout threshold (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting. +ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Account lockout threshold + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. + +## Reference + + +The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). + +Failed password attempts on workstations or member servers that have been locked by using CTRL+ALT+DELETE or password-protected screen savers do not count as failed sign-in attempts unless [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) is set to **Enabled**. If Interactive logon: Require Domain Controller authentication to unlock workstation is enabled, repeated failed password attempts to unlock the workstation will count against the account lockout threshold. 
+ +Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. + +However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. + +### Possible values + +It is possible to configure the following values for the **Account lockout threshold** policy setting: + +- A user-defined number from 0 through 999 + +- Not defined + +Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic + +### Best practices + +The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization. + +**Important**   +Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic. + +  + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** + +### Default values + +The following table lists the actual and effective default policy values. 
Default values are also listed on the property page for the policy setting. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

0 invalid sign-in attempts

Default domain controller policy

Not defined

Stand-alone server default settings

0 invalid sign-in attempts

Domain controller effective default settings

0 invalid sign-in attempts

Member server effective default settings

0 invalid sign-in attempts

Effective GPO default settings on client computers

0 invalid sign-in attempts

+ +  + +### Policy management + +This section describes features and tools that are available to help you manage this policy setting. + +### Restart requirements + +None. Changes to this policy setting become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Implementation considerations + +Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example: + +- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats. + +- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. + +- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed. 
+ +However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network. + +**Note**   +Offline password attacks are not countered by this policy setting. + +  + +### Countermeasure + +Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: + +- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: + + - The password policy setting requires all users to have complex passwords of 8 or more characters. + + - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment. + +- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. 
+ + A good recommendation for such a configuration is 50 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. We recommend this option if your organization cannot implement complex password requirements and an audit policy that alerts administrators to a series of failed sign-in attempts. + + Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems. + +### Potential impact + +If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls. + +If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that an malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. + +If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. + +## Related topics + + +[Account Lockout Policy](account-lockout-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/account-policies.md b/windows/keep-secure/account-policies.md new file mode 100644 index 0000000000..3aab5ebc1d --- /dev/null +++ b/windows/keep-secure/account-policies.md 
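Review bot: the two in-page links `[Countermeasure](#bkmk-countermeasure)` and `[Implementation considerations](#bkmk-impleconsiderations)` point at anchors that nothing in this file defines; the headings are plain `### Countermeasure` and `### Implementation considerations`, so either add matching anchors or link to the generated heading ids. Heading levels are also inconsistent with the rest of the patch: `### Policy management` is a level-3 heading here (the other files use `## Policy management`), which puts it at the same level as its own subsections `### Restart requirements` and `### Implementation considerations`. Wording nits: "For information these settings, see ... in this topic" is missing "about" and a closing period; "dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps" wants a colon rather than a semicolon; "an malicious user's attempt" should read "a malicious user's attempt"; and the last table row label "Effective GPO default settings on client computers" should match the "Client computer effective default settings" label used in the sibling tables.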
@@ -0,0 +1,73 @@ +--- +title: Account Policies (Windows 10) +description: An overview of account policies in Windows and provides links to policy descriptions. +ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Account Policies + + +**Applies to** + +- Windows 10 + +An overview of account policies in Windows and provides links to policy descriptions. + +All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers. + +**Note**   +Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO). + +  + +The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. 
The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Password Policy](password-policy.md)

An overview of password policies for Windows and links to information for each policy setting.

[Account Lockout Policy](account-lockout-policy.md)

Describes the Account Lockout Policy settings and links to information about each policy setting.

[Kerberos Policy](kerberos-policy.md)

Describes the Kerberos Policy settings and provides links to policy setting descriptions.

+ +  + +## Related topics + + +[Configure security policy settings](how-to-configure-security-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/accounts-administrator-account-status.md b/windows/keep-secure/accounts-administrator-account-status.md new file mode 100644 index 0000000000..280cd87d5b --- /dev/null +++ b/windows/keep-secure/accounts-administrator-account-status.md 
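Review bot: the `description:` front matter and the opening sentence of this file ("An overview of account policies in Windows and provides links to policy descriptions.") is a fragment with mismatched clauses; "Provides an overview of account policies in Windows and links to policy descriptions." reads cleanly and matches the "Describes ..." pattern the other files use. The **Note** paragraph says in two consecutive sentences that the domain-wide settings "are enforced by the domain controllers in the domain"; drop one. Also, "All account policies settings" should be "All account policy settings", and the sentence after the Note opens with "The only exception is when another account policy is defined for an organizational unit (OU)" although the preceding paragraph already covered policies "set at any level below the domain level"; rephrase it as an elaboration rather than an exception.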
@@ -0,0 +1,168 @@ +--- +title: Accounts Administrator account status (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting. +ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Accounts: Administrator account status + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting. + +## Reference + + +This security setting determines whether the local administrator account is enabled or disabled. + +If you try to enable the administrator account after it has been disabled, and if the current administrator password does not meet the password requirements, you cannot enable the account. In this case, an alternative member of the Administrators group must reset the password on the administrator account. + +If you disable this policy setting, and one of the following conditions exists on the computer, the administrator account is not disabled. + +1. No other local administrator account exists + +2. The administrator account is currently in use + +3. All other local administrator accounts are: + + 1. Disabled + + 2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment + +If the current administrator password does not meet the password requirements, you will not be able to enable the administrator account again after it has been disabled. In this case, another member of the Administrators group must set the password on the administrator account. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +By default, this setting is **Not defined** on domain controllers and **Enabled** on stand-alone servers. 
+ +### Best practices + +- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there is no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +Disabling the administrator account can become a maintenance issue under certain circumstances. Reasons that an organization might consider disabling the built-in administrator account include: + +- For some organizations, periodically changing the passwords for local accounts can be a daunting management challenge. + +- By default, the administrator account cannot be locked—no matter how many failed attempts to sign in a user accrues. This makes it a prime target for brute-force, password-guessing attacks. + +- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Safe mode considerations + +When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. If the computer is joined to a domain, the disabled administrator account is not enabled. + +If the administrator account is disabled, you can still access the computer by using safe mode with the current administrative credentials. For example, if a failure occurs using a secure channel with a domain-joined computer, and there is no other local administrator account, you must restart the device in safe mode to fix the failure. 
+ +### How to access a disabled Administrator account + +You can use the following methods to access a disabled Administrator account: + +- When there is only one local administrator account that is disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that computer. + +- When there are local administrator accounts in addition to the built-in account, start the computer in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that device. An alternate method is to sign in to Windows by using another local Administrator account that was created. + +- When multiple domain-joined servers have a disabled local Administrator account that can be accessed in safe mode, you can remotely run psexec by using the following command: **net user administrator /active: no**. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The built-in administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum. 
+ +### Countermeasure + +Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account cannot be used in a normal system startup. + +If it is very difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack. + +### Potential impact + +Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail. + +If the current administrator password does not meet the password requirements, you cannot enable the administrator account after it is disabled. If this situation occurs, another member of the administrators group must set the password on the administrator account. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/accounts-block-microsoft-accounts.md b/windows/keep-secure/accounts-block-microsoft-accounts.md new file mode 100644 index 0000000000..4326f9a355 --- /dev/null +++ b/windows/keep-secure/accounts-block-microsoft-accounts.md 
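Review bot: the third bullet under "How to access a disabled Administrator account" (the psexec method) tells the reader to run `net user administrator /active: no`, which disables the account rather than re-enabling it, so the step contradicts the heading it sits under. Suggest `net user administrator /active:yes` (the `net user` switch also takes no space after the colon). Smaller point in the same section: the bullet says "remotely run psexec" but shows only the net command, so either show the psexec invocation or say that the net command is what psexec executes on the remote server.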
@@ -0,0 +1,134 @@ +--- +title: Accounts Block Microsoft accounts (Windows 10) +description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting. +ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Accounts: Block Microsoft accounts + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting. + +## Reference + + +This policy setting prevents users from adding new Microsoft accounts on a device + +If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + +If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system. + +If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + +### Possible values + +- This policy is disabled + +- Users can’t add Microsoft accounts + +- Users can’t add or log on with Microsoft accounts + +By default, this setting is not defined on domain controllers and disabled on stand-alone servers. + +### Best practices + +- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. 
It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. + +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure implementation. + +### Vulnerability + +Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult. + +### Countermeasure + +Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. + +### Potential impact + +Establishing greater control over accounts in your organization can give you more secure management capabilities, including procedures around password resets. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md new file mode 100644 index 0000000000..8636ac74e3 --- /dev/null +++ b/windows/keep-secure/accounts-guest-account-status.md 
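Review bot: the "Potential impact" section of accounts-block-microsoft-accounts.md describes a benefit ("can give you more secure management capabilities, including procedures around password resets") rather than the negative consequence the "Security considerations" intro promises; the actual downside is already stated in the Reference section ("Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system") and should be repeated or referenced here. Also, the first Reference sentence ("This policy setting prevents users from adding new Microsoft accounts on a device") is missing its period.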
@@ -0,0 +1,117 @@ +--- +title: Accounts Guest account status (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. +ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Accounts: Guest account status + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting. + +## Reference + + +The **Accounts: Guest account status** policy setting determines whether the Guest account is enabled or disabled. + +This account allows unauthenticated network users to gain access to the system by logging on as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This can lead to the exposure or corruption of data. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those performed by the SMB Service—will fail. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. 
Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The default Guest account allows unauthenticated network users to log on as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data. + +### Countermeasure + +Disable the **Accounts: Guest account status** setting so that the built-in Guest account cannot be used. + +### Potential impact + +All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it is the default setting starting with Windows Vista and Windows Server 2003. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md new file mode 100644 index 0000000000..50c2375ce6 --- /dev/null +++ b/windows/keep-secure/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md 
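Review bot: the "Potential impact" section of accounts-guest-account-status.md names the related policy as "**Network Access: Sharing and Security Model** option is set to **Guest Only**", while "Best practices" in the same file links it as "Network access: Sharing and security model for local accounts" set to "**Guest only**"; use the linked full name and one capitalization in both places so readers can find the setting being referenced. Style: the single "Best practices" entry here is a bare paragraph, whereas the sibling topics in this patch format their best practices as bullets.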
@@ -0,0 +1,140 @@ +--- +title: Accounts Limit local account use of blank passwords to console logon only (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Accounts Limit local account use of blank passwords to console logon only security policy setting. +ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Accounts: Limit local account use of blank passwords to console logon only + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. + +## Reference + + +The **Accounts: Limit local account use of blank passwords to console logon only** policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords. If this policy setting is enabled, a local account must have a nonblank password to be used to perform an interactive or network logon from a remote client. + +This policy setting does not affect interactive logons that are performed physically at the console or logons that use domain accounts. It is possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting. + +Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. 
The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to log on to systems. + +Devices that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can log on by using a user account that does not have a password. This is especially important for portable devices. + +If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- It is advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +The policy as distributed through the GPO takes precedence over the locally configured policy setting on a computer joined to a domain. On the domain controller, use ADSI Edit or the dsquery command to determine effective minimum password length. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. Starting with Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on. 
+ +### Countermeasure + +Enable the **Accounts: Limit local account use of blank passwords to console logon only** setting. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/accounts-rename-administrator-account.md b/windows/keep-secure/accounts-rename-administrator-account.md new file mode 100644 index 0000000000..235aa109e5 --- /dev/null +++ b/windows/keep-secure/accounts-rename-administrator-account.md 
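Review bot: in accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md, the "Policy conflict considerations" sentence "On the domain controller, use ADSI Edit or the dsquery command to determine effective minimum password length" belongs to a password-length topic, not to this Enabled/Disabled setting; drop it or replace it with guidance specific to this policy. Related: the Reference sentence "If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services" does not fit a setting whose only values are Enabled, Disabled and Not defined (per "Possible values" in the same file); clarify what is meant or remove it.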
@@ -0,0 +1,136 @@ +--- +title: Accounts Rename administrator account (Windows 10) +description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. +ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Accounts: Rename administrator account + + +**Applies to** + +- Windows 10 + +This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. + +## Reference + + +The **Accounts: Rename administrator account** policy setting determines whether a different account name is associated with the security identifier (SID) for the administrator account. + +Because the administrator account exists on all Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), renaming the account makes it slightly more difficult for attackers to guess this user name and password combination. + +Rename the Administrator account by specifying a value for the **Accounts: Rename administrator account** policy setting. + +### Possible values + +- User-defined text + +- Not defined + +### Best practices + +- Be sure to inform users who are authorized to use this account of the new account name. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Administrator

DC Effective Default Settings

Administrator

Member Server Effective Default Settings

Administrator

Client Computer Effective Default Settings

Administrator

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation. + +The built-in administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. 
The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. + +### Countermeasure + +Specify a new name in the **Accounts: Rename administrator account** setting to rename the Administrator account. + +### Potential impact + +You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account was not disabled.) + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md new file mode 100644 index 0000000000..97861315e1 --- /dev/null +++ b/windows/keep-secure/accounts-rename-guest-account.md 
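Review bot: in the "Vulnerability" section of accounts-rename-administrator-account.md, "exists on all versions Windows 10 for desktop editions" is missing "of" (compare the Reference section's "all Windows 10 for desktop editions"), and "has full rights to configure the computer so this countermeasure is applied by default" needs a comma before "so". The "applied by default" claim also sits uneasily next to the Default values table, where every effective default is "Administrator"; qualify it so it is clear that the built-in account keeps its name and only the first-created administrator account carries a user-chosen name.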
@@ -0,0 +1,132 @@ +--- +title: Accounts Rename guest account (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. +ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Accounts: Rename guest account + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting. + +## Reference + + +The **Accounts: Rename guest account** policy setting determines whether a different account name is associated with the security identifier (SID) for the Guest account. + +### Possible values + +- *User-defined text* + +- Guest + +### Best practices + +1. For devices in unsecured locations, renaming the account makes it more difficult for unauthorized users to guess it. + +2. For computers in secured or trusted locations, keeping the name of the account as Guest provides consistency among devices + +### Location + +Computer Configuration\\Windows Settings\\Security Settings + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Guest

Default Domain Controller Policy

Guest

Stand-Alone Server Default Settings

Guest

DC Effective Default Settings

Guest

Member Server Effective Default Settings

Guest

Client Computer Effective Default Settings

User-defined text

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges or install software that could be used for a later attack on your system. + +### Countermeasure + +Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + +### Potential impact + +There should be little impact because the Guest account is disabled by default in Windows 2000 Server, Windows Server 2003, and Windows XP. For later operating systems, the policy is enabled with **Guest** as the default. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
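Review bot: the "Location" in accounts-rename-guest-account.md is given as "Computer Configuration\\Windows Settings\\Security Settings" and is missing the "\\Local Policies\\Security Options" suffix that every other Security Options topic in this patch uses. Two more points in the same file: the Default values table lists "User-defined text" for "Client Computer Effective Default Settings" while the "Potential impact" section says the policy is enabled with **Guest** as the default, and the "Countermeasure" text calls Guest "this privileged user name and password combination", wording carried over from the administrator topic that does not describe the Guest account. Item 2 under "Best practices" is also missing its period.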
diff --git a/windows/keep-secure/act-as-part-of-the-operating-system.md b/windows/keep-secure/act-as-part-of-the-operating-system.md new file mode 100644 index 0000000000..7606abc181 --- /dev/null +++ b/windows/keep-secure/act-as-part-of-the-operating-system.md 
@@ -0,0 +1,138 @@ +--- +title: Act as part of the operating system (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting. +ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Act as part of the operating system + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting. + +## Reference + + +The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access is not limited to what is associated with the user by default. The calling process may request that arbitrary additional privileges be added to the access token. The calling process may also build an access token that does not provide a primary identity for auditing in the system event logs. + +Constant: SeTcbPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- Do not assign this right to any user accounts. Only assign this user right to trusted users. + +- If a service requires this user right, configure the service to log on by using the local System account, which inherently includes this user right. Do not create a separate account and assign this user right to it. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. 
Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Act as part of the operating system** user right is extremely powerful. Users with this user right can take complete control of the device and erase evidence of their activities. + +### Countermeasure + +Restrict the **Act as part of the operating system** user right to as few accounts as possible—it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which inherently includes this privilege. Do not create a separate account and assign this user right to it. + +### Potential impact + +There should be little or no impact because the **Act as part of the operating system** user right is rarely needed by any accounts other than the Local System account. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md new file mode 100644 index 0000000000..6916504ad6 
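Review bot: the first "Best practices" bullet in act-as-part-of-the-operating-system.md contradicts itself: "Do not assign this right to any user accounts. Only assign this user right to trusted users." Keep one sentence; the "Countermeasure" section in the same file ("Restrict the **Act as part of the operating system** user right to as few accounts as possible") reads as the intended guidance, and the second bullet already covers the service case by pointing at the Local System account, so the first sentence alone would be consistent with both.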
--- /dev/null +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md 
@@ -0,0 +1,321 @@ +--- +title: AD DS schema extensions to support TPM backup (Windows 10) +description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. +ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AD DS schema extensions to support TPM backup + + +**Applies to** + +- Windows 10 + +This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. + +## Why a schema extension is needed + + +The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012: + +### TpmSchemaExtension.ldf + +This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object. 
+ +``` syntax +#=============================================================================== +# +# Active Directory Domain Services schema extension for +# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery +# +# This file contains attributes and class objects that enable Windows Server +# 2008 and Windows Server 2008 R2 domain controllers to store TPM recovery +# information in a new, TPM-specific location. +# +# Change History: +# 07/2010 - Created +# +# To extend the schema, use the LDIFDE tool on the schema master of the forest. +# +# Sample command: +# ldifde -i -v -f TPMSchemaExtension.ldf -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j . +# +# For more information on LDIFDE tool, see +# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677 +# +#=============================================================================== + +#=============================================================================== +# New schema attributes +#=============================================================================== + +# +# ms-TPM-Srk-Pub-Thumbprint +# GUID: 19d706eb-4d76-44a2-85d6-1c342be3be37 +# +dn: CN=ms-TPM-Srk-Pub-Thumbprint,CN=Schema,CN=Configuration,DC=X +changetype: add +objectClass: attributeSchema +ldapDisplayName: msTPM-SrkPubThumbprint +adminDisplayName: TPM-SrkPubThumbprint +adminDescription: This attribute contains the thumbprint of the SrkPub corresponding to a particular TPM. This helps to index the TPM devices in the directory. 
+attributeId: 1.2.840.113556.1.4.2107 +attributeSyntax: 2.5.5.10 +omSyntax: 4 +isSingleValued: TRUE +searchFlags: 11 +schemaIdGuid:: 6wbXGXZNokSF1hw0K+O+Nw== +showInAdvancedViewOnly: TRUE +isMemberOfPartialAttributeSet: FALSE +rangeUpper: 20 + +# +# ms-TPM-Owner-Information-Temp +# GUID: c894809d-b513-4ff8-8811-f4f43f5ac7bc +# +dn: CN=ms-TPM-Owner-Information-Temp,CN=Schema,CN=Configuration,DC=X +changetype: add +objectClass: attributeSchema +ldapDisplayName: msTPM-OwnerInformationTemp +adminDisplayName: TPM-OwnerInformationTemp +adminDescription: This attribute contains temporary owner information for a particular TPM. +attributeId: 1.2.840.113556.1.4.2108 +attributeSyntax: 2.5.5.12 +omSyntax: 64 +isSingleValued: TRUE +searchFlags: 640 +rangeUpper: 128 +schemaIdGuid:: nYCUyBO1+E+IEfT0P1rHvA== +showInAdvancedViewOnly: TRUE +isMemberOfPartialAttributeSet: FALSE + +# +# ms-TPM-Tpm-Information-For-Computer +# GUID: ea1b7b93-5e48-46d5-bc6c-4df4fda78a35 +# +dn: CN=ms-TPM-Tpm-Information-For-Computer,CN=Schema,CN=Configuration,DC=X +changetype: add +objectClass: attributeSchema +ldapDisplayName: msTPM-TpmInformationForComputer +adminDisplayName: TPM-TpmInformationForComputer +adminDescription: This attribute links a Computer object to a TPM object. +attributeId: 1.2.840.113556.1.4.2109 +attributeSyntax: 2.5.5.1 +omSyntax: 127 +isSingleValued: TRUE +searchFlags: 16 +omObjectClass:: KwwCh3McAIVK +schemaIdGuid:: k3sb6khe1Ua8bE30/aeKNQ== +showInAdvancedViewOnly: TRUE +isMemberOfPartialAttributeSet: FALSE +linkId: 2182 + +# +# ms-TPM-TpmInformation-For-Computer-BL +# GUID: 14fa84c9-8ecd-4348-bc91-6d3ced472ab7 +# +dn: CN=ms-TPM-Tpm-Information-For-Computer-BL,CN=Schema,CN=Configuration,DC=X +changetype: add +objectClass: attributeSchema +ldapDisplayName: msTPM-TpmInformationForComputerBL +adminDisplayName: TPM-TpmInformationForComputerBL +adminDescription: This attribute links a TPM object to the Computer objects associated with it. 
+attributeId: 1.2.840.113556.1.4.2110 +attributeSyntax: 2.5.5.1 +omSyntax: 127 +isSingleValued: FALSE +searchFlags: 0 +omObjectClass:: KwwCh3McAIVK +schemaIdGuid:: yYT6FM2OSEO8kW087Ucqtw== +showInAdvancedViewOnly: TRUE +systemOnly: TRUE +linkId: 2183 + +# +# Commit the new attributes +# + +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +# +# Modify the Computer schema to support the TPM link +# + +dn: CN=computer,CN=Schema,CN=Configuration,DC=X +changetype: modify +add: mayContain +mayContain: msTPM-TpmInformationForComputer +- + +# +# Commit the modification to the computer class +# + +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +#=============================================================================== +# New schema classes +#=============================================================================== + +# +# ms-TPM-Information-Objects-Container +# GUID: e027a8bd-6456-45de-90a3-38593877ee74 +# +dn: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X +changetype: add +objectClass: classSchema +ldapDisplayName: msTPM-InformationObjectsContainer +adminDisplayName: TPM-InformationObjectsContainer +adminDescription: Container for TPM objects. +governsID: 1.2.840.113556.1.5.276 +objectClassCategory: 1 +subClassOf: top +systemMustContain: cn +systemPossSuperiors: domain +systemPossSuperiors: domainDNS +schemaIdGUID:: vagn4FZk3kWQozhZOHfudA== +defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;LOLCCCRP;;;DC) +defaultHidingValue: TRUE +defaultObjectCategory: CN=ms-TPM-Information-Objects-Container,CN=Schema,CN=Configuration,DC=X + +# +# ms-TPM-Information-Object +# GUID: 85045b6a-47a6-4243-a7cc-6890701f662c +# +# NOTE: If the 'defaultSecurityDescriptor' value below is changed, +# also change the other '.ldf' files in this directory, as appropriate. 
+# +dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X +changetype: add +objectClass: classSchema +ldapDisplayName: msTPM-InformationObject +adminDisplayName: TPM-InformationObject +adminDescription: This class contains recovery information for a Trusted Platform Module (TPM) device. +governsID: 1.2.840.113556.1.5.275 +objectClassCategory: 1 +subClassOf: top +systemMustContain: msTPM-OwnerInformation +systemMayContain: msTPM-SrkPubThumbprint +systemMayContain: msTPM-OwnerInformationTemp +systemPossSuperiors: 1.2.840.113556.1.5.276 +schemaIdGUID:: alsEhaZHQ0KnzGiQcB9mLA== +defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLO;;;DC)(A;;WP;;;CO) +defaultHidingValue: TRUE +defaultObjectCategory: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X +# +# NOTE: If the 'defaultSecurityDescriptor' value above is changed, +# also change the other '.ldf' files in this directory, as appropriate. +# + +# +# Commit the new TPM object class +# + +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +#=============================================================================== +# New objects +#=============================================================================== + +# +# Add the TPM container to its location in the directory +# +dn: CN=TPM Devices,DC=X +changetype: add +objectClass: msTPM-InformationObjectsContainer +``` + +You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf. 
+ +### TpmSchemaExtensionACLChanges.ldf + +This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. + +**Important**   +After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects. + +  + +``` syntax +#=============================================================================== +# +# Active Directory Domain Services schema extension for +# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery +# +# This file modifies a class object that enables Windows Server 2008 +# and Windows Server 2008 R2 domain controllers to store TPM recovery +# information in a new, TPM-specific location. +# +# This file converts the standard schema extension in which only the creator +# of an 'ms-TPM-Information-Object' can write to the object to the Open +# schema extension in which any Domain Computer can write to the object. +# +# This conversion does not apply to any 'ms-TPM-Information-Object' that +# was created before the conversion. + +# +# Change History: +# 12/2011 - Created +# +# To change the schema, use the LDIFDE tool on the schema master of the forest. +# +# Sample command: +# ldifde -i -v -f TpmSchemaExtensionACLChanges.ldf +# -c "DC=X" "DC=nttest,dc=microsoft,dc=com" -k -j . 
+# +# For more information on LDIFDE tool, see +# http://support.microsoft.com/default.aspx?scid=kb;en-us;237677 +# +#=============================================================================== + +# +# Modify the TPM-Information-Object class schema 'defaultSecurityDescriptor' to +# allow any Domain Computer to write its properties (including the TPM OwnerAuth +# value) from allowing only the creating Computer object to write its properties +# +# NOTE: Keep any changes to the 'defaultSecurityDescriptor' value in synchronization +# with the value in the TPM-Information-Object class description in the +# 'TpmSchemaExtension.ldf' file +# + +dn: CN=ms-TPM-Information-Object,CN=Schema,CN=Configuration,DC=X +changetype: modify +replace: defaultSecurityDescriptor +defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPLO;;;DC) +- + +# +# Commit the modification to the TPM-Information-Object schema +# + +dn: +changetype: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- +``` + +  + +  + + + + + diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md new file mode 100644 index 0000000000..7a3fe8957c --- /dev/null +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md 
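Review bot: The Important note under TpmSchemaExtensionACLChanges.ldf omits a caveat the LDF itself states in its header ("This conversion does not apply to any 'ms-TPM-Information-Object' that was created before the conversion"): only TPM objects created after the ACL change get the relaxed descriptor, so the dual-boot and reimage cases the previous section says this file addresses still fail for machines whose TPM object already exists. Suggest adding that sentence to the prose, and spelling out what the change does in ACL terms: the original class grants Domain Computers `(A;;RPLO;;;DC)` with write property only for the creator `(A;;WP;;;CO)`, while the replacement grants `(A;;RPWPLO;;;DC)`, which is why the auditing recommendation matters. Both sample ldifde commands substitute the internal test domain `"DC=nttest,dc=microsoft,dc=com"`; replace it with a neutral placeholder such as `"DC=contoso,dc=com"`. Minor: the comment header `ms-TPM-TpmInformation-For-Computer-BL` does not match its DN `ms-TPM-Tpm-Information-For-Computer-BL`, and "to backup TPM owner authorization information" should read "to back up".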
@@ -0,0 +1,126 @@ +--- +title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10) +description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. +ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 +keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Add multiple apps to your enterprise data protection (EDP) Protected Apps list +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). + +**Important**   +Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. + +If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. + +**To add Universal Windows Platform (UWP) apps** + +1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. 
The local security policy MMC snap-in opens showing the **Security Settings**. + +2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.

+The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder. + +3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.

+You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. + +4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.

+This name should be easily recognizable, such as *EDP_UniversalApps_Rules*. + +5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.

+**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.

+**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + +6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. + +7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.

+**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + +8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + +9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**. + +11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**. + +12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection//StoreApp EXE` + +13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. + +14. Copy the text that has a **Type** of Appx, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: + + ``` + + ``` + +15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

+After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + +**To add Classic Windows applications** + +1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**. + +2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.

+The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder. + +3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.

+You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. + +4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.

+This name should be easily recognizable, such as *EDP_ClassicApps_Rules*. + +5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.

+**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.

+**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + +6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. + +7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.

+**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + +8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + +9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**. + +11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**. + +12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection//EXE` + +13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. + +14. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: + + ``` + + ``` + +15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

+After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + +##Related topics +- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) +- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) +- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md new file mode 100644 index 0000000000..6a390e94d9 --- /dev/null +++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md 
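Review bot: The Important under step 5 ("You can also use Path rules instead of the File hash if you have concerns about unsigned files potentially changing the hash value") contradicts the guidance two paragraphs below it that Path rules let a renamed DisallowedApp.exe bypass EDP; in both procedures, either drop that tip or rewrite it so the ordering is Publisher, then File hash, then Path as the least safe fallback, matching the Note. Step 14 in both procedures says "For example:" but the fenced block that follows is empty; include the Appx/EXE RuleCollection snippet or remove the placeholder. The OMA-URI values `./Vendor/MSFT/AppLocker/EnterpriseDataProtection//StoreApp EXE` and `./Vendor/MSFT/AppLocker/EnterpriseDataProtection//EXE` contain a double slash where a path segment appears to be missing, and the first has a space inside `StoreApp EXE`; verify both against the AppLocker CSP before publishing. Minor: "polices" in step 2 of both procedures should be "policies", and "within in the RuleCollection tags" in the second step 14 has an extra "in".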
@@ -0,0 +1,31 @@ +--- +title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) +description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). +ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Add rules for packaged apps to existing AppLocker rule-set + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). + +You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center. + +RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8. + +  + +  + + + + + diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md new file mode 100644 index 0000000000..c16e08f043 --- /dev/null +++ b/windows/keep-secure/add-workstations-to-domain.md 
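Review bot: "Remote Server Administration Toolkit (RSAT)" in the description and body should be "Remote Server Administration Tools (RSAT)", the product's actual name. "where your existing AppLocker policy are authored" needs "policies are" (or "policy is"), and the closing sentence would be clearer as "computers running at least Windows Server 2012 or Windows 8" so it matches the first paragraph's "Windows Server 2012 or Windows 8 and later".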
@@ -0,0 +1,144 @@ +--- +title: Add workstations to domain (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. +ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Add workstations to domain + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting. + +## Reference + + +This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain. + +Adding a machine account to the domain allows the device to participate in Active Directory-based networking. + +Constant: SeMachineAccountPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + +### Default values + +By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Authenticated Users

Member Server Effective Default Settings

Not Defined

Client Computer Effective Default Settings

Not Defined

+ +  + +## Policy management + + +Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right. + +Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This policy has the following security considerations: + +### Vulnerability + +The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. 
For example, if your organization does not want its users to have administrative privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. + +### Countermeasure + +Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain. + +### Potential impact + +For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md new file mode 100644 index 0000000000..c49d52f51b --- /dev/null +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md 
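Review bot: The Countermeasure ("Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain") does not close the path the Policy management section itself describes: a user with the Create Computer Objects permission on an OU or the Computers container can add an unlimited number of devices regardless of this user right. Suggest extending Countermeasure and Best practices to say that those container permissions must be reviewed alongside the user right, and to state plainly that the default of Authenticated Users on domain controllers is what is being replaced. It would also help readers to name the domain attribute that sets the ten-workstation quota (ms-DS-MachineAccountQuota) so they can verify or lower it. Minor: "Add workstation to domain" in the second Policy management paragraph should match the setting name "Add workstations to domain".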
@@ -0,0 +1,154 @@ +--- +title: Adjust memory quotas for a process (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. +ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Adjust memory quotas for a process + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting. + +## Reference + + +This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis. + +This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + +Constant: SeIncreaseQuotaPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +1. Restrict the **Adjust memory quotas for a process** user right to only users who require the ability to adjust memory quotas to perform their jobs. + +2. If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + +### Default values + +By default, members of the Administrators, Local Service, and Network Service groups have this right. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Administrators

+

Local Service

+

Network Service

Default Domain Controller Policy

Administrators

+

Local Service

+

Network Service

Stand-Alone Server Default Settings

Administrators

+

Local Service

+

Network Service

Domain Controller Effective Default Settings

Administrators

+

Local Service

+

Network Service

Member Server Effective Default Settings

Administrators

+

Local Service

+

Network Service

Client Computer Effective Default Settings

Administrators

+

Local Service

+

Network Service

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A user with the **Adjust memory quotas for a process** privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used by a malicious user to start a denial-of-service (DoS) attack. + +### Countermeasure + +Restrict the **Adjust memory quotas for a process** user right to users who require it to perform their jobs, such as application administrators who maintain database management systems or domain administrators who manage the organization's directory and its supporting infrastructure. + +### Potential impact + +Organizations that have not restricted users to roles with limited privileges may find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Adjust memory quotas for a process** user right to additional accounts that are required by those components. IIS requires that this privilege be explicitly assigned to the IWAM\_<ComputerName>, Network Service, and Service accounts. 
Otherwise, this countermeasure should have no impact on most computers. If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md new file mode 100644 index 0000000000..f2aa9aa68d --- /dev/null +++ b/windows/keep-secure/administer-applocker.md 
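Review bot: `IWAM\_<ComputerName>` in Potential impact will lose its angle brackets when Markdown treats them as an HTML tag; escape them or put the name in backticks. The final sentence ("If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account") repeats Best practices item 2 almost verbatim; keep one. The Reference paragraph says the right is defined in the Default Domain Controller GPO and in local security policy, yet the Default values table lists Administrators, Local Service and Network Service under Default Domain Policy as well; confirm which is intended and make the two agree.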
@@ -0,0 +1,138 @@ +--- +title: Administer AppLocker (Windows 10) +description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. +ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Administer AppLocker + + +**Applies to** + +- Windows 10 + +This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. + +AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: + +- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. + +- Assign a rule to a security group or an individual user. + +- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). + +- Use audit-only mode to deploy the policy and understand its impact before enforcing it. + +- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. + +- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. + +**Note**   +For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). 
+ +  + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Maintain AppLocker policies](maintain-applocker-policies.md)

This topic describes how to maintain rules within AppLocker policies.

[Edit an AppLocker policy](edit-an-applocker-policy.md)

This topic for IT professionals describes the steps required to modify an AppLocker policy.

[Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)

This topic discusses the steps required to test an AppLocker policy prior to deployment.

[Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)

This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.

[Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)

This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.

[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)

This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.

[Optimize AppLocker performance](optimize-applocker-performance.md)

This topic for IT professionals describes how to optimize AppLocker policy enforcement.

[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)

This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.

[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)

This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.

[Working with AppLocker rules](working-with-applocker-rules.md)

This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.

[Working with AppLocker policies](working-with-applocker-policies.md)

This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.

+ +  + +## Using the MMC snap-ins to administer AppLocker + + +You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). + +### Administer Applocker using Group Policy + +You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. + +1. Open the Group Policy Management Console (GPMC). + +2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**. + +3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. + +### Administer AppLocker on the local PC + +1. Click **Start**, type **local security policy**, and then click **Local Security Policy**. + +2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. + +## Using Windows PowerShell to administer AppLocker + + +For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx). + +  + +  + + + + + 
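Review bot: the heading `### Administer Applocker using Group Policy` miscapitalizes the product name (every other occurrence in the file is AppLocker); fix it for consistency and so the auto-generated heading anchor matches the naming used by the sibling topics. The "In this section" table is raw HTML (`<table>`/`<colgroup>` with percentage widths) while the rest of the file is Markdown; the same Topic/Description pairs fit a two-column Markdown table, which is easier to review in a diff. The "Administer AppLocker using Group Policy" procedure states the permission required (Edit Setting on the GPO), but "Administer AppLocker on the local PC" only implies elevation through the UAC prompt in step 2; state that the user must be a member of the local Administrators group so the two procedures are parallel. Minor: the Import/export bullet says importing overwrites the existing policy, which is the right warning for the console path, but it would help to point readers at the PowerShell topic for the merge alternative rather than leaving "overwritten" as the only option.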
diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md new file mode 100644 index 0000000000..5c25499e20 --- /dev/null +++ b/windows/keep-secure/administer-security-policy-settings.md 
@@ -0,0 +1,497 @@ +--- +title: Administer security policy settings (Windows 10) +description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. +ms.assetid: 7617d885-9d28-437a-9371-171197407599 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Administer security policy settings + + +**Applies to** + +- Windows 10 + +This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. + +Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization. + +Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. + +Security settings can control: + +- User authentication to a network or device. + +- The resources that users are permitted to access. + +- Whether to record a user’s or group’s actions in the event log. + +- Membership in a group. + +For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md). + +To manage security configurations for multiple computers, you can use one of the following options: + +- Edit specific security settings in a GPO. 
+ +- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security. + +## What’s changed in how settings are administered? + + +Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Tool or featureDescription and use

[Security Policy snap-in](#bkmk-secpol)

Secpol.msc

+

MMC snap-in designed to manage only security policy settings.

[Security editor command line tool](#bkmk-secedit)

Secedit.exe

+

Configures and analyzes system security by comparing your current configuration to specified security templates.

[Security Compliance Manager](#bkmk-scm)

Tool download

+

A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.

[Security Configuration Wizard](#bkmk-scw)

Scw.exe

+

SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.

[Security Configuration Manager tool](#bkmk-scmtool)

This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.

[Group Policy](#bkmk-grouppolicy)

Gpmc.msc and Gpedit.msc

+

The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.

Software Restriction Policies

+

See [Administer Software Restriction Policies](http://technet.microsoft.com/library/hh994606.aspx).

Gpedit.msc

+

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.

AppLocker

+

See [Administer AppLocker](administer-applocker.md).

Gpedit.msc

+

Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.

+ +  + +## Using the Local Security Policy snap-in + + +The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: + +- Account Policies + +- Local Policies + +- Windows Firewall with Advanced Security + +- Network List Manager Policies + +- Public Key Policies + +- Software Restriction Policies + +- Application Control Policies + +- IP Security Policies on Local Computer + +- Advanced Audit Policy Configuration + +Policies set locally might be overwritten if the computer is joined to the domain. + +The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#bkmk-scmtool) in this topic. + +## Using the secedit command-line tool + + +The secedit command-line tool works with security templates and provides six primary functions: + +- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. + +- The **Analyze** parameter compares the server’s security configuration with the selected template. + +- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. + +- The **Export** parameter allows you to export the settings from a database into a security settings template. + +- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue. + +- The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. 
The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. + +## Using the Security Compliance Manager + + +The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats—including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process. + +**To administer security policies by using the Security Compliance Manager** + +1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog. + +2. Read the relevant security baseline documentation that is included in this tool. + +3. Download and import the relevant security baselines. The installation process steps you through baseline selection. + +4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. + +## Using the Security Configuration Wizard + + +The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. 
SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. + +The following are considerations for using SCW: + +- SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. + +- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. + +- You can deploy security policies that you create with SCW by using Group Policy. + +- SCW does not install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. + +- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. + +- All apps that use the IP protocol and ports must be running on the server when you run SCW. + +- In some cases, you must be connected to the Internet to use the links in the SCW help. + +**Note**   +The SCW is available only on Windows Server and only applicable to server installations. + +  + +The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to: + +- Create a security policy that can be applied to any server on your network. + +- Edit an existing security policy. + +- Apply an existing security policy. + +- Roll back the last applied security policy. + +The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings. 
+ +For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx). + +## Working with the Security Configuration Manager + + +The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. + +For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](http://technet.microsoft.com/library/cc758219(WS.10).aspx). + +The following table lists the features of the Security Configuration Manager. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Security Configuration Manager toolsDescription

[Security Configuration and Analysis](#bkmk-seccfgana)

Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

[Security templates](#bkmk-sectmpl)

Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

[Security Settings extension to Group Policy](#bkmk-secextensions)

Edits individual security settings on a domain, site, or organizational unit.

[Local Security Policy](#bkmk-localsecpol)

Edits individual security settings on your local computer.

Secedit

Automates security configuration tasks at a command prompt.

+ +  + +### Security Configuration and Analysis + +Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security. + +### Security analysis + +The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. + +Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. + +Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. + +### Security configuration + +Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. + +### Security templates + +With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. 
The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. + +Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once. + +To apply a security template to your local device, you can use Security Configuration and Analysis or the secedit command-line tool. + +Security templates can be used to define: + +- Account Policies + + - Password Policy + + - Account Lockout Policy + + - Kerberos Policy + +- Local Policies + + - Audit Policy + + - User Rights Assignment + + - Security Options + +- Event Log: Application, system, and security Event Log settings + +- Restricted Groups: Membership of security-sensitive groups + +- System Services: Startup and permissions for system services + +- Registry: Permissions for registry keys + +- File System: Permissions for folders and files + +Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. + +### Security settings extension to Group Policy + +Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. + +Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. 
Security settings can control: + +- How users are authenticated to a network or device + +- What resources users are authorized to use. + +- Whether or not a user's or group's actions are recorded in the event log. + +- Group membership. + +You can change the security configuration on multiple computers in two ways: + +- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object. + +- Change a few select settings with security settings. + +### Local Security Policy + +A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device + +With the local security policy, you can control: + +- Who accesses your device. + +- What resources users are authorized to use on your device. + +- Whether or not a user’s or group's actions are recorded in the event log. + +If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence. + +1. Organizational unit policy + +2. Domain policy + +3. Site policy + +4. Local computer policy + +If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. 
+ +### Using the Security Configuration Manager + +For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: + +- [Applying security settings](#bkmk-applysecsettings) + +- [Importing and exporting security templates](#bkmk-impexpsectmpl) + +- [Analyzing security and viewing results](#bkmk-anasecviewresults) + +- [Resolving security discrepancies](#bkmk-resolvesecdiffs) + +- [Automating security configuration tasks](#bkmk-autoseccfgtasks) + +### Applying security settings + +Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: + +- When a device is restarted, the settings on that device will be refreshed. + +- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. + +**Precedence of a policy when more than one policy is applied to a computer** + +For security settings that are defined by more than one policy, the following order of precedence is observed: + +1. Organizational Unit Policy + +2. Domain Policy + +3. Site Policy + +4. Local computer Policy + +For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. + +**Note**   +Use gpresult.exe to find out what policies are applied to a device and in what order. 
+ +For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies. + +  + +**Persistence in security settings** + +Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. + +Persistence in security settings occurs when: + +- The setting has not been previously defined for the device. + +- The setting is for a registry object. + +- The setting is for a file system object. + +All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing." + +Registry and file settings will maintain the values applied through policy until that setting is set to other values. + +**Filtering security settings based on group membership** + +You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. + +### Importing and exporting security templates + +Security Configuration and Analysis provides the ability to import and export security templates into or from a database. + +If you have made any changes to the analysis database, you can save those settings by exporting them into a template. 
The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. + +### Analyzing security and viewing results + +Security Configuration and Analysis performs security analysis by comparing the current state of system security against an *analysis database*. During creation, the analysis database uses at least one security template. If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence. + +Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Visual flagMeaning

Red X

The entry is defined in the analysis database and on the system, but the security setting values do not match.

Green check mark

The entry is defined in the analysis database and on the system and the setting values match.

Question mark

The entry is not defined in the analysis database and, therefore, was not analyzed.

+

If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.

Exclamation point

This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.

No highlight

The item is not defined in the analysis database or on the system.

+ +  + +If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. + +To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. + +### Resolving security discrepancies + +You can resolve discrepancies between analysis database and system settings by: + +- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. + +- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. + +- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. + +Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. + +You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. 
In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. + +### Automating security configuration tasks + +By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt. + +Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours. + +## Working with Group Policy tools + + +Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. + +  + +  + + + + + diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md new file mode 100644 index 0000000000..41e24e9099 --- /dev/null +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md 
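Review bot: every in-page link in this file targets a `#bkmk-*` anchor (`#bkmk-secpol`, `#bkmk-secedit`, `#bkmk-scm`, `#bkmk-scw`, `#bkmk-scmtool`, `#bkmk-grouppolicy`, `#bkmk-seccfgana`, `#bkmk-sectmpl`, `#bkmk-secextensions`, `#bkmk-localsecpol`, `#bkmk-applysecsettings`, `#bkmk-impexpsectmpl`, `#bkmk-anasecviewresults`, `#bkmk-resolvesecdiffs`, `#bkmk-autoseccfgtasks`), but nothing in the hunk defines any of them; the Markdown headings will generate slugs such as `#using-the-local-security-policy-snap-in`, so all of these links are dead on publish. Either add an `<a id="bkmk-…"></a>` before each target heading or rewrite the links to the heading slugs. In the Security Configuration Manager tools table, the Security Configuration and Analysis row repeats the Security templates row's description verbatim ("Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer."), while the body text below correctly describes it as the snap-in for analyzing and configuring local system security; use that wording in the table. The "What's changed" table also appears to place the "See [Administer Software Restriction Policies]" and "See [Administer AppLocker]" links in the tool column with Gpedit.msc pushed into the description column, unlike the other rows; check the cell boundaries. Minor typos: "on a device or multiple device", "allows you change the security configuration", and the missing period after "on your local device".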
@@ -0,0 +1,216 @@ +--- +title: Advanced security audit policy settings (Windows 10) +description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. +ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Advanced security audit policy settings + + +**Applies to** + +- Windows 10 + +This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. + +The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + +- A group administrator has modified settings or data on servers that contain finance information. + +- An employee within a defined group has accessed an important file. + +- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + +You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy. + +These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. 
+ +Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories: + +**Account Logon** + +Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories: + +- [Audit Credential Validation](audit-credential-validation.md) + +- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) + +- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) + +- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +**Account Management** + +The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories: + +- [Audit Application Group Management](audit-application-group-management.md) + +- [Audit Computer Account Management](audit-computer-account-management.md) + +- [Audit Distribution Group Management](audit-distribution-group-management.md) + +- [Audit Other Account Management Events](audit-other-account-management-events.md) + +- [Audit Security Group Management](audit-security-group-management.md) + +- [Audit User Account Management](audit-user-account-management.md) + +**Detailed Tracking** + +Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. 
This category includes the following subcategories: + +- [Audit DPAPI Activity](audit-dpapi-activity.md) + +- [Audit PNP activity](audit-pnp-activity.md) + +- [Audit Process Creation](audit-process-creation.md) + +- [Audit Process Termination](audit-process-termination.md) + +- [Audit RPC Events](audit-rpc-events.md) + +**DS Access** + +DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories: + +- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) + +- [Audit Directory Service Access](audit-directory-service-access.md) + +- [Audit Directory Service Changes](audit-directory-service-changes.md) + +- [Audit Directory Service Replication](audit-directory-service-replication.md) + +**Logon/Logoff** + +Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. 
This category includes the following subcategories: + +- [Audit Account Lockout](audit-account-lockout.md) + +- [Audit User/Device Claims](audit-user-device-claims.md) + +- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md) + +- [Audit Group Membership](audit-group-membership.md) + +- [Audit IPsec Main Mode](audit-ipsec-main-mode.md) + +- [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md) + +- [Audit Logoff](audit-logoff.md) + +- [Audit Logon](audit-logon.md) + +- [Audit Network Policy Server](audit-network-policy-server.md) + +- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +- [Audit Special Logon](audit-special-logon.md) + +**Object Access** + +Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. + +Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess). 
+ +This category includes the following subcategories: + +- [Audit Application Generated](audit-application-generated.md) + +- [Audit Certification Services](audit-certification-services.md) + +- [Audit Detailed File Share](audit-detailed-file-share.md) + +- [Audit File Share](audit-file-share.md) + +- [Audit File System](audit-file-system.md) + +- [Audit Filtering Platform Connection](audit-filtering-platform-connection.md) + +- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md) + +- [Audit Handle Manipulation](audit-handle-manipulation.md) + +- [Audit Kernel Object](audit-kernel-object.md) + +- [Audit Other Object Access Events](audit-other-object-access-events.md) + +- [Audit Registry](audit-registry.md) + +- [Audit Removable Storage](audit-removable-storage.md) + +- [Audit SAM](audit-sam.md) + +- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md) + +**Policy Change** + +Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories: + +- [Audit Audit Policy Change](audit-audit-policy-change.md) + +- [Audit Authentication Policy Change](audit-authentication-policy-change.md) + +- [Audit Authorization Policy Change](audit-authorization-policy-change.md) + +- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md) + +- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) + +- [Audit Other Policy Change Events](audit-other-policy-change-events.md) + +**Privilege Use** + +Permissions on a network are granted for users or computers to complete defined tasks. 
Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories: + +- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) + +- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) + +- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md) + +**System** + +System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories: + +- [Audit IPsec Driver](audit-ipsec-driver.md) + +- [Audit Other System Events](audit-other-system-events.md) + +- [Audit Security State Change](audit-security-state-change.md) + +- [Audit Security System Extension](audit-security-system-extension.md) + +- [Audit System Integrity](audit-system-integrity.md) + +**Global Object Access** + +Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type. + +Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect. + +Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access. 
+ +**Note**   +If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. + +  + +This category includes the following subcategories: + +- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) + +- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) + +  + +  + + + + + diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md new file mode 100644 index 0000000000..b63076029e --- /dev/null +++ b/windows/keep-secure/advanced-security-auditing-faq.md 
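Review bot: the **Account Logon** list includes [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md), which is the same entry that appears again under **Logon/Logoff**; the fourth Account Logon subcategory in Windows is Audit Other Account Logon Events, so this looks like a copy-paste slip and the link target should be checked. The **Object Access** paragraph links to `#bkmk-globalobjectaccess`, but "Global Object Access" is a bold paragraph rather than a heading and nothing in the file defines that anchor, so the link will not resolve; make it a heading or add an explicit anchor. Smaller fixes: "object Aaccess auditing subcategory" should be "Object Access auditing subcategory"; "computer system access control lists (SACLs)" in the Global Object Access paragraph should be "system access control lists (SACLs)"; and "on that computer" in the Detailed Tracking paragraph has no antecedent ("on a computer"). The non-breaking-space lines after the **Note** block and at the end of the file are conversion residue.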
@@ -0,0 +1,283 @@ +--- +title: Advanced security auditing FAQ (Windows 10) +description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Advanced security auditing FAQ + + +**Applies to** + +- Windows 10 + +This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + +- [What is Windows security auditing and why might I want to use it?](#bkmk-1) + +- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2) + +- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3) + +- [How are audit settings merged by Group Policy?](#bkmk-4) + +- [What is the difference between an object DACL and an object SACL?](#bkmk-14) + +- [Why are audit policies applied on a per-computer basis rather than per user?](#bkmk-13) + +- [What are the differences in auditing functionality between versions of Windows?](#bkmk-12) + +- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#bkmk-15) + +- [What is the difference between success and failure events? 
Is something wrong if I get a failure audit?](#bkmk-5) + +- [How can I set an audit policy that affects all objects on a computer?](#bkmk-6) + +- [How do I figure out why someone was able to access a resource?](#bkmk-7) + +- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#bkmk-8) + +- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#bkmk-19) + +- [How can I monitor if changes are made to audit policy settings?](#bkmk-10) + +- [How can I minimize the number of events that are generated?](#bkmk-16) + +- [What are the best tools to model and manage audit policy?](#bkmk-17) + +- [Where can I find information about all the possible events that I might receive?](#bkmk-11) + +- [Where can I find more detailed information?](#bkmk-18) + +## What is Windows security auditing and why might I want to use it? + + +Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. + +Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. + +## What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? + + +The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. 
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. + +There are a number of additional differences between the security audit policy settings in these two locations. + +There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + +In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. + +The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. 
The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. + +## What is the interaction between basic audit policy settings and advanced audit policy settings? + + +Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. + +Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. + +**Important**   +Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. 
+ +If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. + +  + +## How are audit settings merged by Group Policy? + + +By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. + +For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + +The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Auditing subcategorySetting configured in an OU GPO (higher priority)Setting configured in a domain GPO (lower priority)Resulting policy for the target computer

Detailed File Share Auditing

Success

Failure

Success

Process Creation Auditing

Disabled

Success

Disabled

Logon Auditing

Success

Failure

Failure

+ +  + +## What is the difference between an object DACL and an object SACL? + + +All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: + +- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access + +- A system access control list (SACL) that controls how access is audited + +The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access. + +If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. + +## Why are audit policies applied on a per-computer basis rather than per user? + + +In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. 
Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. + +In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user. + +However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + +## What are the differences in auditing functionality between versions of Windows? + + +Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. + +## Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? 
+ + +To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. + +## What is the difference between success and failure events? Is something wrong if I get a failure audit? + + +A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. + +A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully. + +The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password. + +## How can I set an audit policy that affects all objects on a computer? + + +System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. + +Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. 
If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. + +## How do I figure out why someone was able to access a resource? + + +Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. + +## How do I know when changes are made to access control settings, by whom, and what the changes were? + + +To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: + +- **Audit File System** subcategory: Enable for success, failure, or success and failure + +- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure + +- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor + +In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. + +## How can I roll back security audit policies from the advanced audit policy to the basic audit policy? + + +Applying advanced audit policy settings replaces any comparable basic security audit policy settings. 
If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: + +1. Set all Advanced Audit Policy subcategories to **Not configured**. + +2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller. + +3. Reconfigure and apply the basic audit policy settings. + +Unless you complete all of these steps, the basic audit policy settings will not be restored. + +## How can I monitor if changes are made to audit policy settings? + + +Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: + +- Permissions and audit settings on the audit policy object are changed + +- The system audit policy is changed + +- Security event sources are registered or unregistered + +- Per-user audit settings are changed + +- The value of **CrashOnAuditFail** is modified + +- Audit settings on a file or registry key are changed + +- A Special Groups list is changed + +## How can I minimize the number of events that are generated? + + +Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). + +## What are the best tools to model and manage audit policies? 
+ + +The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. + +On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policy–related management tasks. + +In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. + +## Where can I find information about all the possible events that I might receive? + + +Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources: + +- [Windows 8 and Windows Server 2012 Security Event Details](http://www.microsoft.com/download/details.aspx?id=35753) + +- [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780) + +- [Security Audit Events for Windows Server 2008 and Windows Vista](http://go.microsoft.com/fwlink/p/?linkid=121868) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +## Where can I find more detailed information? 
+ + +To learn more about security audit policies, see the following resources: + +- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) + +- [Security Monitoring and Attack Detection Planning Guide](http://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx) + +- [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780) + +- [Security Audit Events for Windows Server 2008 and Windows Vista](http://go.microsoft.com/fwlink/p/?LinkId=121868) + +  + +  + + + + + diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md new file mode 100644 index 0000000000..df557dbfd4 --- /dev/null +++ b/windows/keep-secure/advanced-security-auditing.md 
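Review bot: the version statements in this file disagree. The second question says the advanced settings "were introduced in Windows Vista and Windows Server 2008" and in the next sentence that they "can only be used on computers running Windows 7, Windows Server 2008, and later", while the versions question says Vista and Server 2008 support them only through logon scripts and Group Policy support arrived with Windows 7 and Windows Server 2008 R2; the first passage should say "Windows 7, Windows Server 2008 R2, and later" or qualify the Vista/2008 case. In the same section, "There are nine basic audit policy settings under ... and settings under **Advanced Audit Policy Configuration**" dropped the count of advanced settings; restore it. In the per-computer question, the example first says the SACL enables auditing "for a security group" and then refers to "members of the Payroll Processors OU"; a SACL entry names a security principal such as a group, not an OU, so use a group consistently, and "only actions ... generates audit events" should be "generate". Missing comma in "Windows Server 2012 Windows 7". The Group Policy merge table has been flattened to one cell per line in this hunk; a markdown pipe table would keep it reviewable and match the rest of the file. Headings "Can I use advanced audit policies from ..." and "What are the best tools to model and manage audit policies?" differ from their TOC entries ("advanced audit policy", "audit policy"); align them so the anchors and titles match.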
@@ -0,0 +1,65 @@ +--- +title: Advanced security audit policies (Windows 10) +description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. +ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Advanced security audit policies + + +**Applies to** + +- Windows 10 + +Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. + +When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)

This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.

[Advanced security auditing FAQ](advanced-security-auditing-faq.md)

This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.

[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)

This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.

[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)

This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md new file mode 100644 index 0000000000..5201d11f22 --- /dev/null +++ b/windows/keep-secure/allow-log-on-locally.md 
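Review bot: In advanced-security-auditing.md the introduction says the advanced settings "appear to overlap with basic security audit policies, but they are recorded and applied differently" without saying what happens when both basic and advanced settings are configured on the same computer; state which set takes precedence, otherwise an administrator reading this page cannot predict the effective policy that the Auditpol.exe comparison in the next paragraph refers to. Style: the "In this section" table is authored as raw HTML (colgroup markup and td cells) rather than pipe-table syntax, which makes the diff hard to review; a four-row markdown table would carry the same content.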
@@ -0,0 +1,185 @@ +--- +title: Allow log on locally (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. +ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Allow log on locally + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting. + +## Reference + + +This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller. + +**Note**   +Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right. + +  + +Constant: SeInteractiveLogonRight + +### Possible values + +- User-defined list of accounts + +- Not Defined + +By default, the members of the following groups have this right on workstations and servers: + +- Administrators + +- Backup Operators + +- Users + +By default, the members of the following groups have this right on domain controllers: + +- Account Operators + +- Administrators + +- Backup Operators + +- Print Operators + +- Server Operators + +### Best practices + +1. Restrict this user right to legitimate users who must log on to the console of the device. + +2. If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Account Operators

+

Administrators

+

Backup Operators

+

Print Operators

+

Server Operators

Stand-Alone Server Default Settings

Administrators

+

Backup Operators

+

Users

Domain Controller Effective Default Settings

Account Operators

+

Administrators

+

Backup Operators

+

Print Operators

+

Server Operators

Member Server Effective Default Settings

Administrators

+

Backup Operators

+

Users

Client Computer Effective Default Settings

Administrators

+

Backup Operators

+

Users

+ +  + +## Policy management + + +Restarting the device is not required to implement this change. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the default domain controller's policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices. + +If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the **Allowed logon locally** system right or grant the right to that user account. + +The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO). When you grant an account the **Allow logon locally** right, you are allowing that account to log on locally to all domain controllers in the domain. + +If the Users group is listed in the **Allow log on locally** setting for a GPO, all domain users can log on locally. The Users built-in group contains Domain Users as a member. + +### Group Policy + +Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
+ +### Vulnerability + +Any account with the **Allow log on locally** user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. + +### Countermeasure + +For domain controllers, assign the **Allow log on locally** user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. + +Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the **Deny log on locally** user right. + +### Potential impact + +If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Allow log on locally** user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR\_*<ComputerName>* account. You should confirm that delegated activities are not adversely affected by any changes that you make to the **Allow log on locally** user rights assignments. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md new file mode 100644 index 0000000000..81cc1e9800 --- /dev/null +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md 
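Review bot: The Reference section of allow-log-on-locally.md contradicts itself: the first paragraph says "Users must have this user right to log on over a Remote Desktop Services session", and the Note immediately below says users without this right "are still able to start a remote interactive session on the device if they have the Allow logon through Remote Desktop Services right"; keep only the Note's statement, or spell out which case each sentence covers. The right is also named three ways on this page ("Allow log on locally" in the title, then "Allowed logon locally" and "Allow logon locally" under Policy management); the bold setting name should match the title throughout so that readers searching the policy editor find it.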
@@ -0,0 +1,154 @@ +--- +title: Allow log on through Remote Desktop Services (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. +ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Allow log on through Remote Desktop Services + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting. + +## Reference + + +This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. + +Constant: SeRemoteInteractiveLogonRight + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

+

Remote Desktop Users

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

+

Remote Desktop Users

Client Computer Effective Default Settings

Administrators

+

Remote Desktop Users

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Group Policy + +To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server. + +To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right. + +For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md). + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. 
If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. + +### Countermeasure + +For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. + +**Caution**   +For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. + +  + +Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right. + +### Potential impact + +Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md new file mode 100644 index 0000000000..04cbfb9e54 --- /dev/null +++ b/windows/keep-secure/applocker-architecture-and-components.md 
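Review bot: The Vulnerability paragraph of allow-log-on-through-remote-desktop-services.md is carried over from the local-logon page and describes the wrong risk: it warns about users who "must log on to the console of the computer" right after the Reference section explained that a user can hold this right and still not be able to log on to the console; reword it around remote interactive sessions. Also fix "Remote Desktops Users group" under Default values to "Remote Desktop Users", "an Remote Desktop Services session" under Group Policy to "a Remote Desktop Services session", and drop the second copy of "It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server", which appears in both Reference and Group Policy.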
@@ -0,0 +1,48 @@ +--- +title: AppLocker architecture and components (Windows 10) +description: This topic for IT professional describes AppLocker’s basic architecture and its major components. +ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker architecture and components + + +**Applies to** + +- Windows 10 + +This topic for IT professional describes AppLocker’s basic architecture and its major components. + +AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions. + +AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy. + +**A new process is created** + +When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run. + +**A DLL is loaded** + +When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process. 
+ +**A script is run** + +Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log. + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md new file mode 100644 index 0000000000..70f5f69402 --- /dev/null +++ b/windows/keep-secure/applocker-functions.md 
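Review bot: The sentence "In each case, the actions taken by AppLocker are written to the event log" sits at the end of the "A script is run" paragraph in applocker-architecture-and-components.md but applies to all three interception paths described above it; move it into its own paragraph after the three paths so readers looking for the logging behaviour of process creation or DLL loads find it. The hunk also says there are "three ways to intercept" a file, yet the overview in this same patch lists Windows Installer files and packaged app installers among the controlled file types, so say where those are checked. Two wording fixes: "This topic for IT professional" should read "for the IT professional", and "for example. for .ps1 files the script host is PowerShell" has a period where a comma belongs.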
@@ -0,0 +1,104 @@ +--- +title: AppLocker functions (Windows 10) +description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. +ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker functions + + +**Applies to** + +- Windows 10 + +This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. + +## Functions + + +The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN: + +- [SaferGetPolicyInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159781) + +- [SaferCreateLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159782) + +- [SaferCloseLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159783) + +- [SaferIdentifyLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159784) + +- [SaferComputeTokenFromLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159785) + +- [SaferGetLevelInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159787) + +- [SaferRecordEventLogEntry Function](http://go.microsoft.com/fwlink/p/?LinkId=159789) + +- [SaferiIsExecutableFileType Function](http://go.microsoft.com/fwlink/p/?LinkId=159790) + +## Security level ID + + +AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Security level IDSRPAppLocker

SAFER_LEVELID_FULLYTRUSTED

Supported

Supported

SAFER_LEVELID_NORMALUSER

Supported

Not supported

SAFER_LEVELID_CONSTRAINED

Supported

Not supported

SAFER_LEVELID_UNTRUSTED

Supported

Not supported

SAFER_LEVELID_DISALLOWED

Supported

Supported

+ +  + +In addition, URL zone ID is not supported in AppLocker. + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md new file mode 100644 index 0000000000..1e78269e28 --- /dev/null +++ b/windows/keep-secure/applocker-overview.md 
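Review bot: The Functions list in applocker-functions.md promises "the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2", but all eight entries are Safer* functions and nothing marks which of them apply to AppLocker; either label each entry with the feature it belongs to or reword the introduction so it does not imply a separate AppLocker API. The closing sentence "In addition, URL zone ID is not supported in AppLocker" is orphaned below the security-level table and reads as an afterthought; attach it to the table as a note that says what a URL zone ID is in SRP terms, since the table is the only place the SRP/AppLocker support comparison is made.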
@@ -0,0 +1,241 @@ +--- +title: AppLocker (Windows 10) +description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. +ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker + + +**Applies to** + +- Windows 10 + +This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. + +AppLocker can help you: + +- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash. + +- Assign a rule to a security group or an individual user. + +- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe). + +- Use audit-only mode to deploy the policy and understand its impact before enforcing it. + +- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object. + +- Simplify creating and managing AppLocker rules by using Windows PowerShell. + +AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. 
AppLocker addresses the following app security scenarios: + +- **Application inventory** + + AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically. + +- **Protection against unwanted software** + + AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running. + +- **Licensing conformance** + + AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users. + +- **Software standardization** + + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + +- **Manageability improvement** + + AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies. + +## New and changed functionality + + +To find out what's new in AppLocker for Windows 10, see [What's new in AppLocker?](../whats-new/applocker.md) + +## When to use AppLocker + + +In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access. 
+ +However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. + +Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls. + +AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. + +The following are examples of scenarios in which AppLocker can be used: + +- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users. + +- An app is no longer supported by your organization, so you need to prevent it from being used by everyone. + +- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. + +- The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone. + +- A new app or a new version of an app is deployed, and you need to prevent users from running the old version. + +- Specific software tools are not allowed within the organization, or only specific users should have access to those tools. + +- A single user or small group of users needs to use a specific app that is denied for all others. 
+ +- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps. + +- In addition to other measures, you need to control the access to sensitive data through app usage. + +AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. + +## System requirements + + +AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). + +AppLocker rules can be created on domain controllers. + +## Installing AppLocker + + +AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). + +**Note**   +The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature. + +  + +### Using AppLocker on Server Core + +AppLocker on Server Core installations is not supported. + +### Virtualization considerations + +You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. 
However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails. + +### Security considerations + +Application control policies specify which apps are allowed to run on the local computer. + +The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer. + +The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers. + +A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. + +For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). + +When you use AppLocker to create application control policies, you should be aware of the following security considerations: + +- Who has the rights to set AppLocker policies? + +- How do you validate that the policies are enforced? + +- What events should you audit? + +For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDefault value

Accounts created

None

Authentication method

Not applicable

Management interfaces

AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell

Ports opened

None

Minimum privileges required

Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects.

Protocols used

Not applicable

Scheduled Tasks

Appidpolicyconverter.exe is put in a scheduled task to be run on demand.

Security Policies

None required. AppLocker creates security policies.

System Services required

Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation.

Storage of credentials

None

+ +  + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Administer AppLocker](administer-applocker.md)

This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.

[AppLocker design guide](applocker-policies-design-guide.md)

This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.

[AppLocker deployment guide](applocker-policies-deployment-guide.md)

This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.

[AppLocker technical reference](applocker-technical-reference.md)

This overview topic for IT professionals provides links to the topics in the technical reference.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md new file mode 100644 index 0000000000..4f51483547 --- /dev/null +++ b/windows/keep-secure/applocker-policies-deployment-guide.md 
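Review bot: Under System requirements in applocker-overview.md the one-line paragraph "AppLocker rules can be created on domain controllers." stands without context after a paragraph about supported editions and Group Policy; say whether it is a requirement, a recommendation or a caution, and relate it to the Installing AppLocker section below, which says rules for a group of computers are authored in a GPO through the GPMC. "AppLocker is included with enterprise-level editions of Windows" should name the editions or point at the Requirements to use AppLocker topic already linked above. Grammar in the same hunk: "The variety of forms that malicious software can take make it difficult" should be "makes"; "available in client computers running Windows only by installing" should be "on client computers"; "On computer running Windows Server" should be "On computers"; and "revoked or it is expired" should be "revoked or has expired".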
@@ -0,0 +1,103 @@ +--- +title: AppLocker deployment guide (Windows 10) +description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. +ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker deployment guide + + +**Applies to** + +- Windows 10 + +This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. + +This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change. + +This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). 
+ +## Prerequisites to deploying AppLocker policies + + +The following are prerequisites or recommendations to deploying policies: + +- Understand the capabilities of AppLocker: + + - [AppLocker](applocker-overview.md) + +- Document your application control policy deployment plan by addressing these tasks: + + - [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) + + - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) + + - [Determine your application control objectives](determine-your-application-control-objectives.md) + + - [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) + + - [Select types of rules to create](select-types-of-rules-to-create.md) + + - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + + - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + + - [Create your AppLocker planning document](create-your-applocker-planning-document.md) + +## Contents of this guide + + +This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)

This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.

[Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)

This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.

[Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)

This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.

[Create Your AppLocker policies](create-your-applocker-policies.md)

This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.

[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)

This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md new file mode 100644 index 0000000000..13f4d2f528 --- /dev/null +++ b/windows/keep-secure/applocker-policies-design-guide.md @@ -0,0 +1,83 @@ +--- +title: AppLocker design guide (Windows 10) +description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. +ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker design guide + + +**Applies to** + +- Windows 10 + +This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. + +This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group. + +This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md). + +To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
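Review bot: the link text in the applocker-policies-deployment-guide.md prerequisites list and "In this section" table does not match the titles of the target topics as they appear in the neighbouring design-guide hunk: "Create list of apps deployed to each business group" versus "Create a list of apps deployed to each business group", "Determine Group Policy Structure and rule enforcement" versus "Determine the Group Policy structure and rule enforcement", and the in-text link "Using Software Restriction Policies and AppLocker policies" versus the table row "Use Software Restriction Policies and AppLocker policies". "Create Your AppLocker policies" and "Requirements for Deploying AppLocker Policies" are also title case while every other row is sentence case. Suggest copying each link's text from the target topic's title so readers can match them.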
TopicDescription

[Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)

This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.

[Determine your application control objectives](determine-your-application-control-objectives.md)

This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.

[Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)

This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.

[Select the types of rules to create](select-types-of-rules-to-create.md)

This topic lists resources you can use when selecting your application control policy rules by using AppLocker.

[Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

This overview topic describes the process to follow when you are planning to deploy AppLocker rules.

[Plan for AppLocker policy management](plan-for-applocker-policy-management.md)

This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.

[Create your AppLocker planning document](create-your-applocker-planning-document.md)

This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.

+ +  + +After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md new file mode 100644 index 0000000000..6420217c2e --- /dev/null +++ b/windows/keep-secure/applocker-policy-use-scenarios.md 
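Review bot: in applocker-policies-design-guide.md the description for the "Plan for AppLocker policy management" row reads "This topic for describes the decisions you need to make", which is missing words; every other row uses "This topic for the IT professional describes ...", so suggest "This topic for the IT professional describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies."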
@@ -0,0 +1,82 @@ +--- +title: AppLocker policy use scenarios (Windows 10) +description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. +ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker policy use scenarios + + +**Applies to** + +- Windows 10 + +This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. + +AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows: + +1. **App inventory** + + AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access. + +2. **Protection against unwanted software** + + AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails. + +3. **Licensing conformance** + + AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements. + +4. **Software standardization** + + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + +5. 
**Manageability improvement** + + AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. + +### Use scenarios + +The following are examples of scenarios in which AppLocker can be used: + +- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage. + +- The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed. + +- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software. + +- An app is no longer supported by your organization, so you need to prevent it from being used by everyone. + +- Your organization needs to restrict the use of Universal Windows apps to just those your organization approves of or develops. + +- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. + +- The license to an app has been revoked or is expired in your organization, so you need to prevent it from being used by everyone. + +- A new app or a new version of an app is deployed, and you need to allow certain groups to use it. + +- Specific software tools are not allowed within the organization, or only specific users have access to those tools. + +- A single user or small group of users needs to use a specific app that is denied for all others. 
+ +- Some computers in your organization are shared by people who have different software usage needs. + +- In addition to other measures, you need to control the access to sensitive data through app usage. + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md new file mode 100644 index 0000000000..65ed48a32a --- /dev/null +++ b/windows/keep-secure/applocker-processes-and-interactions.md 
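Review bot: in applocker-policy-use-scenarios.md, the sentence under "Protection against unwanted software" ("If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails") is only true when the rule collection for that file type contains rules and is enforced; the processes-and-interactions topic added in this same change states that enforcement is applied per collection and that each collection functions as an allowed list, so a collection with no rules blocks nothing. Suggest qualifying the sentence, for example "... fails, provided the rule collection for that file type contains at least one rule and is set to enforce."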
@@ -0,0 +1,127 @@ +--- +title: AppLocker processes and interactions (Windows 10) +description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. +ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker processes and interactions + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. + +## How policies are implemented by AppLocker + + +AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure. + +The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary—even if product or binary names are empty—to the results pane of the Local Security Policy snap-in. + +AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information: + +- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form). + +- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.) + +- The rule condition containing the **appid** attributes. 
+ +For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*"). + +An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made. + +### Understanding AppLocker rules + +An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files: + +- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications. + +- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js. + +- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, mst and .msp (Windows Installer patch). + +- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx. + +- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension. + +There are three different types of conditions that can be applied to rules: + +- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed. + +- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories. + +- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes. 
+ + + +- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) + + An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps. + +- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + + Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + + - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) + + - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) + + - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. + + - [Executable rules in AppLocker](executable-rules-in-applocker.md) + + - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) + + - [Script rules in AppLocker](script-rules-in-applocker.md) + + - [DLL rules in AppLocker](dll-rules-in-applocker.md) + + - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) + +- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) + + You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. 
If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset. + +- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md) + + Each AppLocker rule collection functions as an allowed list of files. + +### Understanding AppLocker policies + +An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers. + +- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) + + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. + +### Understanding AppLocker and Group Policy + +Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies. + +- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) + + When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. 
AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied. + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md new file mode 100644 index 0000000000..03daf2f9c0 --- /dev/null +++ b/windows/keep-secure/applocker-settings.md @@ -0,0 +1,79 @@ +--- +title: AppLocker settings (Windows 10) +description: This topic for the IT professional lists the settings used by AppLocker. +ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker settings + + +**Applies to** + +- Windows 10 + +This topic for the IT professional lists the settings used by AppLocker. + +The following table describes the settings and values used by AppLocker. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
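Review bot: several inconsistencies in applocker-processes-and-interactions.md. First, "run files with matching encrypted hashes" should read "matching file hashes": a hash is a computed digest, not an encrypted value, and the rest of the topic calls this condition "file hash". Second, the "Understand AppLocker enforcement settings" paragraph says AppLocker divides the rules into four collections (executable files, Windows Installer files, scripts, DLL files), while the "Understanding AppLocker rules" list and the rule-collections bullet above it both name five, including packaged apps and packaged app installers; reconcile the two. Third, the text under "Understanding AppLocker rule exceptions" describes applying rules to users and groups, not exceptions, so it appears to belong to a different topic. Finally, the Windows Installer bullet lists ".msi, mst and .msp"; "mst" is missing its leading dot.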
SettingValue

Registry path

Policies are stored in \HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2

Firewall ports

Not applicable

Security policies

Custom created, no default

Group Policy settings

Custom created, no default

Network ports

Not applicable

Service accounts

Not applicable

Performance counters

Not applicable

+ +  + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md new file mode 100644 index 0000000000..417a1e29d0 --- /dev/null +++ b/windows/keep-secure/applocker-technical-reference.md @@ -0,0 +1,89 @@ +--- +title: AppLocker technical reference (Windows 10) +description: This overview topic for IT professionals provides links to the topics in the technical reference. +ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# AppLocker technical reference + + +**Applies to** + +- Windows 10 + +This overview topic for IT professionals provides links to the topics in the technical reference. + +AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
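Review bot: in applocker-settings.md the registry path is written "\HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2", with a leading backslash and a mixed-case hive name; suggest "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2" so it can be pasted into regedit or a script as written.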
TopicDescription

[What Is AppLocker?](what-is-applocker.md)

This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.

[Requirements to use AppLocker](requirements-to-use-applocker.md)

This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.

[AppLocker policy use scenarios](applocker-policy-use-scenarios.md)

This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.

[How AppLocker works](how-applocker-works-techref.md)

This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.

[AppLocker architecture and components](applocker-architecture-and-components.md)

This topic for IT professional describes AppLocker’s basic architecture and its major components.

[AppLocker processes and interactions](applocker-processes-and-interactions.md)

This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.

[AppLocker functions](applocker-functions.md)

This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.

[Security considerations for AppLocker](security-considerations-for-applocker.md)

This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.

[Tools to Use with AppLocker](tools-to-use-with-applocker.md)

This topic for the IT professional describes the tools available to create and administer AppLocker policies.

[AppLocker Settings](applocker-settings.md)

This topic for the IT professional lists the settings used by AppLocker.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md new file mode 100644 index 0000000000..23a70a9f8c --- /dev/null +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md 
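Review bot: in applocker-technical-reference.md the "AppLocker architecture and components" row reads "This topic for IT professional describes", missing "the" ("This topic for the IT professional describes"). The link text "What Is AppLocker?", "Tools to Use with AppLocker" and "AppLocker Settings" is title case while the other rows are sentence case, and the applocker-settings.md topic added in this same change is titled "AppLocker settings"; suggest matching the target titles.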
@@ -0,0 +1,55 @@ +--- +title: Apply a basic audit policy on a file or folder (Windows 10) +description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. +ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Apply a basic audit policy on a file or folder + + +**Applies to** + +- Windows 10 + +You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. + +To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right. + +**To apply or modify auditing policy settings for a local file or folder** + +1. 2.Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab. +2. Click **Advanced**. +3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**. +4. Do one of the following: + - To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**. + - To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure. + - To view or change auditing for an existing group or user, click its name, and then click **Edit.** + +5. 
In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes: + - To audit successful events, click **Success.** + - To audit failure events, click **Fail.** + - To audit all events, click **All.** + +**Important**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. + +  + +## Additional considerations + + +- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes. +- You can set up file and folder auditing only on NTFS drives. +- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. + +  + +  + + + + + diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md new file mode 100644 index 0000000000..0731e562be --- /dev/null +++ b/windows/keep-secure/audit-account-lockout.md 
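Review bot: in apply-a-basic-audit-policy-on-a-file-or-folder.md the first step of the procedure reads "1. 2.Right-click the file or folder", so a stray "2." will render inside step 1; remove it. In the same procedure the closing periods in "**Edit.**", "**Success.**", "**Fail.**" and "**All.**" sit inside the bold UI labels although they are not part of the label text; move them outside, as in "click **Edit**."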
@@ -0,0 +1,62 @@ +--- +title: Audit Account Lockout (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. +ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Account Lockout + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. + +If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts. + +Account lockout events are essential for understanding user activity and detecting potential attacks. + +Event volume: Low + +Default setting: Success + + ++++ + + + + + + + + + + + + +
Event IDEvent message

4625

An account failed to log on.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md new file mode 100644 index 0000000000..5fac3e3ba7 --- /dev/null +++ b/windows/keep-secure/audit-application-generated.md @@ -0,0 +1,77 @@ +--- +title: Audit Application Generated (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). +ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Application Generated + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). + +The following events can generate audit activity: + +- Creation, deletion, or initialization of an application client context + +- Application operations + +Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application. + +Event volume: Depends on the installed app's use of the Windows Auditing APIs + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
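Review bot: in audit-account-lockout.md the label "Default setting: Success" differs from the "Default:" label used by the other audit subcategory topics in this change; align them. The sentence "Success audits record successful attempts and failure audits record unsuccessful attempts" also reads as template text here, since the only event in the table is 4625, "An account failed to log on"; suggest stating which audit type produces that event for this subcategory.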
Event IDEvent message

4665

An attempt was made to create an application client context.

4666

An application attempted an operation:

4667

An application client context was deleted.

4668

An application was initialized.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md new file mode 100644 index 0000000000..1dbeea62df --- /dev/null +++ b/windows/keep-secure/audit-application-group-management.md @@ -0,0 +1,99 @@ +--- +title: Audit Application Group Management (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. +ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Application Group Management + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed. + +Application group management tasks include: + +- An application group is created, changed, or deleted. + +- A member is added to or removed from an application group. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4783

A basic application group was created.

+

4784

A basic application group was changed.

+

4785

A member was added to a basic application group.

+

4786

A member was removed from a basic application group.

+

4787

A non-member was added to a basic application group.

+

4788

A non-member was removed from a basic application group.

+

4789

A basic application group was deleted.

+

4790

An LDAP query group was created.

+

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md new file mode 100644 index 0000000000..70984b9dcc --- /dev/null +++ b/windows/keep-secure/audit-audit-policy-change.md 
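Review bot: in audit-application-group-management.md the event table is incomplete or the intro overstates it. The bullet says an application group "is created, changed, or deleted" is audited, and the basic application group rows bear that out (4783 created, 4784 changed, 4789 deleted), but the LDAP query group gets a single row, 4790 "An LDAP query group was created.", with no change or delete counterpart. Either add the missing LDAP query group rows or say in the text why only creation is listed for that group type; as written, someone building a detection on "application group deleted" will cover only basic groups.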
@@ -0,0 +1,126 @@ +--- +title: Audit Audit Policy Change (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. +ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Audit Policy Change + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy. + +Changes to audit policy that are audited include: + +- Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**). + +- Changing the system audit policy. + +- Registering and unregistering security event sources. + +- Changing per-user audit settings. + +- Changing the value of **CrashOnAuditFail**. + +- Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key). + + **Note**   + SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. + +   + +- Changing anything in the Special Groups list. + +**Important**   +Changes to the audit policy are critical security events. + +  + +Event volume: Low + +Default: Success + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4715

The audit policy (SACL) on an object was changed.

4719

System audit policy was changed.

4817

Auditing settings on an object were changed.

+
+Note   +

This event is logged only on computers running the supported versions of the Windows operating system.

+
+
+  +

4902

The Per-user audit policy table was created.

4904

An attempt was made to register a security event source.

4905

An attempt was made to unregister a security event source.

4906

The CrashOnAuditFail value has changed.

4907

Auditing settings on object were changed.

4908

Special Groups Logon table modified.

4912

Per User Audit Policy was changed.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md new file mode 100644 index 0000000000..ead3ed4c81 --- /dev/null +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md 
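Review bot: in audit-audit-policy-change.md the note under event 4817, "This event is logged only on computers running the supported versions of the Windows operating system.", carries no information on a page whose only "Applies to" entry is Windows 10; either name the minimum OS version that emits 4817 or drop the note. In the same table, 4817 "Auditing settings on an object were changed." and 4907 "Auditing settings on object were changed." are indistinguishable as written; add a phrase to each row saying which kind of audit-setting change it records so a reader knows which ID to key on. The bullet "Changing permissions and audit settings on the audit policy object (by using auditpol /set /sd)" is the only list item that names a tool, so it would help to say in the table which event that command produces.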
@@ -0,0 +1,253 @@ +--- +title: Audit Audit the access of global system objects (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. +ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit: Audit the access of global system objects + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting. + +## Reference + + +If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited. + +Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created. + +The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. 
For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low. + +Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, it is unlikely that many organizations could benefit from enabling this policy setting. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +### Auditing + +To audit attempts to access global system objects, you can use one of two security audit policy settings: + +- [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access + +- [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy + +If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate. + +If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +  + +If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

560

Access was granted to an already existing object.

562

A handle to an object was closed.

563

An attempt was made to open an object with the intent to delete it.

+
+Note   +

This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().

+
+
+  +

564

A protected object was deleted.

565

Access was granted to an already existing object type.

567

A permission associated with a handle was used.

+
+Note   +

A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.

+
+
+  +

569

The resource manager in Authorization Manager attempted to create a client context.

570

A client attempted to access an object.

+
+Note   +

An event will be generated for every attempted operation on the object.

+
+
+  +
+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A globally visible named object, if incorrectly secured, could be acted upon by malicious software by using the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low. + +### Countermeasure + +Enable the **Audit: Audit the access of global system objects** setting. + +### Potential impact + +If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting are not likely to have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting. + +To reduce the number of audit events generated, use the advanced audit policy. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md new file mode 100644 index 0000000000..ab4fd042a3 --- /dev/null 
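Review bot: in audit-audit-the-access-of-global-system-objects.md the sentence "These objects all have a security descriptor; but typically, they do not have a NULL SACL." contradicts the text around it: the opening paragraph says enabling the setting causes "a default system access control list (SACL)" to be applied when these objects are created, and the very next sentence says the kernel "assigns a SACL to these objects when they are created" only if the policy is enabled. That only makes sense if the objects normally have a NULL SACL, so "do not" should be removed. Two smaller points in the same file: the second event table is introduced with the same sentence as the first, "If the Audit Kernel Object setting is configured, the following events are generated.", yet the paragraph above offers two settings and the second table's IDs (560 through 570) are a different series from the first table's (4659 through 4663), so the second lead-in should name the basic "Audit object access" setting, and the three-digit IDs should be confirmed as still emitted on Windows 10 since every other table in this change uses four-digit IDs; and "Createfile()" in the note under 563 should read "CreateFile()".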
+++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -0,0 +1,134 @@ +--- +title: Audit Audit the use of Backup and Restore privilege (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. +ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit: Audit the use of Backup and Restore privilege + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting. + +## Reference + + +The **Audit: Audit the use of Backup and Restore privilege** policy setting determines whether to audit the use of all user rights, including Backup and Restore, when the **Audit privilege use** policy setting is configured. Enabling both policy settings generates an audit event for every file that is backed up or restored. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Set **Audit: Audit the use of Backup and Restore privilege** to Disabled. Enabling this policy setting can generate a large number of security events, which might cause servers to respond slowly and force the security event log to record numerous events of little significance. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Auditing + +Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited. + +Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. + +Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When the backup and restore function is used, it creates a copy of the file system that is identical to the target of the backup. Making regular backup and restore volumes is an important part of your incident response plan. However, a malicious user could use a legitimate backup copy to gain access to information or to impersonate a legitimate network resource to compromise your enterprise. + +### Countermeasure + +Enable the **Audit: Audit the use of Backup and Restore privilege** setting. 
Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner. + +For more information about configuring this key, see Microsoft Knowledge Base article [100879](http://go.microsoft.com/fwlink/p/?LinkId=100879). + +### Potential impact + +If you enable this policy setting, a large number of security events could be generated, which could cause servers to respond slowly and force the security event log to record numerous events of little significance. If you increase the security event log size to reduce the chances of a system shutdown, an excessively large log file may affect system performance. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md new file mode 100644 index 0000000000..2a5dc7e290 --- /dev/null +++ b/windows/keep-secure/audit-authentication-policy-change.md 
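Review bot: in audit-audit-the-use-of-backup-and-restore-privilege.md the Countermeasure section has a referent problem: "Alternatively, implement automatic log backup by configuring the AutoBackupLogFiles registry key." is immediately followed by "If you enable this option when the Audit privilege use setting is also enabled, an audit event is generated for every file that is backed up or restored.", but the second sentence describes enabling the policy setting, not the registry key, so "this option" now points at AutoBackupLogFiles, which as described only backs up the log and audits nothing. Move the AutoBackupLogFiles sentence and its link after the auditing sentence, or rephrase to "If you enable this policy setting when...". Also, the reference "Microsoft Knowledge Base article 100879" uses the same number as the fwlink LinkId in the URL; please confirm the KB article number is really 100879 and not just the redirect ID.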
@@ -0,0 +1,116 @@ +--- +title: Audit Authentication Policy Change (Windows 10) +description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. +ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Authentication Policy Change + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy. + +Changes made to authentication policy include: + +- Creation, modification, and removal of forest and domain trusts. + +- Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. + + **Note**   + The audit event is logged when the policy is applied, not when settings are modified by the administrator. + +   + +- When any of the following user rights is granted to a user or group: + + - **Access this computer from the network** + + - **Allow logon locally** + + - **Allow logon through Remote Desktop** + + - **Logon as a batch job** + + - **Logon as a service** + +- Namespace collision, such as when an added trust collides with an existing namespace name. + +This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups. + +Event volume: Low + +Default: Success + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4713

Kerberos policy was changed.

4716

Trusted domain information was modified.

4717

System security access was granted to an account.

4718

System security access was removed from an account.

4739

Domain Policy was changed.

4864

A namespace collision was detected.

4865

A trusted forest information entry was added.

4866

A trusted forest information entry was removed.

4867

A trusted forest information entry was modified.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md new file mode 100644 index 0000000000..0194d0a071 --- /dev/null +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -0,0 +1,79 @@ +--- +title: Audit Authorization Policy Change (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. +ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Authorization Policy Change + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. + +Authorization policy changes that can be audited include: + +- Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory. + +- Changing the Encrypting File System (EFS) policy. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4704

A user right was assigned.

4705

A user right was removed.

4706

A new trust was created to a domain.

4707

A trust to a domain was removed.

4714

Encrypted data recovery policy was changed.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md new file mode 100644 index 0000000000..61ee3a28e8 --- /dev/null +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -0,0 +1,57 @@ +--- +title: Audit Central Access Policy Staging (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. +ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Central Access Policy Staging + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy. + +Event volume: Medium + +Default: Not configured + + ++++ + + + + + + + + + + + + +
Event IDEvent message

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md new file mode 100644 index 0000000000..ea8af0a656 --- /dev/null +++ b/windows/keep-secure/audit-certification-services.md 
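Review bot: in audit-central-access-policy-staging.md the description "which determines permissions on a Central Access Policy" misstates what the subcategory does. The only event listed, 4818 "Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy", shows that it audits cases where a staged (proposed) policy would yield a different access result than the policy in force; it does not set permissions. Suggest "which determines whether the operating system generates audit events when a proposed Central Access Policy would grant access that differs from the current Central Access Policy". This file is also the only subcategory page in the change with no explanatory paragraph between the description and "Event volume: Medium", and the 4818 message lacks the terminating period every other table uses.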
@@ -0,0 +1,203 @@ +--- +title: Audit Certification Services (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. +ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Certification Services + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. + +Examples of AD CS operations include: + +- AD CS starts, shuts down, is backed up, or is restored. + +- Certificate revocation list (CRL)-related tasks are performed. + +- Certificates are requested, issued, or revoked. + +- Certificate manager settings for AD CS are changed. + +- The configuration and properties of the certification authority (CA) are changed. + +- AD CS templates are modified. + +- Certificates are imported. + +- A CA certificate is published to Active Directory Domain Services. + +- Security permissions for AD CS role services are modified. + +- Keys are archived, imported, or retrieved. + +- The OCSP Responder Service is started or stopped. + +Monitoring these operational events is important to ensure that AD CS role services are functioning properly. + +Event volume: Low to medium on servers that host AD CS role services + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4868

The certificate manager denied a pending certificate request.

4869

Certificate Services received a resubmitted certificate request.

4870

Certificate Services revoked a certificate.

4871

Certificate Services received a request to publish the certificate revocation list (CRL).

4872

Certificate Services published the certificate revocation list (CRL).

4873

A certificate request extension changed.

4874

One or more certificate request attributes changed.

4875

Certificate Services received a request to shut down.

4876

Certificate Services backup started.

4877

Certificate Services backup completed.

4878

Certificate Services restore started.

4879

Certificate Services restore completed.

4880

Certificate Services started.

4881

Certificate Services stopped.

4882

The security permissions for Certificate Services changed.

4883

Certificate Services retrieved an archived key.

4884

Certificate Services imported a certificate into its database.

4885

The audit filter for Certificate Services changed.

4886

Certificate Services received a certificate request.

4887

Certificate Services approved a certificate request and issued a certificate.

4888

Certificate Services denied a certificate request.

4889

Certificate Services set the status of a certificate request to pending.

4890

The certificate manager settings for Certificate Services changed.

4891

A configuration entry changed in Certificate Services.

4892

A property of Certificate Services changed.

4893

Certificate Services archived a key.

4894

Certificate Services imported and archived a key.

4895

Certificate Services published the CA certificate to Active Directory Domain Services.

4896

One or more rows have been deleted from the certificate database.

4897

Role separation enabled:

4898

Certificate Services loaded a template.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md new file mode 100644 index 0000000000..a461349a08 --- /dev/null +++ b/windows/keep-secure/audit-computer-account-management.md @@ -0,0 +1,67 @@ +--- +title: Audit Computer Account Management (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. +ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Computer Account Management + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. + +This policy setting is useful for tracking account-related changes to computers that are members of a domain. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4741

A computer account was created.

4742

A computer account was changed.

4743

A computer account was deleted.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md new file mode 100644 index 0000000000..3a0818f62d --- /dev/null +++ b/windows/keep-secure/audit-credential-validation.md @@ -0,0 +1,82 @@ +--- +title: Audit Credential Validation (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. +ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Credential Validation + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. + +These events occur on the computer that is authoritative for the credentials as follows: + +- For domain accounts, the domain controller is authoritative. + +- For local accounts, the local computer is authoritative. + +Event volume: High on domain controllers + +Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events. + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4774

An account was mapped for logon.

+

4775

An account could not be mapped for logon.

+

4776

The domain controller attempted to validate the credentials for an account.

+

4777

The domain controller failed to validate the credentials for an account.

+

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md new file mode 100644 index 0000000000..058f7ae1f1 --- /dev/null +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -0,0 +1,87 @@ +--- +title: Audit Detailed Directory Service Replication (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. +ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Detailed Directory Service Replication + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. + +This audit subcategory can be useful to diagnose replication issues. + +Event volume: These events can create a very high volume of event data. + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4928

An Active Directory replica source naming context was established.

4929

An Active Directory replica source naming context was removed.

4930

An Active Directory replica source naming context was modified.

4931

An Active Directory replica destination naming context was modified.

4934

Attributes of an Active Directory object were replicated.

4935

Replication failure begins.

4936

Replication failure ends.

4937

A lingering object was removed from a replica.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md new file mode 100644 index 0000000000..fc3a48ffb3 --- /dev/null +++ b/windows/keep-secure/audit-detailed-file-share.md @@ -0,0 +1,64 @@ +--- +title: Audit Detailed File Share (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. +ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Detailed File Share + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder. + +The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. + +**Note**   +There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. + +  + +Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy + +Default: Not configured + + ++++ + + + + + + + + + + + + +
Event IDEvent message

5145

A network share object was checked to see whether the client can be granted desired access.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md new file mode 100644 index 0000000000..5977f8db1c --- /dev/null +++ b/windows/keep-secure/audit-directory-service-access.md @@ -0,0 +1,64 @@ +--- +title: Audit Directory Service Access (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. +ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Directory Service Access + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. + +These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems. + +**Important**   +Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings. + +  + +Event volume: High on servers running AD DS role services; none on client computers + +Default: Not configured + + ++++ + + + + + + + + + + + + +
Event IDEvent message

4662

An operation was performed on an object.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md new file mode 100644 index 0000000000..5eb81446dc --- /dev/null +++ b/windows/keep-secure/audit-directory-service-changes.md 
@@ -0,0 +1,94 @@ +--- +title: Audit Directory Service Changes (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). +ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Directory Service Changes + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). + +The types of changes that are reported are: + +- Create + +- Delete + +- Modify + +- Move + +- Undelete + +Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. + +**Important**   +Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. + +  + +This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy. + +Event volume: High on domain controllers; none on client computers + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

5136

A directory service object was modified.

5137

A directory service object was created.

5138

A directory service object was undeleted.

5139

A directory service object was moved.

5141

A directory service object was deleted.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md new file mode 100644 index 0000000000..c316768163 --- /dev/null +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -0,0 +1,61 @@ +--- +title: Audit Directory Service Replication (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. +ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Directory Service Replication + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. + +Event volume: Medium on domain controllers; none on client computers + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent message

4932

Synchronization of a replica of an Active Directory naming context has begun.

4933

Synchronization of a replica of an Active Directory naming context has ended.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md new file mode 100644 index 0000000000..7dcf6a5049 --- /dev/null +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -0,0 +1,122 @@ +--- +title: Audit Distribution Group Management (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. +ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Distribution Group Management + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks. + +Tasks for distribution-group management that can be audited include: + +- A distribution group is created, changed, or deleted. + +- A member is added to or removed from a distribution group. + +This subcategory to which this policy belongs is logged only on domain controllers. + +**Note**   +Distribution groups cannot be used to manage access control permissions. + +  + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4744

A security-disabled local group was created.

4745

A security-disabled local group was changed.

4746

A member was added to a security-disabled local group.

4747

A member was removed from a security-disabled local group.

4748

A security-disabled local group was deleted.

4749

A security-disabled global group was created.

4750

A security-disabled global group was changed.

4751

A member was added to a security-disabled global group.

4752

A member was removed from a security-disabled global group.

4753

A security-disabled global group was deleted.

4759

A security-disabled universal group was created.

4760

A security-disabled universal group was changed.

4761

A member was added to a security-disabled universal group.

4762

A member was removed from a security-disabled universal group.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md new file mode 100644 index 0000000000..310cb480c6 --- /dev/null +++ b/windows/keep-secure/audit-dpapi-activity.md @@ -0,0 +1,74 @@ +--- +title: Audit DPAPI Activity (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). +ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit DPAPI Activity + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). + +DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720). + +Event volume: Low + +Default: Not configured + +If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4692

Backup of data protection master key was attempted.

4693

Recovery of data protection master key was attempted.

4694

Protection of auditable protected data was attempted.

4695

Unprotection of auditable protected data was attempted.

+ +  + +## Related resource + + +[Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md new file mode 100644 index 0000000000..9eb592c046 --- /dev/null +++ b/windows/keep-secure/audit-file-share.md @@ -0,0 +1,89 @@ +--- +title: Audit File Share (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. +ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit File Share + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed. + +Audit events are not generated when shares are created, deleted, or when share permissions change. + +**Note**   +There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. + +  + +Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. + +Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing) + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

5140

A network share object was accessed.

+
+Note   +

This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

+
+
+  +

5142

A network share object was added.

5143

A network share object was modified.

5144

A network share object was deleted.

5168

SPN check for SMB/SMB2 failed.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md new file mode 100644 index 0000000000..66dfba0a30 --- /dev/null +++ b/windows/keep-secure/audit-file-system.md 
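Review bot: The statement "Audit events are not generated when shares are created, deleted, or when share permissions change" in audit-file-share.md contradicts the event table in the same file, which lists 5142 "A network share object was added", 5143 "A network share object was modified" and 5144 "A network share object was deleted". One of the two is wrong; if the table is authoritative, delete the sentence or reword it to say exactly which share changes are and are not covered. The note under 5140 also names "Windows Server 2016 Technical Preview" and several older platforms while the Applies to list names only Windows 10; keep the two consistent.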
@@ -0,0 +1,74 @@ +--- +title: Audit File System (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. +ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit File System + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects. + +Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. + +If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. + +These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. + +Event volume: Varies, depending on how file system SACLs are configured + +No audit events are generated for the default file system SACLs. + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4664

An attempt was made to create a hard link.

4985

The state of a transaction has changed.

5051

A file was virtualized.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md new file mode 100644 index 0000000000..eac628b63b --- /dev/null +++ b/windows/keep-secure/audit-filtering-platform-connection.md 
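Review bot: In audit-file-system.md the prose promises "an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL", but none of the three events listed (4664 hard link, 4985 transaction state, 5051 file virtualized) describes an object access, so the table does not back the central claim of the topic. Verify that the table is complete for this subcategory and add the access events, or state that only the listed events are documented here.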
@@ -0,0 +1,105 @@ +--- +title: Audit Filtering Platform Connection (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. +ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Filtering Platform Connection + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. + +Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + +This security policy enables you to audit the following types of actions: + +- The Windows Firewall service blocks an application from accepting incoming connections on the network. + +- The Windows Filtering Platform allows or blocks a connection. + +- The Windows Filtering Platform permits or blocks a bind to a local port. + +- The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port. + +Event volume: High + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network.

5140

A network share object was accessed.

5150

The Windows Filtering Platform blocked a packet.

5151

A more restrictive Windows Filtering Platform filter has blocked a packet.

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

5156

The Windows Filtering Platform has allowed a connection.

5157

The Windows Filtering Platform has blocked a connection.

5158

The Windows Filtering Platform has permitted a bind to a local port.

5159

The Windows Filtering Platform has blocked a bind to a local port.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md new file mode 100644 index 0000000000..2390c68fdd --- /dev/null +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -0,0 +1,65 @@ +--- +title: Audit Filtering Platform Packet Drop (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. +ms.assetid: 95457601-68d1-4385-af20-87916ddab906 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Filtering Platform Packet Drop + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. + +Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + +A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network. + +Event volume: High + +Default setting: Not configured + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent message

5152

The Windows Filtering Platform blocked a packet.

5153

A more restrictive Windows Filtering Platform filter has blocked a packet.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md new file mode 100644 index 0000000000..98335becd4 --- /dev/null +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md 
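Review bot: audit-filtering-platform-packet-drop.md uses "Default setting: Not configured" where every sibling topic uses "Default: Not configured"; use the same label. More importantly, its two events 5152 and 5153 carry exactly the same message text ("The Windows Filtering Platform blocked a packet." and "A more restrictive Windows Filtering Platform filter has blocked a packet.") as 5150 and 5151 in audit-filtering-platform-connection.md; a sentence explaining which subcategory yields which ID is needed, otherwise a defender tuning for dropped-packet alerts cannot tell which setting to enable.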
@@ -0,0 +1,239 @@ +--- +title: Audit Filtering Platform Policy Change (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. +ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Filtering Platform Policy Change + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. + +Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + +This security policy setting determines whether the operating system generates audit events for: + +- IPsec services status. + +- Changes to IPsec settings. + +- Status and changes to the Windows Filtering Platform engine and providers. + +- IPsec Policy Agent service activities. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4709

IPsec Services was started.

4710

IPsec Services was disabled.

4711

May contain any one of the following:

+
    +
  • PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

  • +
  • PAStore Engine applied Active Directory storage IPsec policy on the computer.

  • +
  • PAStore Engine applied local registry storage IPsec policy on the computer.

  • +
  • PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

  • +
  • PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

  • +
  • PAStore Engine failed to apply local registry storage IPsec policy on the computer.

  • +
  • PAStore Engine failed to apply some rules of the active IPsec policy on the computer.

  • +
  • PAStore Engine failed to load directory storage IPsec policy on the computer.

  • +
  • PAStore Engine loaded directory storage IPsec policy on the computer.

  • +
  • PAStore Engine failed to load local storage IPsec policy on the computer.

  • +
  • PAStore Engine loaded local storage IPsec policy on the computer.

  • +
  • PAStore Engine polled for changes to the active IPsec policy and detected no changes.

  • +

4712

IPsec Services encountered a potentially serious failure.

5040

A change has been made to IPsec settings. An Authentication Set was added.

5041

A change has been made to IPsec settings. An Authentication Set was modified.

5042

A change has been made to IPsec settings. An Authentication Set was deleted.

5043

A change has been made to IPsec settings. A Connection Security Rule was added.

5044

A change has been made to IPsec settings. A Connection Security Rule was modified.

5045

A change has been made to IPsec settings. A Connection Security Rule was deleted.

5046

A change has been made to IPsec settings. A Crypto Set was added.

5047

A change has been made to IPsec settings. A Crypto Set was modified.

5048

A change has been made to IPsec settings. A Crypto Set was deleted.

5440

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

5443

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

5446

A Windows Filtering Platform callout has been changed.

5448

A Windows Filtering Platform provider has been changed.

5449

A Windows Filtering Platform provider context has been changed.

5450

A Windows Filtering Platform sub-layer has been changed.

5456

PAStore Engine applied Active Directory storage IPsec policy on the computer.

5457

PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

5458

PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

5459

PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

5460

PAStore Engine applied local registry storage IPsec policy on the computer.

5461

PAStore Engine failed to apply local registry storage IPsec policy on the computer.

5462

PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

5463

PAStore Engine polled for changes to the active IPsec policy and detected no changes.

5464

PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.

5465

PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.

5466

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

5467

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

5468

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

5471

PAStore Engine loaded local storage IPsec policy on the computer.

5472

PAStore Engine failed to load local storage IPsec policy on the computer.

5473

PAStore Engine loaded directory storage IPsec policy on the computer.

5474

PAStore Engine failed to load directory storage IPsec policy on the computer.

5477

PAStore Engine failed to add quick mode filter.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md new file mode 100644 index 0000000000..4ebdec9654 --- /dev/null +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md 
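Review bot: The 4711 row in audit-filtering-platform-policy-change.md renders its "May contain any one of the following" list with empty bullet markers between the items (the stray "•" lines), which indicates the nested list markup inside the table cell is malformed; rebuild it as a plain list. All twelve of those sub-messages also appear as their own events further down (5456 through 5463 and 5471 through 5474), so say whether 4711 is an aggregate of those or a legacy ID; as written the reader cannot tell which ID to expect. Minor: 5462 carries the extra sentence "Use the IP Security Monitor snap-in to diagnose the problem." while the matching 4711 bullet does not.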
@@ -0,0 +1,143 @@ +--- +title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. +ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. + +## Reference + + +You can manage your audit policy in a more precise way by using audit policy subcategories. + +There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + +### Possible values + +- Enabled + +- Disabled + +### Best practices + +- Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +### Auditing + +To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. + +If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set. + +### Command-line tools + +You can use auditpol.exe to display and manage audit policies from a command prompt. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events, and the key information that needed to be audited was difficult to find. + +### Countermeasure + +Enable audit policy subcategories as needed to track specific events. + +### Potential impacts + +If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. 
To modify audit settings by using Group Policy, you must first disable the **SCENoApplyLegacyAuditPolicy** key. + +**Important**   +Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance. + +  + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md new file mode 100644 index 0000000000..d135909f8c --- /dev/null +++ b/windows/keep-secure/audit-group-membership.md 
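Review bot: the Auditing paragraph in the audit-policy-subcategory-settings.md hunk names the SCENoApplyLegacyAuditPolicy registry value without giving its path or the data that enables the behaviour, and the same item is called a "registry value" there but a "key" in the Potential impacts paragraph ("you must first disable the SCENoApplyLegacyAuditPolicy key"); state the full path and required data once and use one term throughout. The sentence "the SCENoApplyLegacyAuditPolicy registry value , prevents the application" also has a stray space before the comma, and the comma itself separates subject from verb and should be removed.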
@@ -0,0 +1,67 @@ +--- +title: Audit Group Membership (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. +ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Group Membership + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC. + +This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. + +For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. + +**Note**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. + +  + +Multiple events are generated if the group membership information cannot fit in a single security audit event + +Event volume: High + +Default: Not configured + + ++++ + + + + + + + + + + + + +
Event IDEvent message

4627

Group membership information.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md new file mode 100644 index 0000000000..e54f17a6f2 --- /dev/null +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -0,0 +1,72 @@ +--- +title: Audit Handle Manipulation (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. +ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Handle Manipulation + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed. + +Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL. + +**Important**   +Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md). + +  + +Event volume: High, depending on how SACLs are configured + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4656

A handle to an object was requested.

4658

The handle to an object was closed.

4690

An attempt was made to duplicate a handle to an object.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md new file mode 100644 index 0000000000..8945926bb1 --- /dev/null +++ b/windows/keep-secure/audit-ipsec-driver.md 
@@ -0,0 +1,115 @@ +--- +title: Audit IPsec Driver (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. +ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit IPsec Driver + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver. + +The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver: + +- Startup and shutdown of IPsec services. + +- Packets dropped due to integrity-check failure. + +- Packets dropped due to replay-check failure. + +- Packets dropped due to being in plaintext. + +- Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.) + +- Failure to process IPsec filters. + +A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems. + +Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. + +Event volume: Medium + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4960

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

4961

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

4962

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

4963

IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

4965

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

5478

IPsec Services has started successfully.

5479

IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5480

IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

5483

IPsec Services failed to initialize RPC server. IPsec Services could not be started.

5484

IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5485

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md new file mode 100644 index 0000000000..22d1af6a85 --- /dev/null +++ b/windows/keep-secure/audit-ipsec-extended-mode.md 
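Review bot: the bullet list in the audit-ipsec-driver.md hunk says "Packets dropped due to being in plaintext" while the matching event 4963 in the table says "IPsec dropped an inbound clear text packet"; use one term so a reader can map each bullet to its event. Events 4961 and 4962 also open with the identical sentence "IPsec dropped an inbound packet that failed a replay check", so the second sentence of 4962 (the too-low sequence number) is the only thing that distinguishes them and should not be trimmed in a later edit.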
@@ -0,0 +1,127 @@ +--- +title: Audit IPsec Extended Mode (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. +ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit IPsec Extended Mode + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. + +IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. + +AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. + +Event volume: High + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4978

During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

4979

IPsec Main Mode and Extended Mode security associations were established.

+
+Note   +

This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information.

+
+
+  +

4980

IPsec Main Mode and Extended Mode security associations were established.

+
+Note   +

This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information:

+
+
+  +

4981

IPsec Main Mode and Extended Mode security associations were established.

+
+Note   +

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information.

+
+
+  +

4982

IPsec Main Mode and Extended Mode security associations were established.

+
+Note   +

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.

+
+
+  +

4983

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

+
+Note   +

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information.

+
+
+  +

4984

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

+
+Note   +

This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.

+
+
+  +
+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md new file mode 100644 index 0000000000..fb2d8b42d3 --- /dev/null +++ b/windows/keep-secure/audit-ipsec-main-mode.md 
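Review bot: in the audit-ipsec-extended-mode.md table, events 4979, 4980, 4981 and 4982 all carry the identical message "IPsec Main Mode and Extended Mode security associations were established", so the only thing that tells them apart is the note under each row; consider moving the distinguishing detail (for example whether certificate categories are present) into the message column. The note for 4980 also has a period where a comma belongs ("Main Mode Remote Endpoint. Main Mode Cryptographic Information") and ends with a colon that introduces nothing.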
@@ -0,0 +1,109 @@ +--- +title: Audit IPsec Main Mode (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. +ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit IPsec Main Mode + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. + +IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. + +AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. + +Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities. 
+ +Event volume: High + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4646

Security ID: %1

4650

An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.

4651

An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.

4652

An IPsec Main Mode negotiation failed.

+
+Note   +

This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information.

+
+
+  +

4653

An IPsec Main Mode negotiation failed.

+
+Note   +

This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.

+
+
+  +

4655

An IPsec Main Mode security association ended.

4976

During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

5049

An IPsec Security Association was deleted.

5453

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md new file mode 100644 index 0000000000..dbbd645b9e --- /dev/null +++ b/windows/keep-secure/audit-ipsec-quick-mode.md 
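Review bot: event 4646 in the audit-ipsec-main-mode.md table has "Security ID: %1" as its message, which is an unexpanded message-template field rather than a description of the event; replace it with a sentence describing what the event records, or drop the row if the event does not belong in this subcategory.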
@@ -0,0 +1,71 @@ +--- +title: Audit IPsec Quick Mode (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. +ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit IPsec Quick Mode + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. + +IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. + +AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. + +Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. 
A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange. + +Event volume: High + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4977

During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

5451

An IPsec Quick Mode security association was established.

5452

An IPsec Quick Mode security association ended.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md new file mode 100644 index 0000000000..aaa0076939 --- /dev/null +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -0,0 +1,68 @@ +--- +title: Audit Kerberos Authentication Service (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. +ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Kerberos Authentication Service + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. + +If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts. + +Event volume: High on Kerberos Key Distribution Center servers + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4768

A Kerberos authentication ticket (TGT) was requested.

4771

Kerberos preauthentication failed.

4772

A Kerberos authentication ticket request failed.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md new file mode 100644 index 0000000000..ccd1d1a83b --- /dev/null +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -0,0 +1,68 @@ +--- +title: Audit Kerberos Service Ticket Operations (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. +ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Kerberos Service Ticket Operations + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests. + +Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity. + +Event volume: + +- High on a domain controller that is in a Key Distribution Center (KDC) + +- Low on domain members + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent message

4769

A Kerberos service ticket was requested.

4770

A Kerberos service ticket was renewed.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md new file mode 100644 index 0000000000..8eec2824ea --- /dev/null +++ b/windows/keep-secure/audit-kernel-object.md @@ -0,0 +1,79 @@ +--- +title: Audit Kernel Object (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. +ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Kernel Object + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. + +Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. + +Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled. + +**Note**   +The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects. + +  + +Event volume: High if you have enabled one of the Global Object Access Auditing settings + +Default setting: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md new file mode 100644 index 0000000000..fca6ed6c10 --- /dev/null +++ b/windows/keep-secure/audit-logoff.md @@ -0,0 +1,71 @@ +--- +title: Audit Logoff (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. +ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Logoff + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated. + +These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. + +**Note**   +There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. + +  + +Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. + +Event volume: Low + +Default: Success + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent message

4634

An account was logged off.

4647

User initiated logoff.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md new file mode 100644 index 0000000000..581f4860fe --- /dev/null +++ b/windows/keep-secure/audit-logon.md 
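Review bot: in the audit-logoff.md hunk, the Note ("There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record") and the later paragraph ("the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated") make the same point; merge them into one statement. The sentence "Logon events are essential to understanding user activity and detecting potential attacks" also appears unchanged in a Logoff topic; either say "Logon and logoff events" or drop it here.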
@@ -0,0 +1,82 @@ +--- +title: Audit Logon (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. +ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Logon + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer. + +These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. + +The following events are recorded: + +- Logon success and failure. + +- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command. + +- Security identifiers (SIDs) are filtered. + +Logon events are essential to tracking user activity and detecting potential attacks. + +Event volume: Low on a client computer; medium on a domain controller or network server + +Default: Success for client computers; success and failure for servers + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4624

An account was successfully logged on.

4625

An account failed to log on.

4648

A logon was attempted using explicit credentials.

4675

SIDs were filtered.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md new file mode 100644 index 0000000000..f448d5882b --- /dev/null +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md 
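Review bot: the bullet "Security identifiers (SIDs) are filtered." in the audit-logon.md hunk is the only list item with no explanation, unlike the explicit-credentials bullet that describes scheduled tasks and Runas; add a sentence saying what SID filtering means so the reader can interpret event 4675 ("SIDs were filtered.") in the table below.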
@@ -0,0 +1,125 @@ +--- +title: Audit MPSSVC Rule-Level Policy Change (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). +ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit MPSSVC Rule-Level Policy Change + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). + +The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include: + +- Active policies when the Windows Firewall service starts. + +- Changes to Windows Firewall rules. + +- Changes to the Windows Firewall exception list. + +- Changes to Windows Firewall settings. + +- Rules ignored or not applied by the Windows Firewall service. + +- Changes to Windows Firewall Group Policy settings. + +Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4944

The following policy was active when the Windows Firewall started.

4945

A rule was listed when the Windows Firewall started.

4946

A change has been made to Windows Firewall exception list. A rule was added.

4947

A change has been made to Windows Firewall exception list. A rule was modified.

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

4949

Windows Firewall settings were restored to the default values.

4950

A Windows Firewall setting has changed.

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall.

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

4953

A rule has been ignored by Windows Firewall because it could not parse the rule.

4954

Windows Firewall Group Policy settings have changed. The new settings have been applied.

4956

Windows Firewall has changed the active profile.

4957

Windows Firewall did not apply the following rule:

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
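Review bot: In audit-mpssvc-rule-level-policy-change.md the summaries for 4957 and 4958 end in a colon ("Windows Firewall did not apply the following rule:") with the rule details cut off; either include the rule fields the event carries or end the summary at "rule". The table would also benefit from one sentence after it: 4951, 4952, 4953, 4957 and 4958 all mean a firewall rule was ignored or not applied, which is the condition an operator most needs to catch, so a recommendation to enable Success auditing here would give "Event volume: Low" and "Default: Not configured" a practical follow-up.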

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md new file mode 100644 index 0000000000..0901a69905 --- /dev/null +++ b/windows/keep-secure/audit-network-policy-server.md @@ -0,0 +1,91 @@ +--- +title: Audit Network Policy Server (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). +ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Network Policy Server + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). + +NAP events can be used to help understand the overall health of the network. + +Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers + +Default: Success and failure + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

6272

Network Policy Server granted access to a user.

6273

Network Policy Server denied access to a user.

6274

Network Policy Server discarded the request for a user.

6275

Network Policy Server discarded the accounting request for a user.

6276

Network Policy Server quarantined a user.

6277

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

6278

Network Policy Server granted full access to a user because the host met the defined health policy.

6279

Network Policy Server locked the user account due to repeated failed authentication attempts.

6280

Network Policy Server unlocked the user account.
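Review bot: In audit-network-policy-server.md the volume line "moderate on other servers or on client computers" does not match the table, where every event (6272 through 6280) is emitted by Network Policy Server itself; a computer that is not running NPS should not produce them at all, so drop that clause or state the volume as none off NPS. The description lists Grant, Deny, Discard, Quarantine, Lock and Unlock, but the table also has 6277 (probation) and 6278 (full access after the health check); add those outcomes so description and table agree.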

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md new file mode 100644 index 0000000000..ac2879b686 --- /dev/null +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md 
@@ -0,0 +1,129 @@ +--- +title: Audit Non-Sensitive Privilege Use (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. +ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Non-Sensitive Privilege Use + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. + +The following privileges are non-sensitive: + +- **Access Credential Manager as a trusted caller** + +- **Access this computer from the network** + +- **Add workstations to domain** + +- **Adjust memory quotas for a process** + +- **Allow log on locally** + +- **Allow log on through Terminal Services** + +- **Bypass traverse checking** + +- **Change the system time** + +- **Create a page file** + +- **Create global objects** + +- **Create permanent shared objects** + +- **Create symbolic links** + +- **Deny access to this computer from the network** + +- **Deny log on as a batch job** + +- **Deny log on as a service** + +- **Deny log on locally** + +- **Deny log on through Terminal Services** + +- **Force shutdown from a remote system** + +- **Increase a process working set** + +- **Increase scheduling priority** + +- **Lock pages in memory** + +- **Log on as a batch job** + +- **Log on as a service** + +- **Modify an object label** + +- **Perform volume maintenance tasks** + +- **Profile single process** + +- **Profile system performance** + +- **Remove computer from docking station** + +- **Shut down the system** + +- **Synchronize directory service data** + +If you 
configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts. + +Event volume: Very high + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.
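Review bot: In audit-non-sensitive-privilege-use.md, 4672 "Special privileges assigned to new logon" looks out of place in a table for non-sensitive privileges; verify whether that event belongs in the Sensitive Privilege Use topic and only 4673 and 4674 should remain here. The privilege list also mixes rights that are exercised constantly (Bypass traverse checking, Access this computer from the network) with rights used rarely, and "Event volume: Very high" gives no guidance; a sentence saying that enabling Success here fills the Security log quickly and is normally reserved for short troubleshooting windows would help.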

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md new file mode 100644 index 0000000000..36d1c35cf5 --- /dev/null +++ b/windows/keep-secure/audit-other-account-logon-events.md 
@@ -0,0 +1,116 @@ +--- +title: Audit Other Account Logon Events (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. +ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other Account Logon Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. + +Examples can include the following: + +- Remote Desktop session disconnections + +- New Remote Desktop sessions + +- Locking and unlocking a workstation + +- Invoking a screen saver + +- Dismissing a screen saver + +- Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice + + **Note**   + This condition could be caused by a network misconfiguration. + +   + +- Access to a wireless network granted to a user or computer account + +- Access to a wired 802.1x network granted to a user or computer account + +Event volume: Varies, depending on system use + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.
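Review bot: In audit-other-account-logon-events.md the example list and the entire event table (4649, 4778, 4779, 4800 through 4803, 5378, 5632, 5633) are the same ten events that audit-other-logonlogoff-events.md later in this patch documents, yet this topic's own description says it covers responses to credential requests that are not credential validation or Kerberos tickets. Workstation lock, screen saver and Remote Desktop session events are logon/logoff activity rather than account logon activity, so this table appears to have been copied from the wrong subcategory; confirm which events, if any, this subcategory emits and replace the table accordingly.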

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md new file mode 100644 index 0000000000..78a7da62bd --- /dev/null +++ b/windows/keep-secure/audit-other-account-management-events.md 
@@ -0,0 +1,74 @@ +--- +title: Audit Other Account Management Events (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. +ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other Account Management Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events. + +Events can be generated for user account management auditing when: + +- The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data. + +- The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied. + +- Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. + +**Note**   +These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator. + +  + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent Message Summary

4782

The password hash for an account was accessed.

4793

The Password Policy Checking API was called.
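Review bot: In audit-other-account-management-events.md the third bullet (changes under Password Policy or Account Lockout Policy, logged when domain policy is applied) has no matching row in the event table, which lists only 4782 and 4793; add the event ID that policy application produces or remove the bullet and its Note. The column header "Event Message Summary" also differs from the "Event message" header used by every other topic in the patch.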

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md new file mode 100644 index 0000000000..c38d1fcc1a --- /dev/null +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -0,0 +1,109 @@ +--- +title: Audit Other Logon/Logoff Events (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. +ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other Logon/Logoff Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events. + +These other logon or logoff events include: + +- A Remote Desktop session connects or disconnects. + +- A workstation is locked or unlocked. + +- A screen saver is invoked or dismissed. + +- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. + +- A user is granted access to a wireless network. It can either be a user account or the computer account. + +- A user is granted access to a wired 802.1x network. It can either be a user account or the computer account. + +Logon events are essential to understanding user activity and detecting potential attacks. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.
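Review bot: In audit-other-logonlogoff-events.md "Event volume: Low" contradicts audit-other-account-logon-events.md earlier in the patch, which gives "Varies, depending on system use" for the identical event table; pick one. The bullet list also omits 5378 "The requested credentials delegation was disallowed by policy", which is in the table and is the one event here that records a policy decision rather than a user action, so it deserves its own bullet.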

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md new file mode 100644 index 0000000000..4998656c13 --- /dev/null +++ b/windows/keep-secure/audit-other-object-access-events.md @@ -0,0 +1,121 @@ +--- +title: Audit Other Object Access Events (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. +ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other Object Access Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. + +For scheduler jobs, the following actions are audited: + +- Job created. + +- Job deleted. + +- Job enabled. + +- Job disabled. + +- Job updated. + +For COM+ objects, the following actions are audited: + +- Catalog object added. + +- Catalog object updated. + +- Catalog object deleted. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4671

An application attempted to access a blocked ordinal through the TBS.

4691

Indirect access to an object was requested.

4698

A scheduled task was created.

4699

A scheduled task was deleted.

4700

A scheduled task was enabled.

4701

A scheduled task was disabled.

4702

A scheduled task was updated.

5148

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

5149

The DoS attack has subsided and normal processing is being resumed.

5888

An object in the COM+ Catalog was modified.

5889

An object was deleted from the COM+ Catalog.

5890

An object was added to the COM+ Catalog.
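Review bot: In audit-other-object-access-events.md the description limits the subcategory to Task Scheduler jobs and COM+ objects, but the table also carries 4671 (blocked TBS ordinal), 4691 (indirect access to an object) and 5148/5149 (Windows Filtering Platform entering and leaving DoS defensive mode); extend the intro to cover these or explain why they are listed. The bullets "Job enabled", "Job disabled" and "Job updated" map to 4700, 4701 and 4702, which use "scheduled task" wording; using the event wording in the bullets would make the mapping obvious.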

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md new file mode 100644 index 0000000000..33f1800b16 --- /dev/null +++ b/windows/keep-secure/audit-other-policy-change-events.md @@ -0,0 +1,119 @@ +--- +title: Audit Other Policy Change Events (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. +ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other Policy Change Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. + +These other activities in the Policy Change category that can be audited include: + +- Trusted Platform Module (TPM) configuration changes. + +- Kernel-mode cryptographic self tests. + +- Cryptographic provider operations. + +- Cryptographic context operations or modifications. + +Event volume: Low + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4670

Permissions on an object were changed.

4909

The local policy settings for the TBS were changed.

4910

The group policy settings for the TBS were changed.

5063

A cryptographic provider operation was attempted.

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

5447

A Windows Filtering Platform filter has been changed.

6144

Security policy in the group policy objects has been applied successfully.

6145

One or more errors occurred while processing security policy in the group policy objects.
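Review bot: In audit-other-policy-change-events.md the bullet list and the table disagree in both directions: "Kernel-mode cryptographic self tests" has no event in the table, while 4670 (permissions on an object changed), 5447 (Windows Filtering Platform filter changed) and 6144/6145 (security policy in GPOs applied or failed) appear in the table with no bullet. 6145 is a failure to apply security policy and is worth calling out explicitly. "TBS" in 4909 and 4910 should be expanded (TPM Base Services) on first use so readers connect it to the TPM bullet.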

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md new file mode 100644 index 0000000000..65b5146b7b --- /dev/null +++ b/windows/keep-secure/audit-other-privilege-use-events.md @@ -0,0 +1,32 @@ +--- +title: Audit Other Privilege Use Events (Windows 10) +description: This security policy setting is not used. +ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other Privilege Use Events + + +**Applies to** + +- Windows 10 + +This security policy setting is not used. + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md new file mode 100644 index 0000000000..9b5457b2a3 --- /dev/null +++ b/windows/keep-secure/audit-other-system-events.md 
@@ -0,0 +1,154 @@ +--- +title: Audit Other System Events (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. +ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Other System Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events. + +The system events in this category include: + +- Startup and shutdown of the Windows Firewall service and driver. + +- Security policy processing by the Windows Firewall service. + +- Cryptography key file and migration operations. + +**Important**   +Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats. + +  + +Event volume: Low + +Default: Success and failure + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

5024

The Windows Firewall Service has started successfully.

5025

The Windows Firewall Service has been stopped.

5027

The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

5028

The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

5029

The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

5030

The Windows Firewall Service failed to start.

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5033

The Windows Firewall Driver has started successfully.

5034

The Windows Firewall Driver has been stopped.

5035

The Windows Firewall Driver failed to start.

5037

The Windows Firewall Driver detected critical runtime error. Terminating.

5058

Key file operation.

5059

Key migration operation.

6400

BranchCache: Received an incorrectly formatted response while discovering availability of content.

6401

BranchCache: Received invalid data from a peer. Data discarded.

6402

BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

6403

BranchCache: The hosted cache sent an incorrectly formatted response to the client.

6404

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

6405

BranchCache: %2 instance(s) of event id %1 occurred.

6406

%1 registered to Windows Firewall to control filtering for the following: %2

6407

1%

6408

Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
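Review bot: In audit-other-system-events.md the message for 6407 is "1%", which reads as a mangled "%1" placeholder, and 6405, 6406 and 6408 carry raw %1/%2 format tokens where every other topic gives a plain-language summary; replace these with descriptive text (for example, a third-party product registering to control Windows Firewall filtering, and that product failing). The intro bullets cover only the firewall service and driver lifecycle, policy processing and key operations, so the BranchCache events 6400 through 6405 and the product-registration events 6406 through 6408 need a bullet. 5037 is also missing an article ("detected a critical runtime error").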

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md new file mode 100644 index 0000000000..c36f2bb35f --- /dev/null +++ b/windows/keep-secure/audit-pnp-activity.md @@ -0,0 +1,61 @@ +--- +title: Audit PNP Activity (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. +ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit PNP Activity + + +**Applies to** + +- Windows 10 + +\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] + +This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device. + +A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered. + +Event volume: Varies, depending on how the computer is used + +Default: Not configured + + ++++ + + + + + + + + + + + + +
Event IDEvent message

6416

A new external device was recognized by the system.
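Review bot: In audit-pnp-activity.md the bracketed notice about apps calling APIs from Windows 10 Anniversary SDK Preview Build 14295 not being accepted into the Windows Store is app-developer boilerplate with no bearing on an audit policy setting; replace it with a short note on which Windows 10 release introduced the setting, or drop it. The ms.assetid here (and in audit-removable-storage.md) is uppercase while every other new file in the patch uses lowercase GUIDs, and "plug and play" in the description should be capitalized as Plug and Play to match the title.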

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md new file mode 100644 index 0000000000..c955e349c7 --- /dev/null +++ b/windows/keep-secure/audit-policy.md @@ -0,0 +1,56 @@ +--- +title: Audit Policy (Windows 10) +description: Provides information about basic audit policies that are available in Windows and links to information about each setting. +ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Policy + + +**Applies to** + +- Windows 10 + +Provides information about basic audit policies that are available in Windows and links to information about each setting. + +The security audit policy settings under **Security Settings\\Local Policies\\Audit Policy** provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings. + +The basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** are: + +[Audit account logon events](basic-audit-account-logon-events.md) + +[Audit account management](basic-audit-account-management.md) + +[Audit directory service access](basic-audit-directory-service-access.md) + +[Audit logon events](basic-audit-logon-events.md) + +[Audit object access](basic-audit-object-access.md) + +[Audit policy change](basic-audit-policy-change.md) + +[Audit privilege use](basic-audit-privilege-use.md) + +[Audit process tracking](basic-audit-process-tracking.md) + +[Audit system events](basic-audit-system-events.md) + +## Related topics + + +[Configure security policy settings](how-to-configure-security-policy-settings.md) + +[Security auditing](security-auditing-overview.md) + +  + +  + + + + + 
diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md new file mode 100644 index 0000000000..217836dc17 --- /dev/null +++ b/windows/keep-secure/audit-process-creation.md @@ -0,0 +1,64 @@ +--- +title: Audit Process Creation (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). +ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Process Creation + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts). + +These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process. + +Event volume: Low to medium, depending on system usage + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent message

4688

A new process has been created.

4696

A primary token was assigned to a process.
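Review bot: In audit-process-creation.md (and in the process termination and registry topics that follow) "Applies to" lists Windows 10 Mobile, while the other subcategory topics in this patch list Windows 10 only; confirm whether Mobile support is specific to these three or the other topics are missing it. "Information includes the name of the program or the user that created the process" reads as if only one of the two is recorded; if 4688 carries both, say "and", since correlating program and creating account is what makes the event useful for tracking activity.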

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md new file mode 100644 index 0000000000..ac362e72be --- /dev/null +++ b/windows/keep-secure/audit-process-termination.md @@ -0,0 +1,64 @@ +--- +title: Audit Process Termination (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. +ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Process Termination + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process. + +Success audits record successful attempts and Failure audits record unsuccessful attempts. + +If you do not configure this policy setting, no audit event is generated when a process ends. + +This policy setting can help you track user activity and understand how the computer is used. + +Event volume: Varies, depending on how the computer is used + +Default: Not configured + + ++++ + + + + + + + + + + + + +
Event IDEvent message

4689

A process has exited.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md new file mode 100644 index 0000000000..f8c60d1b1f --- /dev/null +++ b/windows/keep-secure/audit-registry.md @@ -0,0 +1,66 @@ +--- +title: Audit Registry (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. +ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Registry + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects. + +Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. + +If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. + +Event volume: Low to medium, depending on how registry SACLs are configured + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + +
Event IDEvent message

4657

A registry value was modified.

5039

A registry key was virtualized.
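Review bot: In audit-registry.md the two paragraphs describe access attempts evaluated against the object's SACL, with success and failure auditing of each access, but the table lists only 4657 (a value was modified) and 5039 (a key was virtualized), neither of which is the access-attempt event the text describes; check whether the handle-request and object-access events belong here (audit-removable-storage.md later in the patch lists 4656 and 4663 with an Object Type field) and add the rows, or narrow the description to what the two listed events cover.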

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md new file mode 100644 index 0000000000..6046b1b29c --- /dev/null +++ b/windows/keep-secure/audit-removable-storage.md @@ -0,0 +1,140 @@ +--- +title: Audit Removable Storage (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines . +ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Removable Storage + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines . + +Event volume: + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4663

An attempt was made to access an object.

+

Subject:

+

Security ID: %1

+

Account Name: %2

+

Account Domain: %3

+

Logon ID: %4

+

Object:

+

Object Server: %5

+

Object Type: %6

+

Object Name: %7

+

Handle ID: %8

+

Process Information:

+

Process ID: %11

+

Process Name: %12

+

Access Request Information:

+

Accesses: %9

+

Access Mask: %10

4659

A handle to an object was requested with intent to delete.

+

Subject:

+

Security ID: %1

+

Account Name: %2

+

Account Domain: %3

+

Logon ID: %4

+

Object:

+

Object Server: %5

+

Object Type: %6

+

Object Name: %7

+

Handle ID: %8

+

Process Information:

+

Process ID: %13

+

Access Request Information:

+

Transaction ID: %9

+

Accesses: %10

+

Access Mask: %11

+

Privileges Used for Access Check: %12

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

+

Subject:

+

Security ID: %1

+

Account Name: %2

+

Account Domain: %3

+

Logon ID: %4

+

Object:

+

Object Server: %5

+

Object Type: %6

+

Object Name: %7

+

Handle ID: %8

+

Process Information:

+

Process ID: %9

+

Process Name: %10

+

Current Central Access Policy results:

+

Access Reasons: %11

+

Proposed Central Access Policy results that differ from the current Central Access Policy results:

+

Access Reasons: %12

4656

A handle to an object was requested.

+

Subject:

+

Security ID: %1

+

Account Name: %2

+

Account Domain: %3

+

Logon ID: %4

+

Object:

+

Object Server: %5

+

Object Type: %6

+

Object Name: %7

+

Handle ID: %8

+

Resource Attributes: %17

+

Process Information:

+

Process ID: %15

+

Process Name: %16

+

Access Request Information:

+

Transaction ID: %9

+

Accesses: %10

+

Access Reasons: %11

+

Access Mask: %12

+

Privileges Used for Access Check: %13

+

Restricted SID Count: %14

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md new file mode 100644 index 0000000000..de4ec1bad5 --- /dev/null +++ b/windows/keep-secure/audit-rpc-events.md @@ -0,0 +1,59 @@ +--- +title: Audit RPC Events (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. +ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit RPC Events + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. + +RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx). + +Event volume: High on RPC servers + +Default: Not configured + + ++++ + + + + + + + + + + + + +
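Review bot: the description in audit-removable-storage.md is incomplete, both in the front matter and in the opening body paragraph, which end with "which determines ." and never say what the subcategory determines; the "Event volume:" line is blank as well. Both should be filled in before this merges (sibling topics such as Audit Registry give the full sentence and a volume rating). The event table also embeds full message templates with raw `%1`…`%17` placeholders for 4663, 4659, 4818 and 4656, whereas the other new topics in this change list only the one-line summary per event ID; either trim these rows to the summary line or explain what the placeholders denote.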
Event IDEvent message

5712

A Remote Procedure Call (RPC) was attempted.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md new file mode 100644 index 0000000000..9afb708e33 --- /dev/null +++ b/windows/keep-secure/audit-sam.md 
@@ -0,0 +1,98 @@ +--- +title: Audit SAM (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. +ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit SAM + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. + +The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. + +SAM objects include the following: + +- SAM\_ALIAS: A local group + +- SAM\_GROUP: A group that is not a local group + +- SAM\_USER: A user account + +- SAM\_DOMAIN: A domain + +- SAM\_SERVER: A computer account + +If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts. + +**Note**   +Only the SACL for SAM\_SERVER can be modified. + +  + +Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. + +Event volume: High on domain controllers + +**Note**   +For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698). + +  + +Default setting: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md new file mode 100644 index 0000000000..c4112315d8 --- /dev/null +++ b/windows/keep-secure/audit-security-group-management.md @@ -0,0 +1,127 @@ +--- +title: Audit Security Group Management (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. +ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Security Group Management + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed. + +Tasks for security group management include: + +- A security group is created, changed, or deleted. + +- A member is added to or removed from a security group. + +- A group's type is changed. + +Security groups can be used for access control permissions and also as distribution lists. + +Event volume: Low + +Default: Success + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
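Review bot: the label "Default setting: Not configured" in audit-sam.md differs from the "Default:" label used by every other topic in this change (Audit Registry, Audit Removable Storage, Audit RPC Events); use "Default: Not configured" for consistency.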
Event IDEvent message

4727

A security-enabled global group was created.

4728

A member was added to a security-enabled global group.

4729

A member was removed from a security-enabled global group.

4730

A security-enabled global group was deleted.

4731

A security-enabled local group was created.

4732

A member was added to a security-enabled local group.

4733

A member was removed from a security-enabled local group.

4734

A security-enabled local group was deleted.

4735

A security-enabled local group was changed.

4737

A security-enabled global group was changed.

4754

A security-enabled universal group was created.

4755

A security-enabled universal group was changed.

4756

A member was added to a security-enabled universal group.

4757

A member was removed from a security-enabled universal group.

4758

A security-enabled universal group was deleted.

4764

A group's type was changed.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md new file mode 100644 index 0000000000..f20c08fa77 --- /dev/null +++ b/windows/keep-secure/audit-security-state-change.md @@ -0,0 +1,91 @@ +--- +title: Audit Security State Change (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. +ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Security State Change + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system. + +Changes in the security state of the operating system include: + +- System startup and shutdown. + +- Change of system time. + +- System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**. + + **Important**   + Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**. + +   + +System startup and shutdown events are important for understanding system usage. + +Event volume: Low + +Default: Success + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent Message SummaryMinimum Requirement

4608

Windows is starting up.

Windows Vista, Windows Server 2008

4609

Windows is shutting down.

Windows Vista, Windows Server 2008

4616

The system time was changed.

Windows Vista, Windows Server 2008

4621

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Windows Vista, Windows Server 2008

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md new file mode 100644 index 0000000000..ace6274636 --- /dev/null +++ b/windows/keep-secure/audit-security-system-extension.md 
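Review bot: the event table in audit-security-state-change.md has a different shape from the other topics: the header reads "Event Message Summary" instead of "Event message", and it adds a "Minimum Requirement" column whose every cell is "Windows Vista, Windows Server 2008", which looks left over from older documentation in a topic whose Applies to list is Windows 10 and Windows 10 Mobile. Suggest dropping that column and matching the two-column header used elsewhere.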
@@ -0,0 +1,87 @@ +--- +title: Audit Security System Extension (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. +ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Security System Extension + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions. + +Changes to security system extensions in the operating system include the following activities: + +- A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. + +- A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. + +**Important**   +Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. + +  + +Event volume: Low + +These events are expected to appear more on a domain controller than on client computers or member servers. + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4610

An authentication package has been loaded by the Local Security Authority.

4611

A trusted logon process has been registered with the Local Security Authority.

4614

A notification package has been loaded by the Security Account Manager.

4622

A security package has been loaded by the Local Security Authority.

4697

A service was installed in the system.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md new file mode 100644 index 0000000000..339007cdc8 --- /dev/null +++ b/windows/keep-secure/audit-sensitive-privilege-use.md 
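Review bot: in the second bullet of audit-security-system-extension.md, "An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, ..." should say "audit event" rather than "audit log"; what is generated is a single event (4697 in the table below), and the rest of the topic uses "audit events".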
@@ -0,0 +1,99 @@ +--- +title: Audit Sensitive Privilege Use (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. +ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Sensitive Privilege Use + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. + +Actions that can be audited include: + +- A privileged service is called. + +- One of the following privileges is called: + + **Act as part of the operating system** + + **Back up files and directories** + + **Create a token object** + + **Debug programs** + + **Enable computer and user accounts to be trusted for delegation** + + **Generate security audits** + + **Impersonate a client after authentication** + + **Load and unload device drivers** + + **Manage auditing and security log** + + **Modify firmware environment values** + + **Replace a process-level token** + + **Restore files and directories** + + **Take ownership of files or other objects** + +If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts. + +Event volume: High + +Default: Not configured + + ++++ + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md new file mode 100644 index 0000000000..dd3b82a5bd --- /dev/null +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
@@ -0,0 +1,150 @@ +--- +title: Audit Shut down system immediately if unable to log security audits (Windows 10) +description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. +ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit: Shut down system immediately if unable to log security audits + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. + +## Reference + + +The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. + +With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears: + + +++ + + + + + +

STOP: C0000244 {Audit Failed}

+

An attempt to generate a security audit failed.

+ +  + +To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired. + +If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Depending on your security audit requirements, you can enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. However, enabling this setting will increase the number of events logged. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +The administrative burden of enabling this policy setting can be very high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security log. Additionally, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it cannot guarantee that every data file for every application will still be in a usable form when the system is restarted. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Modifying this setting may affect compatibility with clients, services, and applications. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If the computer is unable to record events to the security event log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of security event log events to purposely force a shutdown. 
+ +### Countermeasure + +Enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. + +### Potential impact + +If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there is no guarantee that every data file for every application will still be in a usable form when the device restarts. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md new file mode 100644 index 0000000000..b95710f26b --- /dev/null +++ b/windows/keep-secure/audit-special-logon.md 
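Review bot: the Best practices bullet in audit-shut-down-system-immediately-if-unable-to-log-security-audits.md says "enabling this setting will increase the number of events logged", which the rest of the topic does not support: the Reference section describes a setting that halts the system when an audit cannot be written, not one that generates additional events. Suggest replacing that sentence with the cost the topic actually names under Policy management (an abrupt shutdown when the log fills). Two smaller points: the repudiation-to-denial-of-service paragraph appears almost verbatim under both Policy management and Potential impact, so one copy could reference the other; and the related setting is named both "Retention method for security log" and "Retention method for the Security log", which should be made consistent.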
@@ -0,0 +1,66 @@ +--- +title: Audit Special Logon (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. +ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit Special Logon + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. + +This security policy setting determines whether the operating system generates audit events when: + +- A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. + +- A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183). + +Users holding special privileges can potentially make changes to the system. We recommend that you track their activity. + +Event volume: Low + +Default: Success + + ++++ + + + + + + + + + + + + +
Event IDEvent message

4964

Special groups have been assigned to a new logon.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md new file mode 100644 index 0000000000..b9e785f0b3 --- /dev/null +++ b/windows/keep-secure/audit-system-integrity.md @@ -0,0 +1,115 @@ +--- +title: Audit System Integrity (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. +ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit System Integrity + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem. + +Activities that violate the integrity of the security subsystem include the following: + +- Audited events are lost due to a failure of the auditing system. + +- A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. + +- A remote procedure call (RPC) integrity violation is detected. + +- A code integrity violation with an invalid hash value of an executable file is detected. + +- Cryptographic tasks are performed. + +**Important**   +Violations of security subsystem integrity are critical and could indicate a potential security attack. + +  + +Event volume: Low + +Default: Success and failure + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDEvent message

4612

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

4615

Invalid use of LPC port.

4618

A monitored security event pattern has occurred.

4816

RPC detected an integrity violation while decrypting an incoming message.

5038

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

5056

A cryptographic self-test was performed.

5057

A cryptographic primitive operation failed.

5060

Verification operation failed.

5061

Cryptographic operation.

5062

A kernel-mode cryptographic self-test was performed.

6281

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md new file mode 100644 index 0000000000..406ceb5ef9 --- /dev/null +++ b/windows/keep-secure/audit-user-account-management.md @@ -0,0 +1,133 @@ +--- +title: Audit User Account Management (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. +ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit User Account Management + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed. + +Tasks that are audited for user account management include: + +- A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. + +- A user account password is set or changed. + +- Security identifier (SID) history is added to a user account. + +- The Directory Services Restore Mode password is set. + +- Permissions are changed on accounts that are members of administrator groups. + +- Credential Manager credentials are backed up or restored. + +This policy setting is essential for tracking events that involve provisioning and managing user accounts. + +Event volume: Low + +Default: Success + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
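Review bot: the second bullet in audit-system-integrity.md has the directions reversed: "read to a client address space, or write from a client address space" should read "read from a client address space, or write to a client address space".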
Event IDEvent message

4720

A user account was created.

4722

A user account was enabled.

4723

An attempt was made to change an account's password.

4724

An attempt was made to reset an account's password.

4725

A user account was disabled.

4726

A user account was deleted.

4738

A user account was changed.

4740

A user account was locked out.

4765

SID History was added to an account.

4766

An attempt to add SID History to an account failed.

4767

A user account was unlocked.

4780

The ACL was set on accounts which are members of administrators groups.

4781

The name of an account was changed:

4794

An attempt was made to set the Directory Services Restore Mode.

5376

Credential Manager credentials were backed up.

5377

Credential Manager credentials were restored from a backup.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md new file mode 100644 index 0000000000..6d913998df --- /dev/null +++ b/windows/keep-secure/audit-user-device-claims.md @@ -0,0 +1,75 @@ +--- +title: Audit User/Device Claims (Windows 10) +description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. +ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit User/Device Claims + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims. + +Event volume: + +Default: Not configured + + ++++ + + + + + + + + + + + + +
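Review bot: two table entries in audit-user-account-management.md look truncated: the 4794 message "An attempt was made to set the Directory Services Restore Mode." is missing the object being set (the bullet above it says the Directory Services Restore Mode password), and the 4781 message "The name of an account was changed:" ends in a stray colon. Both should be completed or trimmed to match the one-line summaries used for the other event IDs.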
Event IDEvent message

4626

User / Device claims information.

+

Subject:

+

Security ID: %1

+

Account Name: %2

+

Account Domain: %3

+

Logon ID: %4

+

Logon Type:%9

+

New Logon:

+

Security ID: %5

+

Account Name: %6

+

Account Domain: %7

+

Logon ID: %8

+

Event in sequence: %10 of %11

+

User Claims: %12

+

Device Claims: %13

+

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

+

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

+

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

+

This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

+ +  + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md new file mode 100644 index 0000000000..fa7650f9c0 --- /dev/null +++ b/windows/keep-secure/back-up-files-and-directories.md 
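Review bot: the "Event volume:" line in the Audit User/Device Claims topic is left empty, so the reader gets no guidance on how many 4626 events to expect; the topic itself says the event is generated for every logon whose token carries user/device claims, so a value should be stated rather than a blank. Two smaller points in the same file: "Logon Type:%9" in the event message lacks the space after the colon that every other field has, and `ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486` is upper-case while the other new topics in this change use lower-case asset IDs (`1cd6bdd5-...`, `62bcec80-...`).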
@@ -0,0 +1,173 @@ +--- +title: Back up files and directories (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. +ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Back up files and directories + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. + +## Reference + + +This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. + +This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system: + +- Traverse Folder/Execute File + +- List Folder/Read Data + +- Read Attributes + +- Read Extended Attributes + +- Read Permissions + +Default on workstations and servers: + +- Administrators + +- Backup Operators + +Default on domain controllers: + +- Administrators + +- Backup Operators + +- Server Operators + +Constant: SeBackupPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. + +2. 
If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

+

Backup Operators

+

Server Operators

Stand-Alone Server Default Settings

Administrators

+

Backup Operators

Domain Controller Effective Default Settings

Administrators

+

Backup Operators

+

Server Operators

Member Server Effective Default Settings

Administrators

+

Backup Operators

Client Computer Effective Default Settings

Administrators

+

Backup Operators

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. + +### Countermeasure + +Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. + +### Potential impact + +Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + 
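Review bot: the Reference section says the right is effective only through the NTFS backup API "through a backup tool such as NTBACKUP.EXE", but this topic is marked as applying to Windows 10, which does not ship NTBACKUP.EXE; either name a tool that exists on the platform (Windows Server Backup / wbadmin) or drop the example, because an administrator verifying the claim on Windows 10 will not find the tool. The rest of the hunk reads consistently: the Best practices and Countermeasure text match each other, and the default-value table agrees with the "Default on workstations and servers" / "Default on domain controllers" lists in the Reference section.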
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md new file mode 100644 index 0000000000..0aca86ef95 --- /dev/null +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md 
@@ -0,0 +1,749 @@ +--- +title: Backup the TPM recovery Information to AD DS (Windows 10) +description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. +ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Backup the TPM recovery Information to AD DS + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. + +## About administering TPM remotely + + +Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without having to be present at the computer. + +You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**. + +**Note**   +The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored. + +  + +Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. 
However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment. + +In this topic: + +1. [Check status of prerequisites](#bkmk-prereqs) + +2. [Set permissions to back up password information](#bkmk-setperms) + +3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp) + +4. [Use AD DS to recover TPM information](#bkmk-useit) + +5. [Sample scripts](#bkmk-adds-tpm-scripts) + +## Check status of prerequisites + + +Before you begin your backup, ensure that the following prerequisites are met: + +1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema. + + **Tip**   + For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +   + +2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions. + +## Set permissions to back up password information + + +This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. 
A client computer cannot back up TPM owner information until this ACE is added. + +This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions: + +- You have domain administrator credentials to set permissions for the top-level domain object. + +- Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN. + + **Note**   + You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example: + + `LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com` + +   + +- Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects. + + Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute. + +**To add an ACE to allow TPM recovery information backup** + +1. Open the sample script **Add-TPMSelfWriteACE.vbs**. + + The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name. + +2. Save your modifications to the script. + +3. 
Type the following at a command prompt, and then press ENTER: + + **cscript Add-TPMSelfWriteACE.vbs** + +This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain. + +Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary. + +**Manage ACEs configured on TPM schema objects** + +1. Open the sample script **List-ACEs.vbs**. + +2. Modify **List-ACEs.vbs**. + + You must modify: + + - Value of **strPathToDomain**: Use your domain name. + + - Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects. + +3. Save your modifications to the script. + +4. Type the following at a command prompt, and then press ENTER: + + **cscript List-ACEs.vbs** + + With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain. + +## Configure Group Policy to back up TPM recovery information in AD DS + + +Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain. + +**To enable local policy setting to back up TPM recovery information to AD DS** + +1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group. + +2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**. + +3. Click **Trusted Platform Module Services**. + +4. 
Double-click **Turn on TPM backup to Active Directory Domain Services**. + +5. Click **Enabled**, and then click **OK**. + +**Important**   +When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds. + +  + +## Use AD DS to recover TPM information + + +When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required. + +**To obtain TPM owner backup information from AD DS and create a password file** + +1. Sign in to a domain controller by using domain administrator credentials. + +2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer. + +3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step. + +4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**. + + The expected output is a string that is the hash of the password that you created earlier. + + **Note**   + If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute. + + The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects. + +   + +5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step. + + ``` syntax + + + +                 +                 TpmOwnerPasswordHash + + ``` + +6. 
Save this file with a .tpm extension on a removable storage device, such as a USB flash drive. When you access the TPM, and you are required to provide the TPM owner password, choose the option for reading the password from a file and provide the path to this file. + +## Sample scripts + + +You can use all or portions of the following sample scripts, which are used in the preceding procedures, to configure AD DS for backing up TPM recovery information. Customization is required depending on how your environment is configured. + +- [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#bkmk-add-tpmselfwriteace) + +- [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#bkmk-list-aces) + +- [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#bkmk-get-tpmownerinfo) + +### Add-TPMSelfWriteACE.vbs + +This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS. + +``` syntax +'=============================================================================== +' +' This script demonstrates the addition of an Access Control Entry (ACE) +' to allow computers to write Trusted Platform Module (TPM) +' recovery information to Active Directory. +' +' This script creates a SELF ACE on the top-level domain object, and +' assumes that inheritance of ACL's from the top-level domain object to +' down-level computer objects are enabled. +' +' +' +' Last Updated: 12/05/2012 +' Last Reviewed: 12/05/2012 +' Microsoft Corporation +' +' Disclaimer +' +' The sample scripts are not supported under any Microsoft standard support program +' or service. The sample scripts are provided AS IS without warranty of any kind. 
+' Microsoft further disclaims all implied warranties including, without limitation, +' any implied warranties of merchantability or of fitness for a particular purpose. +' The entire risk arising out of the use or performance of the sample scripts and +' documentation remains with you. In no event shall Microsoft, its authors, or +' anyone else involved in the creation, production, or delivery of the scripts be +' liable for any damages whatsoever (including, without limitation, damages for loss +' of business profits, business interruption, loss of business information, or +' other pecuniary loss) arising out of the use of or inability to use the sample +' scripts or documentation, even if Microsoft has been advised of the possibility +' of such damages. +' +' Version 1.0.2 - Tested and re-released for Windows 8 and Windows Server 2012 + +' +'=============================================================================== + +' -------------------------------------------------------------------------------- +' Access Control Entry (ACE) constants +' -------------------------------------------------------------------------------- + +'- From the ADS_ACETYPE_ENUM enumeration +Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 'Allows an object to do something + +'- From the ADS_ACEFLAG_ENUM enumeration +Const ADS_ACEFLAG_INHERIT_ACE = &H2 'ACE can be inherited to child objects +Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8 'ACE does NOT apply to target (parent) object + +'- From the ADS_RIGHTS_ENUM enumeration +Const ADS_RIGHT_DS_WRITE_PROP = &H20 'The right to write object properties +Const ADS_RIGHT_DS_CREATE_CHILD = &H1 'The right to create child objects + +'- From the ADS_FLAGTYPE_ENUM enumeration +Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1 'Target object type is present in the ACE +Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 'Target inherited object type is present in the ACE + +' -------------------------------------------------------------------------------- +' TPM 
and FVE schema object GUID's +' -------------------------------------------------------------------------------- + +'- ms-TPM-OwnerInformation attribute +SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}" + +'- ms-FVE-RecoveryInformation object +SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}" + +'- Computer object +SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}" + +'Reference: "Platform SDK: Active Directory Schema" + + + + +' -------------------------------------------------------------------------------- +' Set up the ACE to allow write of TPM owner information +' -------------------------------------------------------------------------------- + +Set objAce1 = createObject("AccessControlEntry") + +objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE +objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT +objAce1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT + +objAce1.Trustee = "SELF" +objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP +objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION +objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER + + + +' -------------------------------------------------------------------------------- +' NOTE: BY default, the "SELF" computer account can create +' BitLocker recovery information objects and write BitLocker recovery properties +' +' No additional ACE's are needed. +' -------------------------------------------------------------------------------- + + +' -------------------------------------------------------------------------------- +' Connect to Discretional ACL (DACL) for domain object +' -------------------------------------------------------------------------------- + +Set objRootLDAP = GetObject("LDAP://rootDSE") +strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. 
string dc=fabrikam,dc=com + +Set objDomain = GetObject(strPathToDomain) + +WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName") + +Set objDescriptor = objDomain.Get("ntSecurityDescriptor") +Set objDacl = objDescriptor.DiscretionaryAcl + + +' -------------------------------------------------------------------------------- +' Add the ACEs to the Discretionary ACL (DACL) and set the DACL +' -------------------------------------------------------------------------------- + +objDacl.AddAce objAce1 + +objDescriptor.DiscretionaryAcl = objDacl +objDomain.Put "ntSecurityDescriptor", Array(objDescriptor) +objDomain.SetInfo + +WScript.Echo "SUCCESS!" +``` + +### List-ACEs.vbs + +This script lists or removes the ACEs that are configured on BitLocker and TPM schema objects for the top-level domain. This enables you to verify that the expected ACEs have been added appropriately or to remove any ACEs that are related to BitLocker or the TPM, if necessary. + +``` syntax +'=============================================================================== +' +' This script lists the access control entries (ACE's) configured on +' Trusted Platform Module (TPM) and BitLocker Drive Encryption (BDE) schema objects +' for the top-level domain. +' +' You can use this script to check that the correct permissions have been set and +' to remove TPM and BitLocker ACE's from the top-level domain. +' +' +' Last Updated: 12/05/2012 +' Last Reviewed: 12/02/2012 +' +' Microsoft Corporation +' +' Disclaimer +' +' The sample scripts are not supported under any Microsoft standard support program +' or service. The sample scripts are provided AS IS without warranty of any kind. +' Microsoft further disclaims all implied warranties including, without limitation, +' any implied warranties of merchantability or of fitness for a particular purpose. +' The entire risk arising out of the use or performance of the sample scripts and +' documentation remains with you. 
In no event shall Microsoft, its authors, or +' anyone else involved in the creation, production, or delivery of the scripts be +' liable for any damages whatsoever (including, without limitation, damages for loss +' of business profits, business interruption, loss of business information, or +' other pecuniary loss) arising out of the use of or inability to use the sample +' scripts or documentation, even if Microsoft has been advised of the possibility +' of such damages. +' +' Version 1.0.2 - Tested and re-released for Windows 8 and Windows Server 2012 +' +'=============================================================================== + +' -------------------------------------------------------------------------------- +' Usage +' -------------------------------------------------------------------------------- + +Sub ShowUsage + Wscript.Echo "USAGE: List-ACEs" + Wscript.Echo "List access permissions for BitLocker and TPM schema objects" + Wscript.Echo "" + Wscript.Echo "USAGE: List-ACEs -remove" + Wscript.Echo "Removes access permissions for BitLocker and TPM schema objects" + WScript.Quit +End Sub + + +' -------------------------------------------------------------------------------- +' Parse Arguments +' -------------------------------------------------------------------------------- + +Set args = WScript.Arguments + +Select Case args.Count + + Case 0 + ' do nothing - checks for ACE's + removeACE = False + + Case 1 + If args(0) = "/?" Or args(0) = "-?" 
Then + ShowUsage + Else + If UCase(args(0)) = "-REMOVE" Then + removeACE = True + End If + End If + + Case Else + ShowUsage + +End Select + +' -------------------------------------------------------------------------------- +' Configuration of the filter to show/remove only ACE's for BDE and TPM objects +' -------------------------------------------------------------------------------- + +'- ms-TPM-OwnerInformation attribute +SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}" + +'- ms-FVE-RecoveryInformation object +SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}" + +' Use this filter to list/remove only ACEs related to TPM and BitLocker + +aceGuidFilter = Array(SCHEMA_GUID_MS_TPM_OWNERINFORMATION, _ + SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION) + + +' Note to script source reader: +' Uncomment the following line to turn off the filter and list all ACEs +'aceGuidFilter = Array() + + +' -------------------------------------------------------------------------------- +' Helper functions related to the list filter for listing or removing ACE's +' -------------------------------------------------------------------------------- + +Function IsFilterActive() + + If Join(aceGuidFilter) = "" Then + IsFilterActive = False + Else + IsFilterActive = True + End If + +End Function + + +Function isAceWithinFilter(ace) + + aceWithinFilter = False ' assume first not pass the filter + + For Each guid In aceGuidFilter + + If ace.ObjectType = guid Or ace.InheritedObjectType = guid Then + isAceWithinFilter = True + End If + Next + +End Function + +Sub displayFilter + For Each guid In aceGuidFilter + WScript.echo guid + Next +End Sub + + +' -------------------------------------------------------------------------------- +' Connect to Discretional ACL (DACL) for domain object +' -------------------------------------------------------------------------------- + +Set objRootLDAP = GetObject("LDAP://rootDSE") +strPathToDomain = 
"LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com + +Set domain = GetObject(strPathToDomain) + +WScript.Echo "Accessing object: " + domain.Get("distinguishedName") +WScript.Echo "" + +Set descriptor = domain.Get("ntSecurityDescriptor") +Set dacl = descriptor.DiscretionaryAcl + + +' -------------------------------------------------------------------------------- +' Show Access Control Entries (ACE's) +' -------------------------------------------------------------------------------- + +' Loop through the existing ACEs, including all ACEs if the filter is not active + +i = 1 ' global index +c = 0 ' found count - relevant if filter is active + +For Each ace In dacl + + If IsFilterActive() = False or isAceWithinFilter(ace) = True Then + + ' note to script source reader: + ' echo i to show the index of the ACE + + WScript.echo "> AceFlags: " & ace.AceFlags + WScript.echo "> AceType: " & ace.AceType + WScript.echo "> Flags: " & ace.Flags + WScript.echo "> AccessMask: " & ace.AccessMask + WScript.echo "> ObjectType: " & ace.ObjectType + WScript.echo "> InheritedObjectType: " & ace.InheritedObjectType + WScript.echo "> Trustee: " & ace.Trustee + WScript.echo "" + + + if IsFilterActive() = True Then + c = c + 1 + + ' optionally include this ACE in removal list if configured + ' note that the filter being active is a requirement since we don't + ' want to accidentally remove all ACEs + + If removeACE = True Then + dacl.RemoveAce ace + End If + + end if + + End If + + i = i + 1 + +Next + + +' Display number of ACEs found + +If IsFilterActive() = True Then + + WScript.echo c & " ACE(s) found in " & domain.Get("distinguishedName") _ + & " related to BitLocker and TPM" 'note to script source reader: change this line if you configure your own + +filter + + ' note to script source reader: + ' uncomment the following lines if you configure your own filter + 'WScript.echo "" + 'WScript.echo "The following filter was active: " + 'displayFilter + 
'Wscript.echo "" + +Else + + i = i - 1 + WScript.echo i & " total ACE(s) found in " & domain.Get("distinguishedName") + +End If + + +' -------------------------------------------------------------------------------- +' Optionally remove ACE's on a filtered list +' -------------------------------------------------------------------------------- + +if removeACE = True and IsFilterActive() = True then + + descriptor.DiscretionaryAcl = dacl + domain.Put "ntSecurityDescriptor", Array(descriptor) + domain.setInfo + + WScript.echo c & " ACE(s) removed from " & domain.Get("distinguishedName") + +else + + if removeACE = True then + + WScript.echo "You must specify a filter to remove ACEs from " & domain.Get("distinguishedName") + + end if + + +end if +``` + +### Get-TPMOwnerInfo.vbs + +This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly. + +``` syntax +'================================================================================= +' +' This script demonstrates the retrieval of Trusted Platform Module (TPM) +' recovery information from Active Directory for a particular computer. +' +' It returns the TPM owner information stored as an attribute of a +' computer object. +' +' Last Updated: 12/05/2012 +' Last Reviewed: 12/05/2012 +' +' Microsoft Corporation +' +' Disclaimer +' +' The sample scripts are not supported under any Microsoft standard support program +' or service. The sample scripts are provided AS IS without warranty of any kind. +' Microsoft further disclaims all implied warranties including, without limitation, +' any implied warranties of merchantability or of fitness for a particular purpose. +' The entire risk arising out of the use or performance of the sample scripts and +' documentation remains with you. 
In no event shall Microsoft, its authors, or +' anyone else involved in the creation, production, or delivery of the scripts be +' liable for any damages whatsoever (including, without limitation, damages for loss +' of business profits, business interruption, loss of business information, or +' other pecuniary loss) arising out of the use of or inability to use the sample +' scripts or documentation, even if Microsoft has been advised of the possibility +' of such damages. +' +' Version 1.0 - Initial release +' Version 1.1 - Updated GetStrPathToComputer to search the global catalog. +' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012 +' +'================================================================================= + + +' -------------------------------------------------------------------------------- +' Usage +' -------------------------------------------------------------------------------- + +Sub ShowUsage + Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]" + Wscript.Echo "If no computer name is specified, the local computer is assumed." + WScript.Quit +End Sub + +' -------------------------------------------------------------------------------- +' Parse Arguments +' -------------------------------------------------------------------------------- + +Set args = WScript.Arguments + +Select Case args.Count + + Case 0 + ' Get the name of the local computer + Set objNetwork = CreateObject("WScript.Network") + strComputerName = objNetwork.ComputerName + + Case 1 + If args(0) = "/?" Or args(0) = "-?" 
Then + ShowUsage + Else + strComputerName = args(0) + End If + + Case Else + ShowUsage + +End Select + + +' -------------------------------------------------------------------------------- +' Get path to Active Directory computer object associated with the computer name +' -------------------------------------------------------------------------------- + +Function GetStrPathToComputer(strComputerName) + + ' Uses the global catalog to find the computer in the forest + ' Search also includes deleted computers in the tombstone + + Set objRootLDAP = GetObject("LDAP://rootDSE") + namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com + + strBase = "" + + Set objConnection = CreateObject("ADODB.Connection") + Set objCommand = CreateObject("ADODB.Command") + objConnection.Provider = "ADsDSOOBject" + objConnection.Open "Active Directory Provider" + Set objCommand.ActiveConnection = objConnection + + strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))" + strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree" + + objCommand.CommandText = strQuery + objCommand.Properties("Page Size") = 100 + objCommand.Properties("Timeout") = 100 + objCommand.Properties("Cache Results") = False + + ' Enumerate all objects found. + + Set objRecordSet = objCommand.Execute + If objRecordSet.EOF Then + WScript.echo "The computer name '" & strComputerName & "' cannot be found." + WScript.Quit 1 + End If + + ' Found object matching name + + Do Until objRecordSet.EOF + dnFound = objRecordSet.Fields("distinguishedName") + GetStrPathToComputer = "LDAP://" & dnFound + objRecordSet.MoveNext + Loop + + + ' Clean up. 
+ Set objConnection = Nothing + Set objCommand = Nothing + Set objRecordSet = Nothing + +End Function + +' -------------------------------------------------------------------------------- +' Securely access the Active Directory computer object using Kerberos +' -------------------------------------------------------------------------------- + +Set objDSO = GetObject("LDAP:") +strPath = GetStrPathToComputer(strComputerName) + + +WScript.Echo "Accessing object: " + strPath + +Const ADS_SECURE_AUTHENTICATION = 1 +Const ADS_USE_SEALING = 64 '0x40 +Const ADS_USE_SIGNING = 128 '0x80 + +Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _ + ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING) + +' -------------------------------------------------------------------------------- +' Get the TPM owner information from the Active Directory computer object +' -------------------------------------------------------------------------------- + +strOwnerInformation = objComputer.Get("msTPM-OwnerInformation") +WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation +``` + +## Additional resources + + +[Trusted Platform Module technology overview](trusted-platform-module-overview.md) + +[TPM fundamentals](tpm-fundamentals.md) + +[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) + +[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + +[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) + +[Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-account-logon-events.md b/windows/keep-secure/basic-audit-account-logon-events.md new file mode 100644 index 0000000000..ebac5ddb27 --- /dev/null +++ b/windows/keep-secure/basic-audit-account-logon-events.md 
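Review bot: In Get-TPMOwnerInfo.vbs, GetStrPathToComputer does not do what its comments claim: `namingContext` is read from rootDSE but never used, `strBase` is left empty so the ADO query is not bound to the global catalog, and no `Tombstone` property is set on `objCommand`, so deleted computers are not searched. Either drop the two comments ("Uses the global catalog to find the computer in the forest" / "Search also includes deleted computers in the tombstone") or set the base to the GC and enable the tombstone search. Two further points on the same function: the `Do Until objRecordSet.EOF` loop overwrites `GetStrPathToComputer` on every record, so when more than one computer object matches `cn=<name>` the last one wins silently and the wrong computer's msTPM-OwnerInformation is returned; it should stop on the first match or report the ambiguity. And `strComputerName` is concatenated straight into the LDAP filter; a name containing `*`, `(`, `)` or `\` alters the filter, so escape those characters (RFC 4515) before building `strFilter`. Minor: `objConnection.Provider = "ADsDSOOBject"` has a stray capital B (provider names are case-insensitive, so it works, but it should read ADsDSOObject), and the usage text says Get-TpmOwnerInfo while the heading says Get-TPMOwnerInfo.vbs.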
@@ -0,0 +1,60 @@ +--- +title: Audit account logon events (Windows 10) +description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. +ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit account logon events + + +**Applies to** + +- Windows 10 + +Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. + +This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails. + +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. + +**Default**: Success + +## Configure this audit setting + + +You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. 
+ +| Logon events | Description | +|--------------|--------------------------------------------------------------------------------------------------------------------------------------| +| 672 | An authentication service (AS) ticket was successfully issued and validated. | +| 673 | A ticket granting service (TGS) ticket was granted. | +| 674 | A security principal renewed an AS ticket or TGS ticket. | +| 675 | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password. | +| 676 | Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family. | +| 677 | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family. | +| 678 | An account was successfully mapped to a domain account. | +| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. | +| 682 | A user has reconnected to a disconnected terminal server session. | +| 683 | A user disconnected a terminal server session without logging off. | + +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-account-management.md b/windows/keep-secure/basic-audit-account-management.md new file mode 100644 index 0000000000..54b8232935 --- /dev/null +++ b/windows/keep-secure/basic-audit-account-management.md 
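Review bot: In basic-audit-account-logon-events.md the event table does not match the page's "Applies to: Windows 10" scope: the rows for 676, 677 and 681 say "This event is not generated in Windows XP or in the Windows Server 2003 family", and IDs 672 through 683 are the pre-Vista security log IDs (a Windows 10 domain controller logs the 4xxx-series equivalents, for example 4768 for 672 and 4771 for 675). Add a sentence stating which OS generations the listed IDs apply to, or replace them with the current IDs. Also, the opening sentence "Determines whether to audit each instance of a user logging on to or logging off from another device ..." is stated three times (description metadata, first body line, and again as "This security setting determines ..."); keep one copy in the body.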
@@ -0,0 +1,254 @@ +--- +title: Audit account management (Windows 10) +description: Determines whether to audit each event of account management on a device. +ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit account management + + +**Applies to** + +- Windows 10 + +Determines whether to audit each event of account management on a device. + +Examples of account management events include: + +- A user account or group is created, changed, or deleted. + +- A user account is renamed, disabled, or enabled. + +- A password is set or changed. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. + +**Default:** + +- Success on domain controllers. + +- No auditing on member servers. + +## Configure this audit setting + + +You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account management eventsDescription
624A user account was created.
627A user password was changed.
628A user password was set.
630A user account was deleted.
631A global group was created.
632A member was added to a global group.
633A member was removed from a global group.
634A global group was deleted.
635A new local group was created.
636A member was added to a local group.
637A member was removed from a local group.
638A local group was deleted.
639A local group account was changed.
641A global group account was changed.
642A user account was changed
643A domain policy was modified.
644A user account was auto locked.
645A computer account was created.
646A computer account was changed.
647A computer account was deleted.
648A local security group with security disabled was created. +
+Note  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. +
+
+  +
649A local security group with security disabled was changed.
650A member was added to a security-disabled local security group.
651A member was removed from a security-disabled local security group.
652A security-disabled local group was deleted.
653A security-disabled global group was created.
645A security-disabled global group was changed.
655A member was added to a security-disabled global group.
656A member was removed from a security-disabled global group.
657A security-disabled global group was deleted.
658A security-enabled universal group was created.
659A security-enabled universal group was changed.
660A member was added to a security-enabled universal group.
661A member was removed from a security-enabled universal group.
662A security-enabled universal group was deleted.
663A security-disabled universal group was created.
664A security-disabled universal group was changed.
665A member was added to a security-disabled universal group.
666A member was removed from a security-disabled universal group.
667A security-disabled universal group was deleted.
668A group type was changed.
684Set the security descriptor of members of administrative groups.
685Set the security descriptor of members of administrative groups. +
+Note  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. +
+
+  +
+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-directory-service-access.md b/windows/keep-secure/basic-audit-directory-service-access.md new file mode 100644 index 0000000000..4ec4bdf05a --- /dev/null +++ b/windows/keep-secure/basic-audit-directory-service-access.md 
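Review bot: In basic-audit-account-management.md the event table has a duplicated ID: 645 appears once as "A computer account was created." and again as "A security-disabled global group was changed."; the second row sits between 653 and 655 and should read 654. Also, 684 and 685 carry the identical description "Set the security descriptor of members of administrative groups." with nothing to distinguish them; the note under 685 describes the 60-minute background thread, so 684 needs its own description. Minor: "642 A user account was changed" is missing its period, "Define these policy settings" is not bolded as it is in the sibling pages, and this page uses an HTML table where the other new pages use markdown tables.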
@@ -0,0 +1,62 @@ +--- +title: Audit directory service access (Windows 10) +description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. +ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit directory service access + + +**Applies to** + +- Windows 10 + +\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] + +Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. + +By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. + +**Note**   +You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. 
This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects. + +  + +**Default:** + +- Success on domain controllers. + +- Undefined for a member server. + +## Configure this audit setting + + +You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + +There is only one directory service access event, which is identical to the Object Access security event message 566. + +| Directory service access events | Description | +|---------------------------------|----------------------------------------| +| 566 | A generic object operation took place. | + +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-logon-events.md b/windows/keep-secure/basic-audit-logon-events.md new file mode 100644 index 0000000000..0b162e2b7a --- /dev/null +++ b/windows/keep-secure/basic-audit-logon-events.md 
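Review bot: In basic-audit-directory-service-access.md the bracketed pre-release disclaimer ("Some information relates to pre-released product ... An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store ...") is Store/SDK boilerplate with no bearing on a Group Policy audit setting; remove it or replace it with the page's actual status. Also, the bold markup in "To set this value to **No auditing,**" wraps the comma, and the "**Note**" line is separated from its sentence by a trailing-space line break, so it will not render as one callout. The Default bullets say "Undefined for a member server" while the body says "it remains undefined for workstations and servers"; align the two.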
@@ -0,0 +1,93 @@ +--- +title: Audit logon events (Windows 10) +description: Determines whether to audit each instance of a user logging on to or logging off from a device. +ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit logon events + + +**Applies to** + +- Windows 10 + +\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] + +Determines whether to audit each instance of a user logging on to or logging off from a device. + +Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see [Audit account logon events](basic-audit-account-logon-events.md). + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails. 
+ +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. + +## Configure this audit setting + + +You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + +| Logon events | Description | +|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. | +| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. | +| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. | +| 531 | Logon failure. A logon attempt was made using a disabled account. | +| 532 | Logon failure. A logon attempt was made using an expired account. | +| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. | +| 534 | Logon failure. The user attempted to log on with a type that is not allowed. | +| 535 | Logon failure. The password for the specified account has expired. | +| 536 | Logon failure. The Net Logon service is not active. | +| 537 | Logon failure. The logon attempt failed for other reasons. | +| 538 | The logoff process was completed for a user. | +| 539 | Logon failure. The account was locked out at the time the logon attempt was made. | +| 540 | A user successfully logged on to a network. 
| +| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. | +| 542 | A data channel was terminated. | +| 543 | Main mode was terminated. | +| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. | +| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. | +| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. | +| 547 | A failure occurred during an IKE handshake. | +| 548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. | +| 549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. | +| 550 | Notification message that could indicate a possible denial-of-service attack. | +| 551 | A user initiated the logoff process. | +| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | +| 682 | A user has reconnected to a disconnected terminal server session. | +| 683 | A user disconnected a terminal server session without logging off. | + +  + +When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type. 
+ +| Logon type | Logon title | Description | +|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 2 | Interactive | A user logged on to this computer. | +| 3 | Network | A user or computer logged on to this computer from the network. | +| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| 5 | Service | A service was started by the Service Control Manager. | +| 7 | Unlock | This workstation was unlocked. | +| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | +| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-object-access.md b/windows/keep-secure/basic-audit-object-access.md new file mode 100644 index 0000000000..84b7afbcea 
--- /dev/null +++ b/windows/keep-secure/basic-audit-object-access.md 
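Review bot: In basic-audit-logon-events.md the row for 530 is garbled: "Logon failure. A logon attempt was made user account tried to log on outside of the allowed time." should read "Logon failure. A logon attempt was made by a user account that tried to log on outside of the allowed time." The same Store/SDK Preview Build 14295 disclaimer as on the directory service access page appears here and is equally out of place on an audit-policy topic. In the logon types table, the row for type 8 (NetworkCleartext) says the password "was passed to the authentication package in its unhashed form" and then that "The credentials do not traverse the network in plaintext"; as written the two sentences read as contradictory and need a clause making clear that the first refers to the local authentication package, not the wire.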
@@ -0,0 +1,246 @@ +--- +title: Audit object access (Windows 10) +description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. +ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit object access + + +**Applies to** + +- Windows 10 + +Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. + +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. + +**Note**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box. + +  + +**Default:** No auditing. + +## Configure this audit setting + + +You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Object access eventsDescription
560Access was granted to an already existing object.
562A handle to an object was closed.
563An attempt was made to open an object with the intent to delete it. +
+Note  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). +
+
+  +
564A protected object was deleted.
565Access was granted to an already existing object type.
567A permission associated with a handle was used. +
+Note  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. +
+
+  +
568An attempt was made to create a hard link to a file that is being audited.
569The resource manager in Authorization Manager attempted to create a client context.
570A client attempted to access an object. +
+Note  An event will be generated for every attempted operation on the object. +
+
+  +
571The client context was deleted by the Authorization Manager application.
572The administrator manager initialized the application.
772The certificate manager denied a pending certificate request.
773Certificate Services received a resubmitted certificate request.
774Certificate Services revoked a certificate.
775Certificate Services received a request to publish the certificate revocation list (CRL).
776Certificate Services published the certificate revocation list (CRL).
777A certificate request extension was made.
778One or more certificate request attributes changed.
779Certificate Services received a request to shutdown.
780Certificate Services backup started.
781Certificate Services backup completed
782Certificate Services restore started.
783Certificate Services restore completed.
784Certificate Services started.
785Certificate Services stopped.
786The security permissions for Certificate Services changed.
787Certificate Services retrieved an archived key.
788Certificate Services imported a certificate into its database.
789The audit filter for Certificate Services changed.
790Certificate Services received a certificate request.
791Certificate Services approved a certificate request and issued a certificate.
792Certificate Services denied a certificate request.
793Certificate Services set the status of a certificate request to pending.
794The certificate manager settings for Certificate Services changed.
795A configuration entry changed in Certificate Services.
796A property of Certificate Services changed.
797Certificate Services archived a key.
798Certificate Services imported and archived a key.
799Certificate Services published the CA certificate to Active Directory.
800One or more rows have been deleted from the certificate database.
801Role separation enabled.
+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-policy-change.md b/windows/keep-secure/basic-audit-policy-change.md new file mode 100644 index 0000000000..48eb4dc41b --- /dev/null +++ b/windows/keep-secure/basic-audit-policy-change.md @@ -0,0 +1,172 @@ +--- +title: Audit policy change (Windows 10) +description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. +ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit policy change + + +**Applies to** + +- Windows 10 + +Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails. + +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. + +**Default:** + +- Success on domain controllers. + +- No auditing on member servers. + +## Configure this audit setting + + +You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
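Review bot: In basic-audit-object-access.md the row for 572, "The administrator manager initialized the application.", is inconsistent with 569 and 571, which name the Authorization Manager; it should say "The Authorization Manager application was initialized." Also the note under 563 refers to "Createfile()" (the Win32 function is CreateFile), "781 Certificate Services backup completed" is missing its period, and "Define these policy settings" is not bolded as in the sibling pages.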
Policy change eventsDescription
608A user right was assigned.
609A user right was removed.
610A trust relationship with another domain was created.
611A trust relationship with another domain was removed.
612An audit policy was changed.
613An Internet Protocol security (IPSec) policy agent started.
614An IPSec policy agent was disabled.
615An IPSec policy agent changed.
616An IPSec policy agent encountered a potentially serious failure.
617A Kerberos policy changed.
618Encrypted Data Recovery policy changed.
620A trust relationship with another domain was modified.
621System access was granted to an account.
622System access was removed from an account.
623Per user auditing policy was set for a user.
625Per user audit policy was refreshed.
768A collision was detected between a namespace element in one forest and a namespace element in another forest. +
+Note  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'. +
+
+  +
769Trusted forest information was added. +
+Note  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName". +
+
+  +
770Trusted forest information was deleted. +
+Note  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName". +
+
+  +
771Trusted forest information was modified. +
+Note  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName". +
+
+  +
805The event log service read the security log configuration for a session.
+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-privilege-use.md b/windows/keep-secure/basic-audit-privilege-use.md new file mode 100644 index 0000000000..bf1b98b716 --- /dev/null +++ b/windows/keep-secure/basic-audit-privilege-use.md 
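Review bot: The "Note" paragraphs under event 770 ("Trusted forest information was deleted.") and event 771 ("Trusted forest information was modified.") are verbatim copies of the note under the preceding "added" entry and still open with "This event message is generated when forest trust information is updated and one or more entries are added." Either change "added" to "deleted" and "modified" respectively, or collapse the three identical notes into a single note stated once for the whole group, since the remainder (one message per entry, the shared operation ID, and the parameters that are invalid for "TopLevelName") applies to all three event IDs unchanged.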
@@ -0,0 +1,94 @@ +--- +title: Audit privilege use (Windows 10) +description: Determines whether to audit each instance of a user exercising a user right. +ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit privilege use + + +**Applies to** + +- Windows 10 + +Determines whether to audit each instance of a user exercising a user right. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails. + +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. + +**Default:** No auditing. + +Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for **Audit privilege use**. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the **FullPrivilegeAuditing** registry key. + +- Bypass traverse checking + +- Debug programs + +- Create a token object + +- Replace process level token + +- Generate security audits + +- Back up files and directories + +- Restore files and directories + +## Configure this audit setting + + +You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Privilege use eventsDescription
576Specified privileges were added to a user's access token. +
+Note  This event is generated when the user logs on. +
+
+  +
577A user attempted to perform a privileged system service operation.
578Privileges were used on an already open handle to a protected object.
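Review bot: The sentence "To audit the following user rights, enable the **FullPrivilegeAuditing** registry key." gives the reader nothing to act on: no registry path and no value type are stated, so it cannot be followed as written; add the full path and the value to set. Two smaller fixes in the same paragraph: "Enabling auditing of these user rights tend to generate many events" should read "tends to generate", and "select the Define these policy settings check box" leaves the control name unbolded while **Success** and **Failure** are bolded (the system-events page in this patch bolds it as **Define these policy settings**).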
+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-process-tracking.md b/windows/keep-secure/basic-audit-process-tracking.md new file mode 100644 index 0000000000..d0efa7d0b8 --- /dev/null +++ b/windows/keep-secure/basic-audit-process-tracking.md @@ -0,0 +1,110 @@ +--- +title: Audit process tracking (Windows 10) +description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. +ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit process tracking + + +**Applies to** + +- Windows 10 + +Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails. + +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. + +**Default:** No auditing. + +## Configure this this security setting + + +You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Process tracking eventsDescription
592A new process was created.
593A process exited.
594A handle to an object was duplicated.
595Indirect access to an object was obtained.
596A data protection master key was backed up. +
+Note  The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller. +
+
+  +
597A data protection master key was recovered from a recovery server.
598Auditable data was protected.
599Auditable data was unprotected.
600A process was assigned a primary token.
601A user attempted to install a service.
602A scheduler job was created.
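Review bot: The heading "## Configure this this security setting" has a doubled "this"; the sibling pages in this patch use "## Configure this audit setting", so use that wording here for consistency. In the note under event 596, "The master key is backed up each time a new one is created. (The default setting is 90 days.)" does not say what the 90 days refers to; if it is the interval at which a new master key is generated, state that directly rather than as a parenthetical after the backup sentence.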
+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-audit-system-events.md b/windows/keep-secure/basic-audit-system-events.md new file mode 100644 index 0000000000..34f4206e90 --- /dev/null +++ b/windows/keep-secure/basic-audit-system-events.md @@ -0,0 +1,106 @@ +--- +title: Audit system events (Windows 10) +description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. +ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Audit system events + + +**Applies to** + +- Windows 10 + +Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. + +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails. + +To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. + +**Default:** + +- Success on domain controllers. + +- No auditing on member servers. + +## Configure this audit setting + + +You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Logon eventsDescription
512Windows is starting up.
513Windows is shutting down.
514An authentication package was loaded by the Local Security Authority.
515A trusted logon process has registered with the Local Security Authority.
516Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.
517The audit log was cleared.
518A notification package was loaded by the Security Accounts Manager.
519A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.
520The system time was changed. +
+Note  This audit normally appears twice. +
+
+  +
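Review bot: The success/failure explanation is carried over from the logon-events page and does not describe this policy: "Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails." The events listed in this table (startup, shutdown, audit log cleared, system time changed) are not logon attempts; reword to refer to system events. The table header "Logon events" has the same problem and should be "System events", matching the pattern of the other new pages ("Privilege use events", "Process tracking events").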
+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/basic-security-audit-policies.md b/windows/keep-secure/basic-security-audit-policies.md new file mode 100644 index 0000000000..8aaba83b70 --- /dev/null +++ b/windows/keep-secure/basic-security-audit-policies.md @@ -0,0 +1,77 @@ +--- +title: Basic security audit policies (Windows 10) +description: Before you implement auditing, you must decide on an auditing policy. +ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Basic security audit policies + + +**Applies to** + +- Windows 10 + +Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. + +The event categories that you can choose to audit are: + +- Audit account logon events +- Audit account management +- Audit directory service access +- Audit logon events +- Audit object access +- Audit policy change +- Audit privilege use +- Audit process tracking +- Audit system events + +If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)

By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.

[Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md)

You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.

[View the security event log](view-the-security-event-log.md)

The security log records each event as defined by the audit policies you set on each object.

[Basic security audit policy settings](basic-security-audit-policy-settings.md)

Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
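Review bot: The introduction states "When this version of Windows is first installed, all auditing categories are disabled.", but the description for "Create a basic audit policy for an event category" in the same page says "On domain controllers, auditing is turned on by default." Reconcile the two, for example by qualifying the first sentence so it is clear it applies to member servers and workstations, since a reader will otherwise take the two sentences as contradictory.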

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/basic-security-audit-policy-settings.md b/windows/keep-secure/basic-security-audit-policy-settings.md new file mode 100644 index 0000000000..f59bbe3000 --- /dev/null +++ b/windows/keep-secure/basic-security-audit-policy-settings.md @@ -0,0 +1,88 @@ +--- +title: Basic security audit policy settings (Windows 10) +description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. +ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Basic security audit policy settings + + +**Applies to** + +- Windows 10 + +Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Audit account logon events](basic-audit-account-logon-events.md)

Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.

[Audit account management](basic-audit-account-management.md)

Determines whether to audit each event of account management on a device.

[Audit directory service access](basic-audit-directory-service-access.md)

Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.

[Audit logon events](basic-audit-logon-events.md)

Determines whether to audit each instance of a user logging on to or logging off from a device.

[Audit object access](basic-audit-object-access.md)

Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.

[Audit policy change](basic-audit-policy-change.md)

Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.

[Audit privilege use](basic-audit-privilege-use.md)

Determines whether to audit each instance of a user exercising a user right.

[Audit process tracking](basic-audit-process-tracking.md)

Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.

[Audit system events](basic-audit-system-events.md)

Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
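Review bot: The "## Related topics" section of this file links to `basic-security-audit-policy-settings.md`, which is the file being added, so the only related link is a self-link; point it at the parent page `basic-security-audit-policies.md` (also added in this patch) or drop the section. Minor: in the "Audit object access" row, "accessing an object--for example, a file, folder, registry key, printer, and so forth--that has" uses doubled hyphens; parentheses or commas would render cleanly.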

+ +  + +## Related topics + + +[Basic security audit policy settings](basic-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md new file mode 100644 index 0000000000..c245fc0a1b --- /dev/null +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md 
@@ -0,0 +1,1005 @@ +--- +title: BCD settings and BitLocker (Windows 10) +description: This topic for IT professionals describes the BCD settings that are used by BitLocker. +ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BCD settings and BitLocker + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the BCD settings that are used by BitLocker. + +When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive boot configuration data (BCD) settings have not changed since BitLocker was last enabled, resumed, or recovered. + +## BitLocker and BCD Settings + + +In Windows 7 and Windows Server 2008 R2, BitLocker validated nearly all BCD settings with the winload, winresume, and memtest prefixes. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery. + +In Windows 8, Windows Server 2012, and later operating systems BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, you can increase BCD validation coverage to suit your validation preferences. Alternatively, if a default BCD setting is persistently triggering recovery for benign changes, then you can exclude that BCD setting from the validation profile. + +### When secure boot is enabled + +Computers with UEFI firmware can use Secure Boot to provide enhanced boot security. When BitLocker is able to use Secure Boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. 
+ +One of the benefits of using Secure Boot is that it can correct BCD settings during boot without triggering recovery events. Secure Boot enforces the same BCD settings as BitLocker. Secure Boot BCD enforcement is not configurable from within the operating system. + +## Customizing BCD validation settings + + +To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** Group Policy setting. + +For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. BCD settings are either associated with a specific boot application or can apply to all boot applications by associating a prefix to the BCD setting entered in the Group Policy setting. Prefix values include: + +- winload + +- winresume + +- memtest + +- all + +All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.” + +The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies which BCD setting caused the recovery event. + +You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”. + +Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an exclusion policy. 
+ +When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** Group Policy setting, use the following syntax: + +- Prefix the setting with the boot application prefix + +- Append a colon ‘:’ + +- Append either the hex value or the friendly name + +- If entering more than one BCD setting, you will need to enter each BCD setting on a new line + +For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value. + +Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. + +**Note**   +Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. + +  + +### Default BCD validation profile + +The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and later operating systems: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Hex ValuePrefixFriendly Name

0x11000001

all

device

0x12000002

all

path

0x12000030

all

loadoptions

0x16000010

all

bootdebug

0x16000040

all

advancedoptions

0x16000041

all

optionsedit

0x16000048

all

nointegritychecks

0x16000049

all

testsigning

0x16000060

all

isolatedcontext

0x1600007b

all

forcefipscrypto

0x22000002

winload

systemroot

0x22000011

winload

kernel

0x22000012

winload

hal

0x22000053

winload

evstore

0x25000020

winload

nx

0x25000052

winload

restrictapiccluster

0x26000022

winload

winpe

0x26000025

winload

lastknowngood

0x26000081

winload

safebootalternateshell

0x260000a0

winload

debug

0x260000f2

winload

hypervisordebug

0x26000116

winload

hypervisorusevapic

0x21000001

winresume

filedevice

0x22000002

winresume

filepath

0x26000006

winresume

debugoptionenabled

+ +  + +### Full list of friendly names for ignored BCD settings + +This following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. + +**Note**   +Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. + +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + +
Hex ValuePrefixFriendly Name

0x12000004

all

description

0x12000005

all

locale

0x12000016

all

targetname

0x12000019

all

busparams

0x1200001d

all

key

0x1200004a

all

fontpath

0x14000006

all

inherit

0x14000008

all

recoverysequence

0x15000007

all

truncatememory

0x1500000c

all

firstmegabytepolicy

0x1500000d

all

relocatephysical

0x1500000e

all

avoidlowmemory

0x15000011

all

debugtype

0x15000012

all

debugaddress

0x15000013

all

debugport

0x15000014

all

baudrate

0x15000015

all

channel

0x15000018

all

debugstart

0x1500001a

all

hostip

0x1500001b

all

port

0x15000022

all

emsport

0x15000023

all

emsbaudrate

0x15000042

all

keyringaddress

0x15000047

all

configaccesspolicy

0x1500004b

all

integrityservices

0x1500004c

all

volumebandid

0x15000051

all

initialconsoleinput

0x15000052

all

graphicsresolution

0x15000065

all

displaymessage

0x15000066

all

displaymessageoverride

0x16000009

all

recoveryenabled

0x1600000b

all

badmemoryaccess

0x1600000f

all

traditionalkseg

0x16000017

all

noumex

0x1600001c

all

dhcp

0x1600001e

all

vm

0x16000020

all

bootems

0x16000046

all

graphicsmodedisabled

0x16000050

all

extendedinput

0x16000053

all

restartonfailure

0x16000054

all

highestmode

0x1600006c

all

bootuxdisabled

0x16000072

all

nokeyboard

0x16000074

all

bootshutdowndisabled

0x1700000a

all

badmemorylist

0x17000077

all

allowedinmemorysettings

0x22000040

all

fverecoveryurl

0x22000041

all

fverecoverymessage

0x31000003

all

ramdisksdidevice

0x32000004

all

ramdisksdipath

0x35000001

all

ramdiskimageoffset

0x35000002

all

ramdisktftpclientport

0x35000005

all

ramdiskimagelength

0x35000007

all

ramdisktftpblocksize

0x35000008

all

ramdisktftpwindowsize

0x36000006

all

exportascd

0x36000009

all

ramdiskmcenabled

0x3600000a

all

ramdiskmctftpfallback

0x3600000b

all

ramdisktftpvarwindow

0x21000001

winload

osdevice

0x22000013

winload

dbgtransport

0x220000f9

winload

hypervisorbusparams

0x22000110

winload

hypervisorusekey

0x23000003

winload

resumeobject

0x25000021

winload

pae

0x25000031

winload

removememory

0x25000032

winload

increaseuserva

0x25000033

winload

perfmem

0x25000050

winload

clustermodeaddressing

0x25000055

winload

x2apicpolicy

0x25000061

winload

numproc

0x25000063

winload

configflags

0x25000066

winload

groupsize

0x25000071

winload

msi

0x25000072

winload

pciexpress

0x25000080

winload

safeboot

0x250000a6

winload

tscsyncpolicy

0x250000c1

winload

driverloadfailurepolicy

0x250000c2

winload

bootmenupolicy

0x250000e0

winload

bootstatuspolicy

0x250000f0

winload

hypervisorlaunchtype

0x250000f3

winload

hypervisordebugtype

0x250000f4

winload

hypervisordebugport

0x250000f5

winload

hypervisorbaudrate

0x250000f6

winload

hypervisorchannel

0x250000f7

winload

bootux

0x250000fa

winload

hypervisornumproc

0x250000fb

winload

hypervisorrootprocpernode

0x250000fd

winload

hypervisorhostip

0x250000fe

winload

hypervisorhostport

0x25000100

winload

tpmbootentropy

0x25000113

winload

hypervisorrootproc

0x25000115

winload

hypervisoriommupolicy

0x25000120

winload

xsavepolicy

0x25000121

winload

xsaveaddfeature0

0x25000122

winload

xsaveaddfeature1

0x25000123

winload

xsaveaddfeature2

0x25000124

winload

xsaveaddfeature3

0x25000125

winload

xsaveaddfeature4

0x25000126

winload

xsaveaddfeature5

0x25000127

winload

xsaveaddfeature6

0x25000128

winload

xsaveaddfeature7

0x25000129

winload

xsaveremovefeature

0x2500012a

winload

xsaveprocessorsmask

0x2500012b

winload

xsavedisable

0x25000130

winload

claimedtpmcounter

0x26000004

winload

stampdisks

0x26000010

winload

detecthal

0x26000024

winload

nocrashautoreboot

0x26000030

winload

nolowmem

0x26000040

winload

vga

0x26000041

winload

quietboot

0x26000042

winload

novesa

0x26000043

winload

novga

0x26000051

winload

usephysicaldestination

0x26000054

winload

uselegacyapicmode

0x26000060

winload

onecpu

0x26000062

winload

maxproc

0x26000064

winload

maxgroup

0x26000065

winload

groupaware

0x26000070

winload

usefirmwarepcisettings

0x26000090

winload

bootlog

0x26000091

winload

sos

0x260000a1

winload

halbreakpoint

0x260000a2

winload

useplatformclock

0x260000a3

winload

forcelegacyplatform

0x260000a4

winload

useplatformtick

0x260000a5

winload

disabledynamictick

0x260000b0

winload

ems

0x260000c3

winload

onetimeadvancedoptions

0x260000c4

winload

onetimeoptionsedit

0x260000e1

winload

disableelamdrivers

0x260000f8

winload

hypervisordisableslat

0x260000fc

winload

hypervisoruselargevtlb

0x26000114

winload

hypervisordhcp

0x21000005

winresume

associatedosdevice

0x25000007

winresume

bootux

0x25000008

winresume

bootmenupolicy

0x26000003

winresume

customsettings

0x26000004

winresume

pae

0x25000001

memtest

passcount

0x25000002

memtest

testmix

0x25000005

memtest

stridefailcount

0x25000006

memtest

invcfailcount

0x25000007

memtest

matsfailcount

0x25000008

memtest

randfailcount

0x25000009

memtest

chckrfailcount

0x26000003

memtest

cacheenable

0x26000004

memtest

failuresenabled
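Review bot: The example in "Customizing BCD validation settings" names the setting inconsistently: "as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid". The default validation profile table lists 0x26000022 / winload / winpe, so "win-pe" is a typo for "winpe". Several sentences in the same section need grammar fixes to be usable as instructions: "To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings" needs a comma after "validates"; "Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true." should read "A setting that applies to all boot applications may also be applied to an individual application; the reverse is not true."; "Not all BCD settings have friendly names, for those settings the hex value is the only way" is a comma splice; and "yield the same value" would be clearer as "refer to the same setting". In the "Full list of friendly names" intro, "BitLocker–protected" uses an en dash where a hyphen is intended.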

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md new file mode 100644 index 0000000000..e6eceae5d1 --- /dev/null +++ b/windows/keep-secure/bitlocker-basic-deployment.md 
@@ -0,0 +1,665 @@ +--- +title: BitLocker basic deployment (Windows 10) +description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. +ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker basic deployment + + +**Applies to** + +- Windows 10 + +This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. + +The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization: + +- [Using BitLocker to encrypt volumes](#bkmk-dep1) + +- [Down-level compatibility](#bkmk-dep2) + +- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3) + +- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4) + +## Using BitLocker to encrypt volumes + + +BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. + +In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. + +**Note**   +For more info about using this tool, see [Bdehdcfg](http://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference. 
+ +  + +BitLocker encryption can be done using the following methods: + +- BitLocker control panel + +- Windows Explorer + +- manage-bde command line interface + +- BitLocker Windows PowerShell cmdlets + +### Encrypting volumes using the BitLocker control panel + +Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. + +To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). + +### Operating system volume + +Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RequirementDescription

Hardware configuration

The computer must meet the minimum requirements for the supported Windows versions.

Operating system

BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.

Hardware TPM

TPM version 1.2 or 2.0

+

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.

BIOS configuration

    +
  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.

  • +
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.

  • +
  • The firmware must be able to read from a USB flash drive during startup.

  • +

File system

For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.

+

For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.

+

For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.

Hardware encrypted drive prerequisites (optional)

To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.

+ +  + +Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. + +Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. + +You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. + +When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. 
There are two options: + +- Encrypt used disk space only - Encrypts only disk space that contains data + +- Encrypt entire drive - Encrypts the entire volume including free space + +It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. + +**Note**   +Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + +  + +Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. + +After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. + +Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off. + +### Data volume + +Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard. 
+ +Unlike for operating system volumes, data volumes are not required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. + +After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. + +With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it is recommended that used space only encryption is selected. + +With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption. + +Encryption status displays in the notification area or within the BitLocker control panel. + +### OneDrive option + +There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain. + +Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. 
For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. + +### Using BitLocker within Windows Explorer + +Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. + +## Down-level compatibility + + +The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows. + +Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Encryption Type

Windows 10 and Windows 8.1

Windows 8

Windows 7

Fully encrypted on Windows 8

Presents as fully encrypted

N/A

Presented as fully encrypted

Used Disk Space Only encrypted on Windows 8

Presents as encrypt on write

N/A

Presented as fully encrypted

Fully encrypted volume from Windows 7

Presents as fully encrypted

Presented as fully encrypted

N/A

Partially encrypted volume from Windows 7

Windows 10 and Windows 8.1 will complete encryption regardless of policy

Windows 8 will complete encryption regardless of policy

N/A

+ +  + +### Encrypting volumes using the manage-bde command line interface + +Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx). + +Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. + +Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. + +### Operating system volume + +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. + +**Determining volume status** + +A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: + +``` syntax +manage-bde -status +``` + +This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. 
+ +**Enabling BitLocker without a TPM** + +For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process. + +``` syntax +manage-bde –protectors -add C: -startupkey E: +manage-bde -on C: +``` + +**Enabling BitLocker with a TPM only** + +It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: + +``` syntax +manage-bde -on C: +``` + +This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command: + +``` syntax + manage-bde -protectors -get +``` + +**Provisioning BitLocker with two protectors** + +Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: + +``` syntax +manage-bde -protectors -add C: -pw -sid +``` + +This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on. + +### Data volume + +Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. 
It is recommended that at least one primary protector and a recovery protector be added to a data volume. + +**Enabling BitLocker with a password** + +A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. + +``` syntax +manage-bde -protectors -add -pw C: +manage-bde -on C: +``` + +## Using manage-bde to encrypt volumes with BitLocker + + +### Encrypting volumes using the BitLocker Windows PowerShell cmdlets + +Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Parameters

Add-BitLockerKeyProtector

-ADAccountOrGroup

+

-ADAccountOrGroupProtector

+

-Confirm

+

-MountPoint

+

-Password

+

-PasswordProtector

+

-Pin

+

-RecoveryKeyPath

+

-RecoveryKeyProtector

+

-RecoveryPassword

+

-RecoveryPasswordProtector

+

-Service

+

-StartupKeyPath

+

-StartupKeyProtector

+

-TpmAndPinAndStartupKeyProtector

+

-TpmAndPinProtector

+

-TpmAndStartupKeyProtector

+

-TpmProtector

+

-WhatIf

Backup-BitLockerKeyProtector

-Confirm

+

-KeyProtectorId

+

-MountPoint

+

-WhatIf

Disable-BitLocker

-Confirm

+

-MountPoint

+

-WhatIf

Disable-BitLockerAutoUnlock

-Confirm

+

-MountPoint

+

-WhatIf

Enable-BitLocker

-AdAccountOrGroup

+

-AdAccountOrGroupProtector

+

-Confirm

+

-EncryptionMethod

+

-HardwareEncryption

+

-Password

+

-PasswordProtector

+

-Pin

+

-RecoveryKeyPath

+

-RecoveryKeyProtector

+

-RecoveryPassword

+

-RecoveryPasswordProtector

+

-Service

+

-SkipHardwareTest

+

-StartupKeyPath

+

-StartupKeyProtector

+

-TpmAndPinAndStartupKeyProtector

+

-TpmAndPinProtector

+

-TpmAndStartupKeyProtector

+

-TpmProtector

+

-UsedSpaceOnly

+

-WhatIf

Enable-BitLockerAutoUnlock

-Confirm

+

-MountPoint

+

-WhatIf

Get-BitLockerVolume

-MountPoint

Lock-BitLocker

-Confirm

+

-ForceDismount

+

-MountPoint

+

-WhatIf

Remove-BitLockerKeyProtector

-Confirm

+

-KeyProtectorId

+

-MountPoint

+

-WhatIf

Resume-BitLocker

-Confirm

+

-MountPoint

+

-WhatIf

Suspend-BitLocker

-Confirm

+

-MountPoint

+

-RebootCount

+

-WhatIf

Unlock-BitLocker

-AdAccountOrGroup

+

-Confirm

+

-MountPoint

+

-Password

+

-RecoveryKeyPath

+

-RecoveryPassword

+

-RecoveryPassword

+

-WhatIf

+ +  + +Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. + +Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. + +**Note**   +In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. + +  + +``` syntax +Get-BitLockerVolume C: | fl +``` + +If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. + +A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: + +``` syntax +$vol = Get-BitLockerVolume +$keyprotectors = $vol.KeyProtector +``` + +Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. 
+ +Using this information, we can then remove the key protector for a specific volume using the command: + +``` syntax +Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" +``` + +**Note**   +The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + +  + +### Operating system volume + +Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. + +To enable BitLocker with just the TPM protector. This can be done using the command: + +``` syntax +Enable-BitLocker C: +``` + +The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. + +``` syntax +Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest +``` + +### Data volume + +Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. + +``` syntax +$pw = Read-Host -AsSecureString + +Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw +``` + +### Using a SID based protector in Windows PowerShell + +The ADAccountOrGroup protector is an Active Directory SID-based protector. 
This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. + +**Warning**   +The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. + +  + +To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. + +``` syntax +Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator +``` + +For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: + +``` syntax +get-aduser -filter {samaccountname -eq "administrator"} +``` + +**Note**   +Use of this command requires the RSAT-AD-PowerShell feature. + +  + +**Tip**   +In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +  + +In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. 
The user knows the SID for the user account or group they wish to add and uses the following command: + +``` syntax +Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" +``` + +**Note**   +Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. + +  + +## Using PowerShell to encrypt volumes with BitLocker + + +### Checking BitLocker status + +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. + +### Checking BitLocker status with the control panel + +Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume will display next to the volume description and drive letter. Available status return values with the control panel include: + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

Status

Description

On

BitLocker is enabled for the volume

Off

BitLocker is not enabled for the volume

Suspended

BitLocker is suspended and not actively protecting the volume

Waiting for Activation

BitLocker is enabled with a clear protector key and requires further action to be fully protected

+ +  + +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. + +Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. + +The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. + +Once BitLocker protector activation is completed, the completion notice is displayed. + +### Checking BitLocker status with manage-bde + +Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. + +To check the status of a volume using manage-bde, use the following command: + +``` syntax +manage-bde -status +``` + +**Note**   +If no volume letter is associated with the -status command, all volumes on the computer display their status. + +  + +### Checking BitLocker status with Windows PowerShell + +Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. 
+ +Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: + +``` syntax +Get-BitLockerVolume -Verbose | fl +``` + +This command will display information about the encryption method, volume type, key protectors, etc. + +### Provisioning BitLocker during operating system deployment + +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. + +### Decrypting BitLocker volumes + +Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption should not occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We will discuss each method further below. + +### Decrypting volumes using the BitLocker control panel applet + +BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process. + +Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel. + +The control panel does not report decryption progress but displays it in the notification area of the task bar. 
Selecting the notification area icon will open a modal dialog with progress. + +Once decryption is complete, the drive will update its status in the control panel and is available for encryption. + +### Decrypting volumes using the manage-bde command line interface + +Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: + +``` syntax +manage-bde -off C: +``` + +This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: + +``` syntax +manage-bde -status C: +``` + +### Decrypting volumes using the BitLocker Windows PowerShell cmdlets + +Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. + +Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: + +``` syntax +DisableBitLocker +``` + +If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. 
An example command is: + +``` syntax +Disable-BitLocker -MountPoint E:,F:,G: +``` + +## See also + + +[Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + + +[BitLocker recovery guide](bitlocker-recovery-guide-plan.md) + + +[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + + +[BitLocker overview](bitlocker-overview.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md new file mode 100644 index 0000000000..2b1a79a0b6 --- /dev/null +++ b/windows/keep-secure/bitlocker-countermeasures.md 
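Review bot: several command examples in this hunk will not run as written and should be corrected before merge. In the PowerShell "Data volume" section, `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw` names a cmdlet that does not exist in the page's own cmdlet table (the table lists `Enable-BitLocker` and `Add-BitLockerKeyProtector`), and since the surrounding sentence says encryption begins with this command, `Enable-BitLocker E: -PasswordProtector -Password $pw` is the intended form. The decryption example `DisableBitLocker` is missing its hyphen (the sentence before it correctly says Disable-BitLocker). `Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"` has lost the drive letter before the colon, and `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest` gives -StartupKeyPath no argument; both should carry an explicit placeholder so readers do not copy an incomplete command. Smaller points: "the `Get-BitLocker` volume cmdlet" should read `Get-BitLockerVolume`; the Unlock-BitLocker row of the cmdlet table lists -RecoveryPassword twice; the two `manage-bde -on ` fragments end in a trailing space where a volume placeholder belongs; "described later in this document" in the deployment-provisioning paragraph refers to the Used Disk Space Only option, which is described earlier; "by opening the directly" in the control panel decryption paragraph is missing a noun; and the See also link text contains a stray backslash in "p\\olicies".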
@@ -0,0 +1,172 @@ +--- +title: BitLocker Countermeasures (Windows 10) +description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. +ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker Countermeasures + + +**Applies to** + +- Windows 10 + +Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. + +BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by: + +- **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files. + +- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer. 
+ +The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup. + +### Protection before startup + +Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM. + +**Trusted Platform Module** + +Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. + +A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process. + +By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. + +For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md). + +**UEFI and Secure Boot** + +No operating system can protect a device when the operating system is offline. 
For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys. + +The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating system’s bootloader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature. + +Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the device’s firmware before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. + +Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. + +With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes. 
+ +![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg) + +**Figure 1.** The BIOS and UEFI startup processes + +With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. + +If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed. + +All Windows 8–certified devices must meet several requirements related to UEFI-based Secure Boot: + +- They must have Secure Boot enabled by default. + +- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). + +- They must allow the user to configure Secure Boot to trust other signed bootloaders. + +- Except for Windows RT devices, they must allow the user to completely disable Secure Boot. + +These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: + +- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of Secure Boot on Windows-certified devices. + +- **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems. + +- **Turn off Secure Boot.** You can turn off Secure Boot. 
This does not help protect you from bootkits, however. + +To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. + +Any device that doesn’t require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. + +UEFI is secure by design, but it’s critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly. + +For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](http://technet.microsoft.com/windows/dn168167.aspx). + +### Protection during pre-boot: Pre-boot authentication + +Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key. + +If Windows can’t access the encryption key, the device can’t read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won’t be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key. 
+ +The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That’s merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future. + +On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: + +- **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data. + +- **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. + +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. + +- **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. 
+ +For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself. + +Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks). + +BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later InstantGo devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-InstantGo Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy. 
+ +Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however. + +You can mitigate the risk of booting to a malicious operating system: + +- **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option. + +- **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot. + +### Protection During Startup + +During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail. + +**Trusted Boot** + +Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. + +Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. 
However, without Secure Boot, it’s possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled. + +**Early Launch Antimalware** + +Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. + +The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. + +With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. + +ELAM classifies drivers as follows: + +- **Good.** The driver has been signed and has not been tampered with. + +- **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized. + +- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. + +- **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver. 
+ +While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack. + +### Protection After Startup: eliminate DMA availability + +Windows InstantGo–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA. + +## See also + + +- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md) + +- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) + +- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) + +- [BitLocker overview](bitlocker-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md new file mode 100644 index 0000000000..0d127689fd --- /dev/null +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md 
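Review bot: In the UEFI paragraph near the top of this hunk, "only the PC's hardware manufacturer has access to the digital certificate required to create a valid firmware signature" names the wrong artifact: a signature is produced with the manufacturer's private signing key, while the certificate is the public half that the firmware uses to verify it, so suggest "has access to the private signing key required to create a valid firmware signature" (the later "signed using a trusted certificate" wording describes verification and can stay). Two smaller points in the same hunk: "UEFI is secure by design" sits oddly two sentences before the acknowledgement that well-publicized attacks have exploited faulty UEFI implementations; "Secure Boot, when implemented correctly, is designed to be secure, but it's critical to protect..." would match the rest of that paragraph. And the file ends with a doubled blank line after "## See also" plus several lines that contain only whitespace (apparently non-breaking spaces) after the last list item; those trailing lines should be dropped.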
@@ -0,0 +1,507 @@ +--- +title: BitLocker frequently asked questions (FAQ) (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker frequently asked questions (FAQ) + + +**Applies to** + +- Windows 10 + +This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. + +BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. + +- [Overview and requirements](#bkmk-overview) + +- [Upgrading](#bkmk-upgrading) + +- [Deployment and administration](#bkmk-deploy) + +- [Key management](#bkmk-keymanagement) + +- [BitLocker To Go](#bkmk-btgsect) + +- [Active Directory Domain Services (AD DS)](#bkmk-adds) + +- [Security](#bkmk-security) + +- [BitLocker Network Unlock](#bkmk-bnusect) + +- [Other questions](#bkmk-other) + +## Overview and requirements + + +### How does BitLocker work? + +**How BitLocker works with operating system drives** + +You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. 
+ +**How BitLocker works with fixed and removable data drives** + +You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + +### Does BitLocker support multifactor authentication? + +Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + +### What are the BitLocker hardware and software requirements? + +**Note**   +Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. + +  + +### Why are two partitions required? Why does the system drive have to be so large? + +Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. + +### Which Trusted Platform Modules (TPMs) does BitLocker support? + +BitLocker supports TPM version 1.2 or higher. + +### How can I tell if a TPM is on my computer? + +Open the TPM MMC console (tpm.msc) and look under the **Status** heading. + +### Can I use BitLocker on an operating system drive without a TPM? + +Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. 
This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. + +To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. + +### How do I obtain BIOS support for the TPM on my computer? + +Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: + +- It is compliant with the TCG standards for a client computer. + +- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. + +### What credentials are required to use BitLocker? + +To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. + +### What is the recommended boot order for computers that are going to be BitLocker-protected? + +You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. 
The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  + +## Upgrading + + +### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? + +Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key. + +### What is the difference between suspending and decrypting BitLocker? + +**Decrypt** completely removes BitLocker protection and fully decrypts the drive. + +**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. + +### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? + +The following table lists what action you need to take before you perform an upgrade or update installation. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Type of updateAction

Windows Anytime Upgrade

Decrypt

Upgrade to Windows 10

Suspend

Non-Microsoft software updates, such as:

+
    +
  • Computer manufacturer firmware updates

  • +
  • TPM firmware updates

  • +
  • Non-Microsoft application updates that modify boot components

  • +

Suspend

Software and operating system updates from Windows Update

Nothing

+ +  + +**Note**   +If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. + +  + +## Deployment and administration + + +### Can BitLocker deployment be automated in an enterprise environment? + +Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](http://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx). + +### Can BitLocker encrypt more than just the operating system drive? + +Yes. + +### Is there a noticeable performance impact when BitLocker is enabled on a computer? + +Generally it imposes a single-digit percentage performance overhead. + +### How long will initial encryption take when BitLocker is turned on? + +Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. 
+ +You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + +### What happens if the computer is turned off during encryption or decryption? + +If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. + +### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? + +No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + +### How can I prevent users on a network from storing data on an unencrypted drive? + +You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + +When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + +### What system changes would cause the integrity check on my operating system drive to fail? 
+ +The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: + +- Moving the BitLocker-protected drive into a new computer. + +- Installing a new motherboard with a new TPM. + +- Turning off, disabling, or clearing the TPM. + +- Changing any boot configuration settings. + +- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + +### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? + +Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + +### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? + +Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + +### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? 
+ +Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. + +### Why is "Turn BitLocker on" not available when I right-click a drive? + +Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + +### What type of disk configurations are supported by BitLocker? + +Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. + +## Key management + + +### What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? + +There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require. + +### How can the recovery password and recovery key be stored? + +The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. 
+ +For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + +A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + +### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? + +You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: + +**manage-bde –protectors –delete %systemdrive% -type tpm** + +**manage-bde –protectors –add %systemdrive% -tpmandpin** *<4-20 digit numeric PIN>* + +### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? + +BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. + +**Important**   +Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. + +  + +### Can the USB flash drive that is used as the startup key also be used to store the recovery key? + +While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. 
In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + +### Can I save the startup key on multiple USB flash drives? + +Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + +### Can I save multiple (different) startup keys on the same USB flash drive? + +Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + +### Can I generate multiple (different) startup keys for the same computer? + +You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + +### Can I generate multiple PIN combinations? + +You cannot generate multiple PIN combinations. + +### What encryption keys are used in BitLocker? How do they work together? + +Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + +### Where are the encryption keys stored? + +The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. + +This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. 
The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + +### Why do I have to use the function keys to enter the PIN or the 48-character recovery password? + +The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + +When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. + +### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? + +It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + +The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. + +After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + +### How can I determine the manufacturer of my TPM? 
+ +You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading. + +### How can I evaluate a TPM's dictionary attack mitigation mechanism? + +The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + +- How many failed authorization attempts can occur before lockout? + +- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? + +- What actions can cause the failure count and lockout duration to be decreased or reset? + +### Can PIN length and complexity be managed with Group Policy? + +Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + +For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + +## BitLocker To Go + + +BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. + +## Active Directory Domain Services (AD DS) + + +### What if BitLocker is enabled on a computer before the computer has joined the domain? + +If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. 
However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. + +For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + +The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. + +**Important**   +Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). + +  + +### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? + +Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. 
+ +Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. + +### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? + +No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. + +### What happens if the backup initially fails? Will BitLocker retry the backup? + +If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. + +When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. + +For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). 
+ +When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored. + +## Security + + +### What form of encryption does BitLocker use? Is it configurable? + +BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. + +### What is the best practice for using BitLocker on an operating system drive? + +The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + +### What are the implications of using the sleep or hibernate power management options? + +BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. 
+ +### What are the advantages of a TPM? + +Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. + +**Note**   +Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. + +  + +## BitLocker Network Unlock + + +BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. + +To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. + +BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. + +Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. 
If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + +For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + +## Other questions + + +### Can I run a kernel debugger with BitLocker? + +Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + +### How does BitLocker handle memory dumps? + +BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. + +### Can BitLocker support smart cards for pre-boot authentication? + +BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. + +### Can I use a non-Microsoft TPM driver? + +Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + +### Can other tools that manage or modify the master boot record work with BitLocker? + +We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. 
Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. + +### Why is the system check failing when I am encrypting my operating system drive? + +The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + +- The computer's BIOS or UEFI firmware cannot read USB flash drives. + +- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. + +- There are multiple USB flash drives inserted into the computer. + +- The PIN was not entered correctly. + +- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. + +- The startup key was removed before the computer finished rebooting. + +- The TPM has malfunctioned and fails to unseal the keys. + +### What can I do if the recovery key on my USB flash drive cannot be read? + +Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. 
Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + +### Why am I unable to save my recovery key to my USB flash drive? + +The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + +### Why am I unable to automatically unlock my drive? + +Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + +### Can I use BitLocker in Safe Mode? + +Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + +### How do I "lock" a data drive? + +Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. + +**Note**   +Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. + +  + +The syntax of this command is: + +**manage-bde** *<driveletter>* **-lock** + +Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. + +### Can I use BitLocker with the Volume Shadow Copy Service? + +Yes. 
However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + +### Does BitLocker support virtual hard disks (VHDs)? + +BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. + +## More information + + +- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + +- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + +- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) + +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + +- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) + +- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + +- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) + +- [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d) + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md new file mode 100644 index 0000000000..ca750b9147 --- /dev/null +++ b/windows/keep-secure/bitlocker-group-policy-settings.md 
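Review bot: The lock command in the "How do I "lock" a data drive?" answer is written with an en dash, `–lock`, rather than the hyphen that manage-bde accepts, so the command fails if a reader copies it as shown; the syntax line `**manage-bde** *<driveletter>* **-lock**` also leaves `<driveletter>` unescaped, which most Markdown renderers drop as an unknown HTML tag, so put the whole line in a code span (`manage-bde <driveletter> -lock`) or escape it as `&lt;driveletter&gt;`. Smaller points in the same hunk: "if it can ot be connected to the network" in the Network Unlock section is missing an "n"; "uEFI firmware" in the system-check list should be "UEFI firmware" to match the rest of the topic; the AD DS backup answer names the policy "Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)" while the same policy is elsewhere written "...Active Directory Domain Services (Windows Server 2008 and Windows Vista)"; and the link `#bkmk-adretro` relies on a bookmark that the target heading ("What if BitLocker is enabled on a computer before the computer has joined the domain?") does not define in this hunk, so confirm an explicit anchor exists or the in-page link will not resolve.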
@@ -0,0 +1,2724 @@ +--- +title: BitLocker Group Policy settings (Windows 10) +description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. +ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker Group Policy settings + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. + +To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. + +**Note**   +A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](trusted-platform-module-services-group-policy-settings.md). + +  + +BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. + +Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. 
When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. + +If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. + +## BitLocker Group Policy settings + + +The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. + +The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. 
+ +- [Allow network unlock at startup](#bkmk-netunlock) + +- [Require additional authentication at startup](#bkmk-unlockpol1) + +- [Allow enhanced PINs for startup](#bkmk-unlockpol2) + +- [Configure minimum PIN length for startup](#bkmk-unlockpol3) + +- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) + +- [Configure use of passwords for operating system drives](#bkmk-ospw) + +- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) + +- [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5) + +- [Configure use of passwords on fixed data drives](#bkmk-unlockpol6) + +- [Configure use of smart cards on removable data drives](#bkmk-unlockpol7) + +- [Configure use of passwords on removable data drives](#bkmk-unlockpol8) + +- [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9) + +- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates) + +The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers. + +- [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1) + +- [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2) + +- [Control use of BitLocker on removable drives](#bkmk-driveaccess3) + +The following policy settings determine the encryption methods and encryption types that are used with BitLocker. 
+ +- [Choose drive encryption method and cipher strength](#bkmk-encryptmeth) + +- [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd) + +- [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd) + +- [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd) + +- [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd) + +- [Enforce drive encryption type on operating system drives](#bkmk-detypeosd) + +- [Enforce drive encryption type on removable data drives](#bkmk-detyperdd) + +The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + +- [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) + +- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) + +- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) + +- [Choose default folder for recovery password](#bkmk-rec4) + +- [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) + +- [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) + +- [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot) + +The following policies are used to support customized deployment scenarios in your organization. 
+ +- [Allow Secure Boot for integrity validation](#bkmk-secboot) + +- [Provide the unique identifiers for your organization](#bkmk-depopt1) + +- [Prevent memory overwrite on restart](#bkmk-depopt2) + +- [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios) + +- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3) + +- [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi) + +- [Reset platform validation data after BitLocker recovery](#bkmk-resetrec) + +- [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) + +- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) + +- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) + +### Allow network unlock at startup + +This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.

When disabled or not configured

Clients cannot create and use Network Key Protectors

+ +  + +**Reference** + +To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. + +**Note**   +For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. + +  + +For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + +### Require additional authentication at startup + +This policy setting is used to control which unlock options are available for operating system drives. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If one authentication method is required, the other methods cannot be allowed.

+

Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When enabled

Users can configure advanced startup options in the BitLocker Setup Wizard.

When disabled or not configured

Users can configure only basic options on computers with a TPM.

+

Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

+ +  + +**Reference** + +If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive. + +On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use: + +- only the TPM for authentication + +- insertion of a USB flash drive containing the startup key + +- the entry of a 4-digit to 20-digit personal identification number (PIN) + +- a combination of the PIN and the USB flash drive + +There are four options for TPM-enabled computers or devices: + +- Configure TPM startup + + - Allow TPM + + - Require TPM + + - Do not allow TPM + +- Configure TPM startup PIN + + - Allow startup PIN with TPM + + - Require startup PIN with TPM + + - Do not allow startup PIN with TPM + +- Configure TPM startup key + + - Allow startup key with TPM + + - Require startup key with TPM + + - Do not allow startup key with TPM + +- Configure TPM startup key and PIN + + - Allow TPM startup key with PIN + + - Require startup key and PIN with TPM + + - Do not allow TPM startup key with PIN + +### Allow enhanced PINs for startup + +This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.

When disabled or not configured

Enhanced PINs will not be used.

+ +  + +**Reference** + +Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. + +**Important**   +Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. + +  + +### Configure minimum PIN length for startup + +This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can require that users enter a minimum number of digits to when setting their startup PINs.

When disabled or not configured

Users can configure a startup PIN of any length between 4 and 20 digits.

+ +  + +**Reference** + +This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + +### Disallow standard users from changing the PIN or password + +This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Standard users are not allowed to change BitLocker PINs or passwords.

When disabled or not configured

Standard users are permitted to change BitLocker PINs or passwords.

+ +  + +**Reference** + +To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. + +### Configure use of passwords for operating system drives + +This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

Passwords cannot be used if FIPS-compliance is enabled.

+
+Note   +

The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

+
+
+  +

When enabled

Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

When disabled or not configured

The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.

+ +  + +**Reference** + +If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. + +**Note**   +These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +  + +When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. + +Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. + +When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: + +- Allow password complexity + +- Do not allow password complexity + +- Require password complexity + +### Require additional authentication at startup (Windows Server 2008 and Windows Vista) + +This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
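Review bot: "a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password" in the Reference for Configure use of passwords for operating system drives is missing "of" ("the complexity of the password"); the same wording recurs in the Reference for Configure use of passwords on removable data drives further down. The same Reference also says the complexity option only works when Password must meet complexity requirements under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy is enabled, yet the Conflicts cell of this table mentions only FIPS compliance; adding that dependency to the Conflicts cell would match how the fixed and removable data drive password tables document it.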

Policy description

With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

Introduced

Windows Server 2008 and Windows Vista

Drive type

Operating system drives (Windows Server 2008 and Windows Vista)

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If you choose to require an additional authentication method, other authentication methods cannot be allowed.

When enabled

The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.

When disabled or not configured

The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

+ +  + +**Reference** + +On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN. + +A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive. + +There are two options for TPM-enabled computers or devices: + +- Configure TPM startup PIN + + - Allow startup PIN with TPM + + - Require startup PIN with TPM + + - Do not allow startup PIN with TPM + +- Configure TPM startup key + + - Allow startup key with TPM + + - Require startup key with TPM + + - Do not allow startup key with TPM + +These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur. + +To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN. + +### Configure use of smart cards on fixed data drives + +This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

When enabled

Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

When disabled

Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.

When not configured

Smart cards can be used to authenticate user access to a BitLocker-protected drive.

+ +  + +**Reference** + +**Note**   +These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. + +  + +### Configure use of passwords on fixed data drives + +This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

When enabled

Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

When disabled

The user is not allowed to use a password.

When not configured

Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

+ +  + +**Reference** + +When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. + +When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the actual password complexity, and the drive is encrypted by using that password as a protector. + +When set to **Do not allow complexity**, no password complexity validation is performed. + +Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. + +**Note**   +These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +  + +For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. + +This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive. 
+ +Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. + +**Important**   +Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + +  + +### Configure use of smart cards on removable data drives + +This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

When enabled

Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

When disabled or not configured

Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

When not configured

Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.
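Review bot: the Configure use of smart cards on removable data drives table has contradictory rows: "When disabled or not configured" says users are not allowed to use smart cards, and the next row, "When not configured", says smart cards are available. The fixed data drive counterpart above labels the first row "When disabled"; suggest the same here so the not-configured behaviour is stated only once.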

+ +  + +**Reference** + +**Note**   +These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +  + +### Configure use of passwords on removable data drives + +This policy setting is used to require, allow, or deny the use of passwords with removable data drives. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

When enabled

Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

When disabled

The user is not allowed to use a password.

When not configured

Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

+ +  + +**Reference** + +If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. + +**Note**   +These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +  + +Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. + +When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. + +When set to **Allow complexity**, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector. + +When set to **Do not allow complexity**, no password complexity validation will be done. + +**Note**   +Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + +  + +For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852211.aspx). 
+ +### Validate smart card certificate usage rule compliance + +This policy setting is used to determine what certificate to use with BitLocker. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed and removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

When disabled or not configured

The default object identifier is used.

+ +  + +**Reference** + +This policy setting is applied when you turn on BitLocker. + +The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. + +The default object identifier is 1.3.6.1.4.1.311.67.1.1. + +**Note**   +BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. + +  + +### Enable use of BitLocker authentication requiring preboot keyboard input on slates + +This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drive

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

Conflicts

None

When enabled

Devices must have an alternative means of preboot input (such as an attached USB keyboard).

When disabled or not configured

The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.

+ +  + +**Reference** + +The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. + +It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. + +When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + +If you do not enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: + +- Configure TPM startup PIN: Required and Allowed + +- Configure TPM startup key and PIN: Required and Allowed + +- Configure use of passwords for operating system drives + +### Deny write access to fixed drives not protected by BitLocker + +This policy setting is used to require encryption of fixed drives prior to granting Write access. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
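Review bot: the third bullet under "the following options in the Require additional authentication at startup policy might not be available" names Configure use of passwords for operating system drives, which this page documents above as a separate policy setting rather than an option of Require additional authentication at startup; suggest splitting it out as "and the Configure use of passwords for operating system drives policy setting". In the same table the Drive type and Policy path cells use the singular "Operating system drive" / "Operating System Drive", while every other operating system drive table on this page uses "Operating System Drives"; the path in particular should match the others.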

Policy description

With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

See the Reference section for a description of conflicts.

When enabled

All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

When disabled or not configured

All fixed data drives on the computer are mounted with Read and Write access.

+ +  + +**Reference** + +This policy setting is applied when you turn on BitLocker. + +Conflict considerations include: + +1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. + +2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues: + + - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition is not formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." + + - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." + + - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." + +3. If this policy setting is enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. 
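Review bot: item 1 of the conflict list for Deny write access to fixed drives not protected by BitLocker ends with "See the Reference section for additional conflicts." but the list is already inside the Reference section, so the pointer is circular; suggest dropping that sentence (the Conflicts cell of the table already sends readers here). Item 3 gives a remedy ("create the required BitLocker system partition before you apply this policy setting"), while item 2 only lists the BdeHdCfg.exe failures; stating in item 2 that BdeHdCfg.exe should be run before the policy is applied would make the guidance consistent.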
+ +### Deny write access to removable drives not protected by BitLocker + +This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

See the Reference section for a description of conflicts.

When enabled

All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

When disabled or not configured

All removable data drives on the computer are mounted with Read and Write access.

+ +  + +**Reference** + +If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. + +**Note**   +You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. + +  + +Conflict considerations include: + +1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. + +2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. + +3. You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization. + +### Control use of BitLocker on removable drives + +This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
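Review bot: conflict items 1 and 2 under Deny write access to removable drives not protected by BitLocker state that TPM plus startup key and recovery keys must be disallowed but not why; since the Require additional authentication at startup reference on this page describes the startup key as living on a USB drive, a clause such as "because the key file must be written to a removable drive, which this policy mounts read-only unless it is BitLocker-protected" would make the conflict understandable. The Note that the User Configuration Removable Disks: Deny write access setting causes this policy to be ignored is also a conflict and belongs in the table's Conflicts cell, which currently only says "See the Reference section for a description of conflicts."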

Policy description

With this policy setting, you can control the use of BitLocker on removable data drives.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

None

When enabled

You can select property settings that control how users can configure BitLocker.

When disabled

Users cannot use BitLocker on removable data drives.

When not configured

Users can use BitLocker on removable data drives.

+ +  + +**Reference** + +This policy setting is applied when you turn on BitLocker. + +For information about suspending BitLocker protection, see [BitLocker Basic Deployment](http://technet.microsoft.com/library/dn383581.aspx). + +The options for choosing property settings that control how users can configure BitLocker are: + +- **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive. + +- **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. + +### Choose drive encryption method and cipher strength + +This policy setting is used to control the encryption method and cipher strength. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can control the encryption method and strength for drives.

Introduced

Windows Server 2012 and Windows 8

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

When disabled or not configured

BitLocker uses the default encryption method of AES 128-bit or the encryption method that is specified by the setup script.

+ +  + +**Reference** + +By default, BitLocker uses AES 128-bit encryption. Available options are AES-128 and AES-256. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). + +Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. + +**Warning**   +This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. + +  + +When this policy setting is disabled, BitLocker uses AES with the same bit strength (128-bit or 256-bit) as specified in the policy setting **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)**. If neither policy is set, BitLocker uses the default encryption method, AES-128, or the encryption method that is specified in the setup script. + +### Configure use of hardware-based encryption for fixed data drives + +This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
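Review bot: the "When disabled or not configured" cell for Choose drive encryption method and cipher strength says BitLocker uses the default AES 128-bit method, but the Reference says that when the policy is disabled BitLocker takes its bit strength from the older Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7) policy and only falls back to AES-128 if neither is set; the cell should state the same fallback order. The Warning "This policy does not apply to encrypted drives" also reads ambiguously right after text about encrypting drives; "drives that use hardware-based encryption", the term the following sections use, would be clearer.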

Policy description

With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.

Introduced

Windows Server 2012 and Windows 8

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

None

When enabled

You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

When disabled

BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.
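Review bot: "BitLocker software-based encryption is used by default when the drive in encrypted" in the When disabled cell for fixed data drives should read "when the drive is encrypted"; the same typo appears in the When disabled cell of the operating system drives table that follows.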

When not configured

BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

+ +  + +**Reference** + +**Note**   +The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +  + +The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 + +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + +### Configure use of hardware-based encryption for operating system drives + +This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. |
| **Introduced** | Windows Server 2012 and Windows 8 |
| **Drive type** | Operating system drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
| **Conflicts** | None |
| **When enabled** | You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
| **When disabled** | BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive is encrypted. |
| **When not configured** | BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead. |

**Reference**

If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

**Note**  
The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.

The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:

- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2

- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

### Configure use of hardware-based encryption for removable data drives

This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. |
| **Introduced** | Windows Server 2012 and Windows 8 |
| **Drive type** | Removable data drive |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
| **Conflicts** | None |
| **When enabled** | You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
| **When disabled** | BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive is encrypted. |
| **When not configured** | BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead. |
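
The three hardware-based encryption settings (fixed, operating system and removable data drives) share one practical consequence: when a volume is hardware-encrypted, the **Choose drive encryption method and cipher strength** setting does not apply, and the cipher actually in use is whatever the drive was provisioned with, identified only by its OID. The script below is an added example, not code from this page or from Microsoft, that inventories every BitLocker volume, reports whether BitLocker's own software cipher or the drive's engine protects it, and checks a hardware-encrypted volume's OID against an allow list built from the two OIDs quoted in these sections. The allow list, the `Get-HardwareEncryptionOid` helper and the assumed `manage-bde -status` line format ("Hardware Encryption - <OID>") are assumptions; adjust the regular expression if your build prints the line differently. Later Windows updates (September 2019) changed BitLocker's default for newly encrypted drives to software encryption even where the drive advertises hardware encryption, so an inventory like this is how you find volumes still relying on the drive's firmware.

```powershell
# Added example (not from the original page): audit hardware- vs. software-based
# BitLocker encryption per volume. Requires the BitLocker PowerShell module
# (Windows 8 / Windows Server 2012 or later) and an elevated prompt.

# OIDs quoted in the policy reference; extend to match your restrict-algorithms policy.
$AllowedHardwareOids = @(
    '2.16.840.1.101.3.4.1.2',   # AES-128 in CBC mode
    '2.16.840.1.101.3.4.1.42'   # AES-256 in CBC mode
)

function Get-HardwareEncryptionOid {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Assumed manage-bde -status wording for an eDrive:
    #   Encryption Method: Hardware Encryption - 2.16.840.1.101.3.4.1.42
    # Any dotted-number token after the label is accepted as the OID.
    $status = & manage-bde.exe -status $MountPoint 2>$null
    foreach ($line in $status) {
        if ($line -match 'Hardware Encryption\s*-\s*(?<oid>\d+(?:\.\d+)+)') {
            return $Matches['oid']
        }
    }
    return $null
}

function Test-BitLockerHardwareEncryption {
    # One object per BitLocker volume: which engine protects it, and whether a
    # hardware OID is on the allow list. Software-encrypted volumes report 'n/a'.
    foreach ($vol in Get-BitLockerVolume) {
        $isHardware = ($vol.EncryptionMethod -eq 'Hardware')
        $oid = $null
        if ($isHardware) { $oid = Get-HardwareEncryptionOid -MountPoint $vol.MountPoint }

        $allowed = 'n/a'
        if ($isHardware) {
            $allowed = if ($oid -and ($AllowedHardwareOids -contains $oid)) { 'yes' } else { 'no' }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod  # 'Hardware' = the drive's own engine is in use
            HardwareOid      = $oid
            OidAllowed       = $allowed
        }
    }
}

$report = Test-BitLockerHardwareEncryption
$report | Format-Table -AutoSize

# Hardware-encrypted volumes whose algorithm is unknown or outside the allow list
# are the ones the restrict-algorithms option would have refused at enable time.
$report | Where-Object { $_.OidAllowed -eq 'no' } | ForEach-Object {
    Write-Warning "$($_.MountPoint): hardware encryption with OID '$($_.HardwareOid)' is not in the allow list."
}
```

Run it before and after changing the restrict-algorithms option: an already encrypted volume is not re-encrypted by a policy change, so a drive that shows up as hardware-encrypted with a disallowed OID stays that way until it is decrypted and encrypted again.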

**Reference**

If hardware-based encryption is not available, BitLocker software-based encryption is used instead.

**Note**  
The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.

The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:

- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2

- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

### Enforce drive encryption type on fixed data drives

This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can configure the encryption type that is used by BitLocker. |
| **Introduced** | Windows Server 2012 and Windows 8 |
| **Drive type** | Fixed data drive |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
| **Conflicts** | None |
| **When enabled** | This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. |
| **When disabled or not configured** | The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |

**Reference**

This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.

**Note**  
This policy is ignored when you are shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.

For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).

### Enforce drive encryption type on operating system drives

This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can configure the encryption type that is used by BitLocker. |
| **Introduced** | Windows Server 2012 and Windows 8 |
| **Drive type** | Operating system drive |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
| **Conflicts** | None |
| **When enabled** | The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
| **When disabled or not configured** | The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |

**Reference**

This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.

**Note**  
This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.

For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).

### Enforce drive encryption type on removable data drives

This policy controls whether removable data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can configure the encryption type that is used by BitLocker. |
| **Introduced** | Windows Server 2012 and Windows 8 |
| **Drive type** | Removable data drive |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
| **Conflicts** | None |
| **When enabled** | The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
| **When disabled or not configured** | The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
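
The three **Enforce drive encryption type** settings only decide what the wizard does at the moment BitLocker is turned on; an already encrypted volume is left as it is, and a Used Space Only volume that is later expanded gains free space that was never wiped. The script below is an added example rather than code from this page: it reads the enforced type for each drive class from the registry location the Group Policy templates write to, compares it with each volume's actual conversion status as reported by `manage-bde -status`, and offers to run `manage-bde -w` on Used Space Only volumes. The value names `OSEncryptionType`, `FDVEncryptionType` and `RDVEncryptionType` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, their meanings (1 = Full, 2 = Used Space Only) and the `Conversion Status:` wording are assumptions taken from the BitLocker policy template and tool output as I know them.

```powershell
# Added example (not from the original page): compare the enforced encryption type
# with the actual conversion status of each BitLocker volume, and wipe free space on
# Used Space Only volumes with manage-bde -w. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Assumed registry value names from the VolumeEncryption.admx template.
$EncryptionTypeValueName = @{
    OperatingSystem = 'OSEncryptionType'
    Fixed           = 'FDVEncryptionType'
    Removable       = 'RDVEncryptionType'
}
# Assumed meanings: 0 = user chooses in the wizard, 1 = Full, 2 = Used Space Only.
$EncryptionTypeName = @{ 0 = 'UserChoice'; 1 = 'Full'; 2 = 'UsedSpaceOnly' }

function Get-EnforcedEncryptionType {
    param([Parameter(Mandatory)][ValidateSet('OperatingSystem', 'Fixed', 'Removable')][string]$DriveClass)
    $name = $EncryptionTypeValueName[$DriveClass]
    $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # no policy: the wizard asks the user
    $value = [int]$item.$name
    if ($EncryptionTypeName.ContainsKey($value)) { return $EncryptionTypeName[$value] }
    return "Unknown($value)"
}

function Get-VolumeConversionStatus {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Get-BitLockerVolume does not expose Full vs. Used Space Only; manage-bde -status
    # prints "Conversion Status: Used Space Only Encrypted" or "Fully Encrypted" (assumed wording).
    $status = & manage-bde.exe -status $MountPoint 2>$null
    foreach ($line in $status) {
        if ($line -match 'Conversion Status:\s*(?<state>.+)$') { return $Matches['state'].Trim() }
    }
    return 'Unknown'
}

function Get-DriveClass {
    param([Parameter(Mandatory)]$Volume)
    if ($Volume.VolumeType -eq 'OperatingSystem') { return 'OperatingSystem' }
    $drive = Get-Volume -DriveLetter $Volume.MountPoint.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($drive -and $drive.DriveType -eq 'Removable') { return 'Removable' }
    return 'Fixed'
}

function Compare-EncryptionType {
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $class = Get-DriveClass -Volume $vol
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            DriveClass = $class
            Enforced   = Get-EnforcedEncryptionType -DriveClass $class
            Actual     = Get-VolumeConversionStatus -MountPoint $vol.MountPoint
        }
    }
}

$result = Compare-EncryptionType
$result | Format-Table -AutoSize

# A Used Space Only volume keeps whatever sectors were free when it was encrypted,
# and expanding it adds more unwiped space. Wiping is slow on large volumes.
foreach ($row in $result | Where-Object { $_.Actual -like 'Used Space Only*' }) {
    if ((Read-Host "Wipe free space on $($row.MountPoint) with manage-bde -w? (y/N)") -eq 'y') {
        & manage-bde.exe -WipeFreeSpace $row.MountPoint
    }
}
```

A mismatch between `Enforced` and `Actual` is expected on volumes that were encrypted before the policy was set; the fix the page describes is not a policy change but decrypting and re-encrypting, or wiping free space where Used Space Only is acceptable.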

**Reference**

This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.

**Note**  
This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.

For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).

### Choose how BitLocker-protected operating system drives can be recovered

This policy setting is used to configure recovery methods for operating system drives.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. |
| **Introduced** | Windows Server 2008 R2 and Windows 7 |
| **Drive type** | Operating system drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
| **Conflicts** | You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting. |
| **When enabled** | You can control the methods that are available to users to recover data from BitLocker-protected operating system drives. |
| **When disabled or not configured** | The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |

**Reference**

This policy setting is applied when you turn on BitLocker.

The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.

For more information about adding data recovery agents, see [BitLocker basic deployment](bitlocker-basic-deployment.md).

In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.

Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.

In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.

Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

**Note**  
If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.

### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options. |
| **Introduced** | Windows Server 2008 and Windows Vista |
| **Drive type** | Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
| **Conflicts** | This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error. |
| **When enabled** | You can configure the options that the BitLocker Setup Wizard displays to users for recovering BitLocker-encrypted data. |
| **When disabled or not configured** | The BitLocker Setup Wizard presents users with ways to store recovery options. |

**Reference**

This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.

Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key.

Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.

**Important**  
If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.

The 48-digit recovery password is not available in FIPS-compliance mode.

**Important**  
To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.

### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information. |
| **Introduced** | Windows Server 2008 and Windows Vista |
| **Drive type** | Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
| **Conflicts** | None |
| **When enabled** | BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. |
| **When disabled or not configured** | BitLocker recovery information is not backed up to AD DS. |

**Reference**

This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

This policy setting is applied when you turn on BitLocker.

BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted.

If you select **Require BitLocker backup to AD DS**, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible.

A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.

If the **Require BitLocker backup to AD DS** option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent the BitLocker setup. The backup process is not automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup.

TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up.

For more information about this setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md).

If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md).

### Choose default folder for recovery password

This policy setting is used to configure the default folder for recovery passwords.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password. |
| **Introduced** | Windows Vista |
| **Drive type** | All drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
| **Conflicts** | None |
| **When enabled** | You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view. |
| **When disabled or not configured** | The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder. |

**Reference**

This policy setting is applied when you turn on BitLocker.

**Note**  
This policy setting does not prevent the user from saving the recovery password in another folder.

### Choose how BitLocker-protected fixed drives can be recovered

This policy setting is used to configure recovery methods for fixed data drives.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. |
| **Introduced** | Windows Server 2008 R2 and Windows 7 |
| **Drive type** | Fixed data drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
| **Conflicts** | You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting. |
| **When enabled** | You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives. |
| **When disabled or not configured** | The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |

**Reference**

This policy setting is applied when you turn on BitLocker.

The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.

In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.

In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.

For more information about the BitLocker repair tool, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx).

Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

**Note**  
If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.

### Choose how BitLocker-protected removable drives can be recovered

This policy setting is used to configure recovery methods for removable data drives.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. |
| **Introduced** | Windows Server 2008 R2 and Windows 7 |
| **Drive type** | Removable data drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
| **Conflicts** | You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting. |
| **When enabled** | You can control the methods that are available to users to recover data from BitLocker-protected removable data drives. |
| **When disabled or not configured** | The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
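
Every recovery setting above (operating system, fixed and removable drives, and the Windows Server 2008 / Windows Vista AD DS backup setting) comes down to the same two operational questions: does each protected volume have a 48-digit recovery password, and did its backup to AD DS actually succeed? The reference text for the AD DS setting warns that a backup which is attempted but not required is not retried, so a volume can end up encrypted with no escrowed password. The script below is an added example, not code from this page or from Microsoft: for each protected volume it ensures a recovery password protector exists, pushes each recovery password protector to AD DS on demand with `Backup-BitLockerKeyProtector` (the same operation the policy triggers at setup), and then confirms that an `msFVE-RecoveryInformation` object with the matching recovery GUID exists under the computer account. The verification step assumes the ActiveDirectory module (RSAT) and read access to the computer object's child objects; the helper names are mine.

```powershell
# Added example (not from the original page): create, escrow and verify BitLocker
# recovery passwords against AD DS. Run elevated on a domain-joined computer.
# Verification assumes the ActiveDirectory module and read rights on the
# computer's msFVE-RecoveryInformation child objects.

function Ensure-RecoveryPasswordProtector {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $existing = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($existing.Count -eq 0) {
        # Generates a new 48-digit numerical password protector on the volume.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $existing = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    return $existing
}

function Backup-RecoveryPasswordsToAdds {
    param([Parameter(Mandatory)][string]$MountPoint)
    foreach ($kp in Ensure-RecoveryPasswordProtector -MountPoint $MountPoint) {
        try {
            # Fails (and is reported, not retried) when no writable domain controller is reachable.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ MountPoint = $MountPoint; KeyProtectorId = $kp.KeyProtectorId; BackedUp = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ MountPoint = $MountPoint; KeyProtectorId = $kp.KeyProtectorId; BackedUp = $false; Error = $_.Exception.Message }
        }
    }
}

function Test-RecoveryPasswordInAdds {
    param([Parameter(Mandatory)][string]$KeyProtectorId)
    # The protector ID is the recovery GUID in braces. AD DS holds one
    # msFVE-RecoveryInformation object per recovery password directly under the computer.
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $wanted = $KeyProtectorId.Trim('{}')
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties 'msFVE-RecoveryGuid'
    foreach ($o in $objects) {
        # msFVE-RecoveryGuid is stored as an octet string (byte[]).
        $guid = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')
        if ($guid.ToString() -eq $wanted) { return $true }   # -eq is case-insensitive for strings
    }
    return $false
}

$results = foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    foreach ($r in Backup-RecoveryPasswordsToAdds -MountPoint $vol.MountPoint) {
        $verified = $r.BackedUp -and (Test-RecoveryPasswordInAdds -KeyProtectorId $r.KeyProtectorId)
        $r | Select-Object *, @{ Name = 'VerifiedInAdds'; Expression = { $verified } }
    }
}
$results | Format-Table -AutoSize
```

A row with `BackedUp` true but `VerifiedInAdds` false usually means the object was written to a domain controller the query did not reach yet (replication lag) or the account running the check cannot read the recovery objects; a row with `BackedUp` false is the case the page warns about and should be treated as an unescrowed volume until rerun succeeds.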

**Reference**

This policy setting is applied when you turn on BitLocker.

The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is accessed using the GPMC or the Local Group Policy Editor.

In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.

Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.

In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.

Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

**Note**  
If the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box is selected, a recovery password is automatically generated.

### Configure the pre-boot recovery message and URL

This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked.

| Item | Info |
|---|---|
| **Policy description** | With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL. |
| **Introduced** | Windows 10 |
| **Drive type** | Operating system drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
| **Conflicts** | None |
| **When enabled** | The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option. |
| **When disabled or not configured** | If the setting has not been previously enabled, the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting was previously enabled and is subsequently disabled, the last message in Boot Configuration Data (BCD) is displayed, whether it was the default recovery message or the custom message. |

**Reference**

Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key.

Once you enable the setting, you have three options:

- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL are displayed on the pre-boot recovery screen.

- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.

- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.

**Important**  
Not all characters and languages are supported in the pre-boot environment. We strongly recommend that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.

**Important**  
Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen, leave the policy setting enabled and select the **Use default message** option from the **Choose an option for the pre-boot recovery message** drop-down list box.

### Allow Secure Boot for integrity validation

This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy.

Policy description

With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Introduced

Windows Server 2012 and Windows 8

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is enabled and PCR 7 is omitted, BitLocker is prevented from using Secure Boot for platform or BCD integrity validation.

+

For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.

When enabled or not configured

BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.

When disabled

BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.

+ +  + +**Reference** + +Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. + +When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. + +**Warning**   +Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. + +  + +### Provide the unique identifiers for your organization + +This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.

When enabled

You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.

When disabled or not configured

The identification field is not required.

+ +  + +**Reference** + +These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. + +An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. + +For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + +The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. + +You can configure the identification fields on existing drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. + +When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. + +Multiple values separated by commas can be entered in the identification and allowed identification fields. 
The identification field can be any value up to 260 characters. + +### Prevent memory overwrite on restart + +This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.

Introduced

Windows Vista

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Conflicts

None

When enabled

The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.

When disabled or not configured

BitLocker secrets are removed from memory when the computer restarts.

+ +  + +**Reference** + +This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. + +### Configure TPM platform validation profile for BIOS-based firmware configurations + +This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

When disabled or not configured

The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

+ +  + +**Reference** + +This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. + +**Important**   +This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. + +  + +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: + +- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) + +- Option ROM Code (PCR 2) + +- Master Boot Record (MBR) Code (PCR 4) + +- NTFS Boot Sector (PCR 8) + +- NTFS Boot Block (PCR 9) + +- Boot Manager (PCR 10) + +- BitLocker Access Control (PCR 11) + +**Note**   +Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +  + +The following list identifies all of the PCRs available: + +- PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions + +- PCR 1: Platform and motherboard configuration and data. 
+ +- PCR 2: Option ROM code + +- PCR 3: Option ROM data and configuration + +- PCR 4: Master Boot Record (MBR) code + +- PCR 5: Master Boot Record (MBR) partition table + +- PCR 6: State transition and wake events + +- PCR 7: Computer manufacturer-specific + +- PCR 8: NTFS boot sector + +- PCR 9: NTFS boot block + +- PCR 10: Boot manager + +- PCR 11: BitLocker access control + +- PCR 12-23: Reserved for future use + +### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) + +This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

Introduced

Windows Server 2008 and Windows Vista

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

When disabled or not configured

The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

+ +  + +**Reference** + +This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. + +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: + +- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) + +- Option ROM Code (PCR 2) + +- Master Boot Record (MBR) Code (PCR 4) + +- NTFS Boot Sector (PCR 8) + +- NTFS Boot Block (PCR 9) + +- Boot Manager (PCR 10) + +- BitLocker Access Control (PCR 11) + +**Note**   +The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. + +  + +The following list identifies all of the PCRs available: + +- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code + +- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration + +- PCR 2: Option ROM code + +- PCR 3: Option ROM data and configuration + +- PCR 4: Master Boot Record (MBR) code or code from other boot devices + +- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table + +- PCR 6: State transition and wake events + +- PCR 7: Computer manufacturer-specific + +- PCR 8: NTFS boot sector + +- PCR 9: NTFS boot block + +- PCR 10: Boot manager + +- PCR 11: BitLocker access control + +- PCR 12 - 23: Reserved for future use + +**Warning**   +Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. 
+ +  + +### Configure TPM platform validation profile for native UEFI firmware configurations + +This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

+

If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

+

For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.

When enabled

Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

When disabled or not configured

BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

+ +  + +**Reference** + +This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. + +**Important**   +This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. + +  + +A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). + +The following list identifies all of the PCRs available: + +- PCR 0: Core System Firmware executable code + +- PCR 1: Core System Firmware data + +- PCR 2: Extended or pluggable executable code + +- PCR 3: Extended or pluggable firmware data + +- PCR 4: Boot Manager + +- PCR 5: GPT/Partition Table + +- PCR 6: Resume from S4 and S5 Power State Events + +- PCR 7: Secure Boot State + + For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic. 
+ +- PCR 8: Initialized to 0 with no Extends (reserved for future use) + +- PCR 9: Initialized to 0 with no Extends (reserved for future use) + +- PCR 10: Initialized to 0 with no Extends (reserved for future use) + +- PCR 11: BitLocker access control + +- PCR 12: Data events and highly volatile events + +- PCR 13: Boot Module Details + +- PCR 14: Boot Authorities + +- PCR 15 – 23: Reserved for future use + +**Warning**   +Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +  + +### Reset platform validation data after BitLocker recovery + +This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Platform validation data is refreshed when Windows is started following a BitLocker recovery.

When disabled

Platform validation data is not refreshed when Windows is started following a BitLocker recovery.

When not configured

Platform validation data is refreshed when Windows is started following a BitLocker recovery.

+ +  + +**Reference** + +For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). + +### Use enhanced Boot Configuration Data validation profile + +This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

When enabled

You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.

When disabled

The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

When not configured

The computer verifies the default BCD settings in Windows.

+ +  + +**Reference** + +**Note**   +The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. + +  + +### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows + +This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Conflicts

None

When enabled and When not configured

Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

When disabled

Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

+ +  + +**Reference** + +**Note**   +This policy setting does not apply to drives that are formatted with the NTFS file system. + +  + +When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. + +### Allow access to BitLocker-protected removable data drives from earlier versions of Windows + +This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Conflicts

None

When enabled and When not configured

Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

When disabled

Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

+ +  + +**Reference** + +**Note**   +This policy setting does not apply to drives that are formatted with the NTFS file system. + +  + +When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. + +## FIPS setting + + +You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

Notes

Introduced

Windows Server 2003 with SP1

Drive type

System-wide

Policy path

Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Conflicts

Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.

When enabled

Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup izard to create a recovery password.

When disabled or not configured

No BitLocker encryption key is generated

+ +  + +**Reference** + +This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. + +You can save the optional recovery key to a USB drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. + +You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. + +For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852197.aspx). + +## Power management Group Policy settings: Sleep and Hibernate + + +PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users are not required to re-authenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. + +However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting does not have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. 
+ +You can use disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: + +- Allow Standby States (S1-S3) When Sleeping (Plugged In) + +- Allow Standby States (S1-S3) When Sleeping (Battery) + +## About the Platform Configuration Register (PCR) + + +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. + +Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +**About PCR 7** + +PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. + +PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](http://msdn.microsoft.com/library/windows/hardware/jj923068.aspx). + +PCR 7 measurements are a mandatory logo requirement for systems that support InstantGo (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. 
On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. + +## See also + + +[Trusted Platform Module](trusted-platform-module-overview.md) + + +[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) + + +[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) + + +[BitLocker overview](bitlocker-overview.md) + + +[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md new file mode 100644 index 0000000000..0a0de22f5c --- /dev/null +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md 
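Review bot: In the "FIPS setting" table, the "When disabled or not configured" cell reads "No BitLocker encryption key is generated", which is incorrect and contradicts the rest of the section: leaving the FIPS policy off does not stop BitLocker from generating keys, it only lifts the recovery-password restriction that the "When enabled" cell and the Reference paragraph describe, so the cell should say something like "BitLocker can create and save recovery passwords as well as recovery keys". The same table gives "Notes" as the policy description, which looks like a placeholder, and its "When enabled" cell has the typo "Setup izard" for "Setup Wizard". Smaller wording fixes elsewhere in this hunk: "We strongly recommended that you verify" (pre-boot recovery message section) should be "recommend"; "Setting this policy with PCR 7 omitted, overrides" (native UEFI profile conflicts cell) has a stray comma; "PCs default power settings for a computer" (Sleep and Hibernate section) reads better as "A computer's default power settings"; and "You can use disable the following Group Policy settings" has a leftover "use".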
@@ -0,0 +1,156 @@ +--- +title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) +description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. +ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker: How to deploy on Windows Server 2012 and later + + +**Applies to** + +- Windows 10 + +This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. + +For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. + +## Installing BitLocker + + +BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets. + +- To install BitLocker using Server Manager + +- To install BitLocker using Windows PowerShell + +### To install BitLocker using Server Manager + +1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. + +2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** + +3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown). + +4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features Wizard** pane and select **Next** to continue. + +5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install. + +6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. + +7. 
Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. + + **Note**   + The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems. + +   + +8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete. + +9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. + +### To install BitLocker using Windows PowerShell + +Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation. + +**Note**   +You must restart the server to complete the installation of BitLocker. 
+ +  + +### Using the servermanager module to install BitLocker + +The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as: + +``` syntax +Get-WindowsFeature Bit +``` + +The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature. + +By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. + +``` syntax +Install-WindowsFeature BitLocker -WhatIf +``` + +The results of this command show that only the BitLocker Drive Encryption feature installs using this command. + +To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: + +``` syntax +Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl +``` + +The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). 
+ +- BitLocker Drive Encryption + +- BitLocker Drive Encryption Tools + +- BitLocker Drive Encryption Administration Utilities + +- BitLocker Recovery Password Viewer + +- AD DS Snap-Ins and Command-Line Tools + +- AD DS Tools + +- AD DS and AD LDS Tools + +The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: + +``` syntax +Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart +``` + +**Important**   +Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. + +  + +### Using the dism module to install BitLocker + +The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. + +``` syntax +Get-WindowsOptionalFeature -Online | ft +``` + +From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. + +To install BitLocker using the `dism` module, use the following command: + +``` syntax +Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All +``` + +This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. 
For a complete installation of BitLocker and all available management tools, use the following command: + +``` syntax +Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All +``` + +## More information + + +[BitLocker overview](bitlocker-overview.md) + +[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) + +[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + +[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md new file mode 100644 index 0000000000..0ee061cb84 --- /dev/null +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md 
@@ -0,0 +1,491 @@ +--- +title: BitLocker How to enable Network Unlock (Windows 10) +description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. +ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker: How to enable Network Unlock + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. + +Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. + +Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. + +Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. 
+ +This topic contains: + +- [Network Unlock core requirements](#bkmk-nunlockcorereqs) + +- [Network Unlock sequence](#bkmk-networkunlockseq) + +- [Configure Network Unlock](#bkmk-configuringnetworkunlock) + +- [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) + +- [Turning off Network Unlock](#bkmk-turnoffnetworkunlock) + +- [Update Network Unlock certificates](#bkmk-updatecerts) + +- [Troubleshoot Network Unlock](#bkmk-troubleshoot) + +- [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) + +## Network Unlock core requirements + + +Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: + +- You must be running at least Windows 8 or Windows Server 2012. + +- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. + +- A server running the Windows Deployment Services (WDS) role on any supported server operating system. + +- BitLocker Network Unlock optional feature installed on any supported server operating system. + +- A DHCP server, separate from the WDS server. + +- Properly configured public/private key pairing. + +- Network Unlock Group Policy settings configured. + +The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. + +**Note**   +To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. + +For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. 
This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. + +  + +The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. + +Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. + +The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. + +## Network Unlock sequence + + +The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. 
The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. + +On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. + +The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). + +![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png) + +**Phases in the Network Unlock process** + +1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. + +2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. + +3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. 
Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. + +4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. + +5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. + +6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key. + +7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM. + +8. This combined key is used to create an AES-256 key that unlocks the volume. + +9. Windows continues the boot sequence. + +## Configure Network Unlock + + +The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. + +### Step One: Install the WDS Server role + +The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. + +To install the role using Windows PowerShell, use the following command: + +``` syntax +Install-WindowsFeature WDS-Deployment +``` + +You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. + +### Step Two: Confirm the WDS Service is running + +To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. 
To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. + +To confirm the service is running using Windows PowerShell, use the following command: + +``` syntax +Get-Service WDSServer +``` + +### Step Three: Install the Network Unlock feature + +To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. + +To install the feature using Windows PowerShell, use the following command: + +``` syntax +Install-WindowsFeature BitLocker-NetworkUnlock +``` + +### Step Four: Create the Network Unlock certificate + +Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. + +To enroll a certificate from an existing certification authority (CA), do the following: + +1. Open Certificate Manager on the WDS server using **certmgr.msc** + +2. Under the Certificates - Current User item, right-click Personal + +3. Select All Tasks, then **Request New Certificate** + +4. Select **Next** when the Certificate Enrollment wizard opens + +5. Select Active Directory Enrollment Policy + +6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: + + - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" + +7. Create the certificate. Ensure the certificate appears in the Personal folder. + +8. Export the public key certificate for Network Unlock + + 1. 
Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. + + 2. Select **No, do not export the private key**. + + 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. + + 4. Give the file a name such as BitLocker-NetworkUnlock.cer. + +9. Export the public key with a private key for Network Unlock + + 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. + + 2. Select **Yes, export the private key**. + + 3. Complete the wizard to create the .pfx file. + +To create a self-signed certificate, do the following: + +1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf + +2. Add the following contents to the previously created file: + + ``` syntax + [NewRequest] + + Subject="CN=BitLocker Network Unlock certificate" + Exportable=true + RequestType=Cert + KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" + KeyLength=2048 + + [Extensions] + 1.3.6.1.4.1.311.21.10 = "{text}" + _continue_ = "OID=1.3.6.1.4.1.311.67.1.1" + + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.67.1.1" + ``` + +3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: + + ``` syntax + certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer + ``` + +4. Verify the previous command properly created the certificate by confirming the .cer file exists + +5. Launch the Certificate Manager by running **certmgr.msc** + +6. Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. 
+ +### Step Five: Deploy the private key and certificate to the WDS server + +With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: + +1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. + +2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** + +3. In the **File to Import** dialog, choose the .pfx file created previously. + +4. Enter the password used to create the .pfx and complete the wizard. + +### Step Six: Configure Group Policy settings for Network Unlock + +With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + +The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. + +1. Open Group Policy Management Console (gpmc.msc) + +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option + +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers + +The following steps describe how to deploy the required Group Policy setting: + +**Note**   +The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. + +  + +1. Copy the .cer file created for Network Unlock to the domain controller + +2. On the domain controller, launch Group Policy Management Console (gpmc.msc) + +3. 
Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. + +4. Deploy the public certificate to clients + + 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** + + 2. Right-click the folder and choose **Add Network Unlock Certificate** + + 3. Follow the wizard steps and import the .cer file that was copied earlier. + +**Note**   +Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. + +  + +### Step Seven: Require TPM+PIN protectors at startup + +An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: + +1. Open Group Policy Management Console (gpmc.msc) + +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option + +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers + +### Create the certificate template for Network Unlock + +The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. + +1. Open the Certificates Template snap-in (certtmpl.msc). + +2. Locate the User template. Right-click the template name and select **Duplicate Template** + +3. 
On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. + +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. + +5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. + +6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.) + +7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**. + +8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears. + +9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. + +10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. + +11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. + +12. On the **Edit Application Policies Extension** dialog box, select **Add**. + +13. On the **Add Application Policy** dialog box, select **New**. 
In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: + + - **Name:** **BitLocker Network Unlock** + + - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** + +14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** + +15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. + +16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission + +17. Select **OK** to complete configuration of the template. + +To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. + +After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. + +### Subnet policy configuration files on WDS Server (Optional) + +By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. + +The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests. 
+ +The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. + +``` syntax + [SUBNETS] +SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon +SUBNET2=10.185.252.200/28 +SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet +SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. +``` + +Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. + +**Note**   +When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. + +  + +Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. 
This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. + +Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. + +``` syntax + [‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] +;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. +;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. +SUBNET1 +;SUBNET2 +SUBNET3 +``` + +To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". + +### Turning off Network Unlock + +To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. + +**Note**   +Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. 
+ +  + +### Update Network Unlock certificates + +To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. + +## Troubleshoot Network Unlock + + +Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: + +- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. + +- All required roles and services are installed and started + +- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. + +- Group policy for Network Unlock is enabled and linked to the appropriate domains + +- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. + +- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. 
For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: + + ``` syntax + Manage-bde –protectors –get C: + ``` + +**Note**   +Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock + +  + +Files to gather when troubleshooting BitLocker Network Unlock include: + +1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log + + Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging. + + 1. Start an elevated command prompt and run the following command: + + ``` syntax + wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true + ``` + + 2. Open Event Viewer on the WDS server. + + In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**. + + In the right pane, click **Enable Log**. + +2. The DHCP subnet configuration file (if one exists). + +3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell + +4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address + +## Configure Network Unlock Group Policy settings on earlier versions + + +Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. + +**Requirements** + +- The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic. 
+ +- Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + +The following steps can be used to configure Network Unlock on these older systems. + +1. [Step One: Install the WDS Server role](#bkmk-stepone) + +2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo) + +3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree) + +4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour) + +5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive) + +6. **Step Six: Configure registry settings for Network Unlock** + + Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + + ``` syntax + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer + + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f + ``` + +7. [Create the Network Unlock certificate](#bkmk-stepfour) + +8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive) + +9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) + +10. 
[Require TPM+PIN protectors at startup](#bkmk-stepseven) + +## See also + + +- [BitLocker overview](bitlocker-overview.md) + +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) + +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md new file mode 100644 index 0000000000..80f734fc4e --- /dev/null +++ b/windows/keep-secure/bitlocker-overview.md 
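Review bot: the troubleshooting example `Manage-bde –protectors –get C:` is written with en-dash characters instead of hyphens, so the switches are not recognised when the line is pasted into a console; change it to `manage-bde -protectors -get C:`. Two consistency problems in the same region: the note under "Turning off Network Unlock" refers to the "FVENKP certificate store", while the troubleshooting checklist (`...\SystemCertificates\FVE_NKP`) and the Step Six command `certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer` use `FVE_NKP`; the certutil store name is the one that must match, so use `FVE_NKP` throughout. The step list for earlier versions also repeats "Create the Network Unlock certificate" and "Deploy the private key and certificate to the WDS server" as steps 7 and 8 after already listing them as steps 4 and 5, and places "Create the certificate template for Network Unlock" at step 9 even though the template has to exist before the certificate can be issued in step 4; drop steps 7 and 8 and move the template step ahead of step 4. Minor typos: "is on firmware version is 2.3.1" and "lcoal computer".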
@@ -0,0 +1,147 @@ +--- +title: BitLocker (Windows 10) +description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker + + +**Applies to** + +- Windows 10 + +This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. + +## + + +BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. + +BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. + +On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. + +In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. 
These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + +## Practical applications + + +Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. + +There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker. + +- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. + + By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. + +- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. 
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. + +## New and changed functionality + + +To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md) + +  + +## System requirements + + +BitLocker has the following hardware requirements: + +For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. + +A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. + +The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. + +The hard disk must be partitioned with at least two drives: + +- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. + +- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. 
For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. + +When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. + +When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

This topic for the IT professional explains how can you plan your BitLocker deployment.

[BitLocker basic deployment](bitlocker-basic-deployment.md)

This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.

[BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)

This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.

[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.

[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)

This topic for the IT professional describes how to use tools to manage BitLocker.

[BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)

This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.

[BitLocker Group Policy settings](bitlocker-group-policy-settings.md)

This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.

[BCD settings and BitLocker](bcd-settings-and-bitlocker.md)

This topic for IT professionals describes the BCD settings that are used by BitLocker.

[BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)

This topic for IT professionals describes how to recover BitLocker keys from AD DS.

[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)

This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration.

[Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)

This topic for IT pros describes how to protect CSVs and SANs with BitLocker.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md new file mode 100644 index 0000000000..31c4fb595f --- /dev/null +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
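Review bot: the new file contains an empty level-2 heading (`## ` directly after the "This topic provides a high-level overview..." sentence), which renders as a blank section title; either name it (for example "Overview") or remove it. Style point for the "In this section" table: it is authored as a raw HTML table padded with dozens of empty lines while the rest of the file is Markdown; a two-column Markdown table (Topic | Description) carries the same content and is far easier to diff and review. One wording fix inside that table: the description for "BitLocker: How to deploy on Windows Server 2012 and later" reads "explains how to deploy BitLocker and Windows Server 2012 and later" and should say "on Windows Server 2012 and later".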
@@ -0,0 +1,996 @@ +--- +title: BitLocker recovery guide (Windows 10) +description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. +ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker recovery guide + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to recover BitLocker keys from AD DS. + +Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. + +This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. + +This article does not detail how to configure AD DS to store the BitLocker recovery information. + +This article contains the following topics: + +- [What Is BitLocker Recovery?](#bkmk-whatisrecovery) + +- [Testing Recovery](#bkmk-testingrecovery) + +- [Planning Your Recovery Process](#bkmk-planningrecovery) + +- [Using Additional Recovery Information](#bkmk-usingaddrecovery) + +- [Resetting Recovery Passwords](#bkmk-appendixb) + +- [Retrieving the BitLocker Key Package](#bkmk-appendixc) + +## What is BitLocker recovery? + + +BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: + +- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. 
(Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). + +- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. + +- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + +### What causes BitLocker recovery? + +The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: + +- On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. + +- Changing the boot order to boot another drive in advance of the hard drive. + +- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. + +- Failing to boot from a network drive before booting from the hard drive. + +- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. + +- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. + +- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed. 
+ +- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM. + +- Turning off, disabling, deactivating, or clearing the TPM. + +- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change. + +- Forgetting the PIN when PIN authentication has been enabled. + +- Updating option ROM firmware. + +- Upgrading TPM firmware. + +- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards. + +- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. + +- Changes to the master boot record on the disk. + +- Changes to the boot manager on the disk. + +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. + +- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. + +- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. + + **Note**   + Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + +   + +- Moving the BitLocker-protected drive into a new computer. 
+ +- Upgrading the motherboard to a new one with a new TPM. + +- Losing the USB flash drive containing the startup key when startup key authentication has been enabled. + +- Failing the TPM self-test. + +- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. + +- Changing the usage authorization for the storage root key of the TPM to a non-zero value. + + **Note**   + The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + +   + +- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). + +- Pressing the F8 or F10 key during the boot process. + +- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. + +- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. + +**Note**   +Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. + +  + +For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. 
Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. + +**Note**   +If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. + +If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method. + +  + +Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. + +## Testing recovery + + +Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. + +**To force a recovery for the local computer** + +1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. + +2. At the command prompt, type the following command and then press ENTER: + + **manage-bde -forcerecovery** *<Volume>* + +**To force recovery for a remote computer** + +1. 
On the Start screen, type **cmd.exe**, and then click **Run as administrator**. + +2. At the command prompt, type the following command and then press ENTER: + + **manage-bde. -ComputerName** *<ComputerName>***-forcerecovery** *<Volume>* + +**Note**   +*<ComputerName>* represents the name of the remote computer. *<Volume>* represents the volume on the remote computer that is protected with BitLocker. + +  + +## Planning your recovery process + + +When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. + +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx). + +After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. 
You must consider both self-recovery and recovery password retrieval methods for your organization. + +When you determine your recovery process, you should: + +- Become familiar with how you can retrieve the recovery password. See: + + - [Self-recovery](#bkmk-selfrecovery) + + - [Recovery password retrieval](#bkmk-recoveryretrieval) + +- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: + + - [Post-recovery analysis](#bkmk-planningpostrecovery) + +### Self-recovery + +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. + +### Recovery password retrieval + +If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. 
The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + +- **Choose how BitLocker-protected operating system drives can be recovered** + +- **Choose how BitLocker-protected fixed drives can be recovered** + +- **Choose how BitLocker-protected removable drives can be recovered** + +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. + +**Note**   +If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. + +  + +The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. + +You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. 
+ +- [Record the name of the user's computer](#bkmk-recordcomputername) + +- [Verify the user's identity](#bkmk-verifyidentity) + +- [Locate the recovery password in AD DS](#bkmk-locatepassword) + +- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) + +- [Give the user the recovery password](#bkmk-givepassword) + +### Record the name of the user's computer + +You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. + +### Verify the user's identity + +You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. + +### Locate the recovery password in AD DS + +Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. + +### Multiple recovery passwords + +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. + +If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. + +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. 
+ +### Gather information to determine why recovery occurred + +Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). + +### Give the user the recovery password + +Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. + +**Note**   +Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. + +  + +### Post-recovery analysis + +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. + +If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. 
See: + +- [Determine the root cause of the recovery](#bkmk-determinecause) + +- [Refresh BitLocker protection](#bkmk-refreshprotection) + +### Determine the root cause of the recovery + +If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. + +While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. + +Review and answer the following questions for your organization: + +1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? + +2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? + +3. If TPM mode was in effect, was recovery caused by a boot file change? + +4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? + +5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? + +6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? + +To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. + +### Resolve the root cause + +After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. 
+ +The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. + +**Note**   +You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. + +  + +- [Unknown PIN](#bkmk-unknownpin) + +- [Lost startup key](#bkmk-loststartup) + +- [Changes to boot files](#bkmk-changebootknown) + +### Unknown PIN + +If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. + +**To prevent continued recovery due to an unknown PIN** + +1. Unlock the computer using the recovery password. + +2. Reset the PIN: + + 1. + + 2. Right-click the drive and then click **Change PIN** + + 3. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. + + 4. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. + +3. You will use the new PIN the next time you unlock the drive. + +### Lost startup key + +If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. + +**To prevent continued recovery due to a lost startup key** + +1. Log on as an administrator to the computer that has the lost startup key. + +2. Open Manage BitLocker. + +3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. + +### Changes to boot files + +This error might occur if you updated the firmware. 
As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. + +## Windows RE and BitLocker + + +Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. + +## Using additional recovery information + + +Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. + +### BitLocker key package + +If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. 
The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. + +**Note**   +You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. + +  + +The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). + +## Resetting recovery passwords + + +You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. + +You can reset the recovery password in two ways: + +- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. + +- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. + +**To reset a recovery password using manage-bde** + +1. Remove the previous recovery password + + ``` syntax + Manage-bde –protectors –delete C: –type RecoveryPassword + ``` + +2. Add the new recovery password + + ``` syntax + Manage-bde –protectors –add C: -RecoveryPassword + ``` + +3. Get the ID of the new recovery password. 
From the screen copy the ID of the recovery password. + + ``` syntax + Manage-bde –protectors –get C: -Type RecoveryPassword + ``` + +4. Backup the new recovery password to AD DS + + ``` syntax + Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} + ``` + + **Warning**   + You must include the braces in the ID string. + +   + +**To run the sample recovery password script** + +1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. + +2. At the command prompt, type a command similar to the following: + + **cscript ResetPassword.vbs** + +**Important**   +This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. + +  + +**Note**   +To manage a remote computer, you can specify the remote computer name rather than the local computer name. + +  + +You can use the following sample script to create a VBScript file to reset the recovery passwords. + +``` syntax +' Target drive letter +strDriveLetter = "c:" + +' Target computer name +' Use "." to connect to the local computer +strComputerName = "." + + +' -------------------------------------------------------------------------------- +' Connect to the BitLocker WMI provider class +' -------------------------------------------------------------------------------- + +strConnectionStr = "winmgmts:" _ + & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _ + & strComputerName _ + & "\root\cimv2\Security\MicrosoftVolumeEncryption" + + +On Error Resume Next 'handle permission errors + +Set objWMIService = GetObject(strConnectionStr) + + +If Err.Number <> 0 Then + WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")." + Wscript.Echo "Ensure that you are running with administrative privileges." 
+ WScript.Quit -1 +End If + +On Error GoTo 0 + +strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'" +Set colTargetVolumes = objWMIService.ExecQuery(strQuery) + + +If colTargetVolumes.Count = 0 Then + WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "." + WScript.Quit -1 +End If + + +' there should only be one volume found +For Each objFoundVolume in colTargetVolumes + set objVolume = objFoundVolume +Next + + +' objVolume is now our found BitLocker-capable disk volume + + +' -------------------------------------------------------------------------------- +' Perform BitLocker WMI provider functionality +' -------------------------------------------------------------------------------- + + +' Add a new recovery password, keeping the ID around so it doesn't get deleted later +' ---------------------------------------------------------------------------------- + +nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID) + +If nRC <> 0 Then +WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If + +' Removes the other, "stale", recovery passwords +' ---------------------------------------------------------------------------------- + +nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector + +nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs) + +If nRC <> 0 Then +WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If + +' Delete those key protectors other than the one we just added. 
+ +For Each sKeyProtectorID In aKeyProtectorIDs + +If sKeyProtectorID <> sNewKeyProtectorID Then +nRC = objVolume.DeleteKeyProtector(sKeyProtectorID) + +If nRC <> 0 Then +WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +Else +' no output +'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted" +End If +End If + +Next + +WScript.Echo "A new recovery password has been added. Old passwords have been removed." + +' - some advanced output (hidden) +'WScript.Echo "" +'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." +``` + +## Retrieving the BitLocker key package + + +You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): + +- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. + +- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. + +The following sample script exports all previously-saved key packages from AD DS. + +**To run the sample key package retrieval script** + +1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. + +2. At the command prompt, type a command similar to the following: + + **cscript GetBitLockerKeyPackageADDS.vbs -?** + +You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. 
+ +``` syntax +' -------------------------------------------------------------------------------- +' Usage +' -------------------------------------------------------------------------------- + +Sub ShowUsage + Wscript.Echo "USAGE: GetBitLockerKeyPackageAD [Path To Saved Key Package] [Optional Computer Name]" + Wscript.Echo "If no computer name is specified, the local computer is assumed." + Wscript.Echo + Wscript.Echo "Example: GetBitLockerKeyPackageAD E:\bitlocker-ad-key-package mycomputer" + WScript.Quit +End Sub + +' -------------------------------------------------------------------------------- +' Parse Arguments +' -------------------------------------------------------------------------------- + +Set args = WScript.Arguments + +Select Case args.Count + Case 1 + If args(0) = "/?" Or args(0) = "-?" Then + ShowUsage + Else + strFilePath = args(0) + ' Get the name of the local computer + Set objNetwork = CreateObject("WScript.Network") + strComputerName = objNetwork.ComputerName + End If + + Case 2 + If args(0) = "/?" Or args(0) = "-?" Then + ShowUsage + Else + strFilePath = args(0) + strComputerName = args(1) + End If + Case Else + ShowUsage + +End Select + + + +' -------------------------------------------------------------------------------- +' Get path to Active Directory computer object associated with the computer name +' -------------------------------------------------------------------------------- + +Function GetStrPathToComputer(strComputerName) + + ' Uses the global catalog to find the computer in the forest + ' Search also includes deleted computers in the tombstone + + Set objRootLDAP = GetObject("LDAP://rootDSE") + namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. 
string dc=fabrikam,dc=com + + strBase = "" + + Set objConnection = CreateObject("ADODB.Connection") + Set objCommand = CreateObject("ADODB.Command") + objConnection.Provider = "ADsDSOOBject" + objConnection.Open "Active Directory Provider" + Set objCommand.ActiveConnection = objConnection + + strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))" + strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree" + + objCommand.CommandText = strQuery + objCommand.Properties("Page Size") = 100 + objCommand.Properties("Timeout") = 100 + objCommand.Properties("Cache Results") = False + + ' Enumerate all objects found. + + Set objRecordSet = objCommand.Execute + If objRecordSet.EOF Then + WScript.echo "The computer name '" & strComputerName & "' cannot be found." + WScript.Quit 1 + End If + + ' Found object matching name + + Do Until objRecordSet.EOF + dnFound = objRecordSet.Fields("distinguishedName") + GetStrPathToComputer = "LDAP://" & dnFound + objRecordSet.MoveNext + Loop + + + ' Clean up. 
+ Set objConnection = Nothing + Set objCommand = Nothing + Set objRecordSet = Nothing + +End Function + + +' -------------------------------------------------------------------------------- +' Securely access the Active Directory computer object using Kerberos +' -------------------------------------------------------------------------------- + + +Set objDSO = GetObject("LDAP:") +strPathToComputer = GetStrPathToComputer(strComputerName) + +WScript.Echo "Accessing object: " + strPathToComputer + +Const ADS_SECURE_AUTHENTICATION = 1 +Const ADS_USE_SEALING = 64 '0x40 +Const ADS_USE_SIGNING = 128 '0x80 + + +' -------------------------------------------------------------------------------- +' Get all BitLocker recovery information from the Active Directory computer object +' -------------------------------------------------------------------------------- + +' Get all the recovery information child objects of the computer object + +Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _ + ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING) + +objFveInfos.Filter = Array("msFVE-RecoveryInformation") + +' Iterate through each recovery information object and saves any existing key packages + +nCount = 1 +strFilePathCurrent = strFilePath & nCount + +For Each objFveInfo in objFveInfos + + strName = objFveInfo.Get("name") + + strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword") + strKeyPackage = objFveInfo.Get("msFVE-KeyPackage") + + WScript.echo + WScript.echo "Recovery Object Name: " + strName + WScript.echo "Recovery Password: " + strRecoveryPassword + + ' Validate file path + Set fso = CreateObject("Scripting.FileSystemObject") + + If (fso.FileExists(strFilePathCurrent)) Then + WScript.Echo "The file " & strFilePathCurrent & " already exists. Please use a different path." 
+WScript.Quit -1 + End If + + ' Save binary data to the file + SaveBinaryDataText strFilePathCurrent, strKeyPackage + + WScript.echo "Related key package successfully saved to " + strFilePathCurrent + + + ' Update next file path using base name + nCount = nCount + 1 + strFilePathCurrent = strFilePath & nCount + +Next + + +'---------------------------------------------------------------------------------------- +' Utility functions to save binary data +'---------------------------------------------------------------------------------------- + +Function SaveBinaryDataText(FileName, ByteArray) + 'Create FileSystemObject object + Dim FS: Set FS = CreateObject("Scripting.FileSystemObject") + + 'Create text stream object + Dim TextStream + Set TextStream = FS.CreateTextFile(FileName) + + 'Convert binary data To text And write them To the file + TextStream.Write BinaryToString(ByteArray) +End Function + +Function BinaryToString(Binary) + Dim I, S + For I = 1 To LenB(Binary) + S = S & Chr(AscB(MidB(Binary, I, 1))) + Next + BinaryToString = S +End Function + +WScript.Quit + +The following sample script exports a new key package from an unlocked, encrypted volume. + +To run this script, start by saving the code into a VBS file (for example, GetBitLockerKeyPackage.vbs). Then, open an administrator command prompt and use “cscript” to run the saved file (for example, type "cscript GetBitLockerKeyPackage.vbs -?"). 
+ + + +' -------------------------------------------------------------------------------- +' Usage +' -------------------------------------------------------------------------------- + +Sub ShowUsage + Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Saved Key Package]" + Wscript.Echo + Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package" + WScript.Quit +End Sub + +' -------------------------------------------------------------------------------- +' Parse Arguments +' -------------------------------------------------------------------------------- + +Set args = WScript.Arguments + +Select Case args.Count + Case 2 + If args(0) = "/?" Or args(0) = "-?" Then + ShowUsage + Else + strDriveLetter = args(0) + strFilePath = args(1) + End If + Case Else + ShowUsage + +End Select + +' -------------------------------------------------------------------------------- +' Other Inputs +' -------------------------------------------------------------------------------- + +' Target computer name +' Use "." to connect to the local computer +strComputerName = "." + +' Default key protector ID to use. Specify "" to let the script choose. + +strDefaultKeyProtectorID = "" + +' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample + + +' -------------------------------------------------------------------------------- +' Connect to the BitLocker WMI provider class +' -------------------------------------------------------------------------------- + +strConnectionStr = "winmgmts:" _ + & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _ + & strComputerName _ + & "\root\cimv2\Security\MicrosoftVolumeEncryption" + + +On Error Resume Next 'handle permission errors + +Set objWMIService = GetObject(strConnectionStr) + + +If Err.Number <> 0 Then + WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")." 
+ Wscript.Echo "Ensure that you are running with administrative privileges." + WScript.Quit -1 +End If + +On Error GoTo 0 + +strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'" +Set colTargetVolumes = objWMIService.ExecQuery(strQuery) + + +If colTargetVolumes.Count = 0 Then + WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "." + WScript.Quit -1 +End If + + +' there should only be one volume found +For Each objFoundVolume in colTargetVolumes + set objVolume = objFoundVolume +Next + + +' objVolume is now our found BitLocker-capable disk volume + + +' -------------------------------------------------------------------------------- +' Perform BitLocker WMI provider functionality +' -------------------------------------------------------------------------------- + + +' Collect all possible valid key protector ID's that can be used to get the package +' ---------------------------------------------------------------------------------- + +nNumericalKeyProtectorType = 3 ' type associated with "Numerical Password" protector + +nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs) +If nRC <> 0 Then +WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If + +nExternalKeyProtectorType = 2 ' type associated with "External Key" protector + +nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs) +If nRC <> 0 Then +WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If + + +' Get first key protector of the type "Numerical Password" or "External Key", if any +' ---------------------------------------------------------------------------------- + +if strDefaultKeyProtectorID = "" Then + +' Save first numerical password, if exists +If UBound(aNumericalKeyProtectorIDs) <> -1 Then +strDefaultKeyProtectorID = 
aNumericalKeyProtectorIDs(0) +End If + +' No numerical passwords exist, save the first external key +If strDefaultKeyProtectorID = "" and UBound(aExternalKeyProtectorIDs) <> -1 Then +strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0) +End If + +' Fail case: no recovery key protectors exist. +If strDefaultKeyProtectorID = "" Then +WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive." +WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""." +WScript.Quit -1 +End If + +End If + +' Get some information about the chosen key protector ID +' ---------------------------------------------------------------------------------- + +' is the type valid? + +nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType) + +If Hex(nRC) = "80070057" Then +WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid." +WScript.Echo "This ID value may have been provided by the script writer." +ElseIf nRC <> 0 Then +WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If + +' what's a string that can be used to describe it? + +strDefaultKeyProtectorType = "" + +Select Case nDefaultKeyProtectorType + + Case nNumericalKeyProtectorType + strDefaultKeyProtectorType = "recovery password" + + Case nExternalKeyProtectorType + strDefaultKeyProtectorType = "recovery key" + + Case Else + WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key." + WScript.Echo "This ID value may have been provided by the script writer." 
+ +End Select + + +' Save the backup key package using the chosen key protector ID +' ---------------------------------------------------------------------------------- + +nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage) +If nRC <> 0 Then +WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If + +' Validate file path +Set fso = CreateObject("Scripting.FileSystemObject") +If (fso.FileExists(strFilePath)) Then +WScript.Echo "The file " & strFilePath & " already exists. Please use a different path." +WScript.Quit -1 +End If + +Dim oKeyPackageByte, bKeyPackage +For Each oKeyPackageByte in oKeyPackage + 'WScript.echo "key package byte: " & oKeyPackageByte + bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte) +Next + +' Save binary data to the file +SaveBinaryDataText strFilePath, bKeyPackage + +' Display helpful information +' ---------------------------------------------------------------------------------- + +WScript.Echo "The backup key package has been saved to " & strFilePath & "." + +WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved." 
+ +' Display the recovery password or a note about saving the recovery key file + +If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then + +nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword) +If nRC <> 0 Then +WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC) +WScript.Quit -1 +End If +WScript.Echo "Save this recovery password: " & sNumericalPassword + +ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then +WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK" +WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?""" +End If + + +'---------------------------------------------------------------------------------------- +' Utility functions to save binary data +'---------------------------------------------------------------------------------------- + +Function SaveBinaryDataText(FileName, ByteArray) + 'Create FileSystemObject object + Dim FS: Set FS = CreateObject("Scripting.FileSystemObject") + + 'Create text stream object + Dim TextStream + Set TextStream = FS.CreateTextFile(FileName) + + 'Convert binary data To text And write them To the file + TextStream.Write BinaryToString(ByteArray) +End Function + +Function BinaryToString(Binary) + Dim I, S + For I = 1 To LenB(Binary) + S = S & Chr(AscB(MidB(Binary, I, 1))) + Next + BinaryToString = S +End Function +``` + +## See also + + +- [BitLocker overview](bitlocker-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md new file mode 100644 index 0000000000..7a8babc248 --- /dev/null +++ b/windows/keep-secure/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
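Review bot: the commands in the "To reset a recovery password using manage-bde" steps use en dashes instead of hyphens (`Manage-bde –protectors –delete C: –type RecoveryPassword`, `Manage-bde –protectors –add C: -RecoveryPassword`, `Manage-bde –protectors –adbackup C: -id {...}`), so they fail when pasted into a command prompt; every `–` should be `-`. Further down, the code fence opened for GetBitLockerKeyPackageADDS.vbs is never closed after its final `WScript.Quit`, and no fence is opened before the second script, so the paragraphs "The following sample script exports a new key package from an unlocked, encrypted volume." and "To run this script, start by saving the code into a VBS file..." render inside the code block; close the fence after `WScript.Quit` and open a new one before the second `' Usage` banner. In the "Unknown PIN" procedure, sub-step 1 under step 2 is empty and should name the action that precedes "Right-click the drive". The "Post-recovery analysis" paragraph reads "you might want to have an administrator can perform post-recovery analysis"; drop "can". Finally, both scripts' SaveBinaryDataText writes the key package through a text stream via `Chr(AscB(MidB(Binary, I, 1)))`, which may not round-trip bytes above 0x7F through the system code page; either write the package with an ADODB.Stream opened in binary mode, or at least tell the reader to verify the saved file against the package size before relying on it.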
@@ -0,0 +1,384 @@ +--- +title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) +description: This topic for the IT professional describes how to use tools to manage BitLocker. +ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to use tools to manage BitLocker. + +BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. + +Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. + +Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console. + +1. [Manage-bde](#bkmk-managebde) + +2. [Repair-bde](#bkmk-repairbde) + +3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) + +## Manage-bde + + +Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference. + +Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. 
A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. + +### Using manage-bde with operating system volumes + +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume. + +A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: + +``` syntax +manage-bde -status +``` + +This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. + +The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. + +``` syntax +manage-bde –protectors -add C: -startupkey E: +manage-bde -on C: +``` + +**Note**   +After the encryption is completed, the USB startup key must be inserted before the operating system can be started. 
+ +  + +An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: + +``` syntax +manage-bde -protectors -add C: -pw -sid +``` + +This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on. + +On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: + +``` syntax +manage-bde -on C: +``` + +This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: + +``` syntax + manage-bde -protectors -get +``` + +### Using manage-bde with data volumes + +Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume. + +A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. + +``` syntax +manage-bde -protectors -add -pw C: +manage-bde -on C: +``` + +## Repair-bde + + +You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. 
+ +The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. + +**Tip**   +If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. + +  + +The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true: + +1. You have encrypted the drive by using BitLocker Drive Encryption. + +2. Windows does not start, or you cannot start the BitLocker recovery console. + +3. You do not have a copy of the data that is contained on the encrypted drive. + +**Note**   +Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. 
+ +  + +The following limitations exist for Repair-bde: + +- The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process. + +- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. + +For more information about using repair-bde see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx) + +## BitLocker cmdlets for Windows PowerShell + + +Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Parameters

Add-BitLockerKeyProtector

-ADAccountOrGroup

+

-ADAccountOrGroupProtector

+

-Confirm

+

-MountPoint

+

-Password

+

-PasswordProtector

+

-Pin

+

-RecoveryKeyPath

+

-RecoveryKeyProtector

+

-RecoveryPassword

+

-RecoveryPasswordProtector

+

-Service

+

-StartupKeyPath

+

-StartupKeyProtector

+

-TpmAndPinAndStartupKeyProtector

+

-TpmAndPinProtector

+

-TpmAndStartupKeyProtector

+

-TpmProtector

+

-WhatIf

Backup-BitLockerKeyProtector

-Confirm

+

-KeyProtectorId

+

-MountPoint

+

-WhatIf

Disable-BitLocker

-Confirm

+

-MountPoint

+

-WhatIf

Disable-BitLockerAutoUnlock

-Confirm

+

-MountPoint

+

-WhatIf

Enable-BitLocker

-AdAccountOrGroup

+

-AdAccountOrGroupProtector

+

-Confirm

+

-EncryptionMethod

+

-HardwareEncryption

+

-Password

+

-PasswordProtector

+

-Pin

+

-RecoveryKeyPath

+

-RecoveryKeyProtector

+

-RecoveryPassword

+

-RecoveryPasswordProtector

+

-Service

+

-SkipHardwareTest

+

-StartupKeyPath

+

-StartupKeyProtector

+

-TpmAndPinAndStartupKeyProtector

+

-TpmAndPinProtector

+

-TpmAndStartupKeyProtector

+

-TpmProtector

+

-UsedSpaceOnly

+

-WhatIf

Enable-BitLockerAutoUnlock

-Confirm

+

-MountPoint

+

-WhatIf

Get-BitLockerVolume

-MountPoint

Lock-BitLocker

-Confirm

+

-ForceDismount

+

-MountPoint

+

-WhatIf

Remove-BitLockerKeyProtector

-Confirm

+

-KeyProtectorId

+

-MountPoint

+

-WhatIf

Resume-BitLocker

-Confirm

+

-MountPoint

+

-WhatIf

Suspend-BitLocker

-Confirm

+

-MountPoint

+

-RebootCount

+

-WhatIf

Unlock-BitLocker

-AdAccountOrGroup

+

-Confirm

+

-MountPoint

+

-Password

+

-RecoveryKeyPath

+

-RecoveryPassword

+

-RecoveryPassword

+

-WhatIf

+ +  + +Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLockerVolume` cmdlet. + +The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status and other details. + +**Tip**   +Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. + +`Get-BitLockerVolume C: | fl` + +  + +If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. + +A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: + +``` syntax +$vol = Get-BitLockerVolume +$keyprotectors = $vol.KeyProtector +``` + +Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector. + +Using this information, you can then remove the key protector for a specific volume using the command: + +``` syntax +Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" +``` + +**Note**   +The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. 
+ +  + +### Using the BitLocker Windows PowerShell cmdlets with operating system volumes + +Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. + +The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: + +``` syntax +Enable-BitLocker C: +``` + +In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. + +``` syntax +Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest +``` + +### Using the BitLocker Windows PowerShell cmdlets with data volumes + +Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. + +``` syntax +$pw = Read-Host -AsSecureString + +Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw +``` + +### Using an AD Account or Group protector in Windows PowerShell + +The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. 
BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster. + +**Warning**   +The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes + +  + +To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. + +``` syntax +Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator +``` + +For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: + +**Note**   +Use of this command requires the RSAT-AD-PowerShell feature. + +  + +``` syntax +get-aduser -filter {samaccountname -eq "administrator"} +``` + +**Tip**   +In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +  + +The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: + +``` syntax +Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 +``` + +**Note**   +Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. 
+ +  + +## More information + + +[BitLocker overview](bitlocker-overview.md) + +[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) + +[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + +[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) + +[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) + +  + +  + + + + + diff --git a/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md new file mode 100644 index 0000000000..b3d3843cf4 --- /dev/null +++ b/windows/keep-secure/bitlocker-use-bitlocker-recovery-password-viewer.md 
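Review bot: the data-volume example under "Using the BitLocker Windows PowerShell cmdlets with data volumes" calls `Enable-BitLockerKeyProtector`, which is not one of the cmdlets this topic's own table lists; the table has `Enable-BitLocker` with `-PasswordProtector` and `-Password`, so the line should be `Enable-BitLocker E: -PasswordProtector -Password $pw`. Several other command lines have lost an argument and will fail as pasted: the `manage-bde -on` and `manage-bde -protectors -get` examples in the data-volume and protector-listing paragraphs have no volume after them (the trailing space shows where a placeholder was dropped in conversion), the `-pw -sid` protector command has no SID, the `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest` example has no key path, and the `Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"` example has lost the drive letter before the colon; restore explicit placeholders inside the code fences. The first startup-key example spells `–protectors` with an en dash instead of a hyphen, which manage-bde will not parse. In the cmdlet table, `Unlock-BitLocker` lists `-RecoveryPassword` twice. Wording: "includes less default settings" should be "fewer"; "the BitLocker will need to access", "metadata data", "In the example below, adds one additional protector" and "as part command for encrypting" each need a word added or removed; the Warning in the ADAccountOrGroup section has no closing period.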
@@ -0,0 +1,79 @@ +--- +title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) +description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. +ms.assetid: 04c93ac5-5dac-415e-b636-de81435753a2 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# BitLocker: Use BitLocker Recovery Password Viewer + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. + +The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). + +## Before you start + + +To complete the procedures in this scenario: + +- You must have domain administrator credentials. + +- Your test computers must be joined to the domain. + +- On the test computers, BitLocker must have been turned on after joining the domain. + +The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. + +**To view the recovery passwords for a computer** + +1. In **Active Directory Users and Computers**, locate and then click the container in which the computer is located. + +2. 
Right-click the computer object, and then click **Properties**. + +3. In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer. + +**To copy the recovery passwords for a computer** + +1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. + +2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**. + +3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. + +**To locate a recovery password by using a password ID** + +1. In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**. + +2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**. + +By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password. + +## More information + + +[BitLocker Overview](bitlocker-overview.md) + +[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) + +[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) + +[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) + +[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) + +  + +  + + + + + diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md new file mode 100644 index 0000000000..032ef98517 --- /dev/null 
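Review bot: the frontmatter `title` reads "BitLocker Use BitLocker Recovery Password Viewer (Windows 10)" while the H1 is "BitLocker: Use BitLocker Recovery Password Viewer"; the colon is missing from the title. The intro switches between "BitLocker Recovery Password Viewer" and "BitLocker Active Directory Recovery Password Viewer tool" for the same snap-in extension; pick one name. In "To copy the recovery passwords for a computer", step 3 suggests pasting into a text file or spreadsheet; since the pasted details include the recovery password that unlocks the drive, the step should say to protect or delete that file, given that the topic otherwise gates access to these passwords behind domain administrator credentials. Also, "In Active Directory Users and Computers" is bold in the first procedure and plain in the third.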
+++ b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md @@ -0,0 +1,107 @@ +--- +title: Block untrusted fonts in an enterprise (Windows 10) +description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. +ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 +keywords: ["font blocking", "untrusted font blocking", "block fonts", "untrusted fonts"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: eross-msft +--- + +# Block untrusted fonts in an enterprise +To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. + +## What does this mean for me? +Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on. + +## How does this feature work? +There are 3 ways to use this feature: + +- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. + +- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.

**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. + +- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). + +## Potential reductions in functionality +After you turn this feature on, your employees might experience reduced functionality when: + +- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. + +- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](http://go.microsoft.com/fwlink/p/?LinkId=522302). + +- Using first or third-party apps that use memory-based fonts. + +- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently. + +- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. + +## Turn on and use the Blocking Untrusted Fonts feature +To turn this feature on, off, or to use audit mode: + +1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. + +2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. + +3. 
Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: + + - **To turn this feature on.** Type **1000000000000**. + - **To turn this feature off.** Type **2000000000000**. + - **To audit with this feature.** Type **3000000000000**.

**Important**
Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + +4. Restart your computer. + +## View the event log +After you turn this feature on, or start using Audit mode, you can look at your event logs for details. + +**To look at your event log** + +1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. + +2. Scroll down to **EventID: 260** and review the relevant events. +

+**Event Example 1 - MS Word**
+WINWORD.EXE attempted loading a font that is restricted by font loading policy.
+FontType: Memory
+FontPath:
+Blocked: true

+**Note**
Because the **FontType** is *Memory*, there’s no associated **FontPath.** +

+**Event Example 2 - Winlogon**
+Winlogon.exe attempted loading a font that is restricted by font loading policy.
+FontType: File
+FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
+Blocked: true

+**Note**
Because the **FontType** is *File*, there’s also an associated **FontPath.** +

+**Event Example 3 - Internet Explorer running in Audit mode**
+Iexplore.exe attempted loading a font that is restricted by font loading policy.
+FontType: Memory
+FontPath:
+Blocked: false

+**Note**
In Audit mode, the problem is recorded, but the font isn’t blocked. + +## Fix apps having problems because of blocked fonts +Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. + +After you figure out the problematic fonts, you can try to fix your apps in 2 ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted. + +**To fix your apps by installing the problematic fonts (recommended)** + +- On each computer with the app installed, right-click on the font name and click **Install**.

The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there. + +**To fix your apps by excluding processes** + +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. + +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). + +  + +  + + + + + diff --git a/windows/keep-secure/bypass-traverse-checking.md b/windows/keep-secure/bypass-traverse-checking.md new file mode 100644 index 0000000000..b0d84bfa72 --- /dev/null +++ b/windows/keep-secure/bypass-traverse-checking.md 
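Review bot: the "To fix your apps by excluding processes" procedure never says what to create under the `Image File Execution Options\<process>.exe` key: step 1 only navigates to the key and step 2 says to add further processes, so a reader cannot complete the exclusion; spell out the value name and data the exclusion needs. The feature-switch procedure calls `MitigationOptions` a "key" in steps 2 and 3 although step 2 creates it as a QWORD value; use "value" throughout. The data `1000000000000`, `2000000000000` and `3000000000000` should say that they are hexadecimal, since the regedit Edit QWORD dialog offers both bases, and the Important note's example (`1000` becoming `1000000001000`) only holds when the digits are combined in that base. `%windir%/Fonts` should be `%windir%\Fonts`, matching the backslash registry paths in the same topic. Expand "EOP" to "elevation of privilege" at first use, and note that the third of the "3 ways to use this feature" is an exclusion list used alongside On or Audit, not a mode of its own.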
@@ -0,0 +1,165 @@ +--- +title: Bypass traverse checking (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. +ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Bypass traverse checking + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Bypass traverse checking** security policy setting. + +## Reference + + +This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. + +Constant: SeChangeNotifyPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they do not have access. + +2. Use the default settings of this policy in most cases. If you change the settings, verify your intent through testing. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

+

Authenticated Users

+

Everyone

+

Local Service

+

Network Service

+

Pre-Windows 2000 Compatible Access

Stand-Alone Server Default Settings

Administrators

+

Backup Operators

+

Users

+

Everyone

+

Local Service

+

Network Service

Domain Controller Effective Default Settings

Administrators

+

Authenticated Users

+

Everyone

+

Local Service

+

Network Service

+

Pre-Windows 2000 Compatible Access

Member Server Effective Default Settings

Administrators

+

Backup Operators

+

Users

+

Everyone

+

Local Service

+

Network Service

Client Computer Effective Default Settings

Administrators

+

Backup Operators

+

Users

+

Everyone

+

Local Service

+

Network Service

+ +  + +## Policy management + + +Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs).The ability to traverse the folder does not provide any Read or Write permissions to the user. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. 
+ +### Countermeasure + +Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users cannot see any folder or file to which they do not have access. For more info about this feature, see [Access-based Enumeration](http://go.microsoft.com/fwlink/p/?LinkId=100745). + +### Potential impact + +The Windows operating systems and many applications were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the **Bypass traverse checking** user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS\_WPG, IUSR\_*<ComputerName>*, and IWAM\_*<ComputerName>* accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md new file mode 100644 index 0000000000..b9db148655 --- /dev/null +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
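Review bot: "controlled though the appropriate configuration" should read "through" in both the Policy management paragraph and the Vulnerability paragraph, and "(ACLs).The ability" needs a space after the period. In Potential impact, the accounts IIS\_WPG, IUSR\_<ComputerName> and IWAM\_<ComputerName> are the IIS 6 identities; this topic's "Applies to" is Windows 10, where IIS 7 and later replaced them with the IIS_IUSRS group and the IUSR account, so verify and update that list before publishing. "access–based enumeration" uses an en dash in Best practices and twice in Countermeasure; it should be a hyphen. The reasoning that traversal grants neither Read nor Write and that the ACLs on the target objects remain the real control is sound and worth keeping as the opening of the Vulnerability section.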
@@ -0,0 +1,115 @@ +--- +title: Change history for Keep Windows 10 secure (Windows 10) +description: This topic lists new and updated topics in the Keep Windows 10 secure documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: E50EC5E6-71AA-4FF1-8356-574CFDB8079B +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Change history for Keep Windows 10 secure + + +This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + + ++++ + + + + + + + + + + + + + + + + + + + + +
New or changed topicDescription
[Protect derived domain credentials with Credential Guard](credential-guard.md)

Clarified Credential Guard protections

[Requirements to use AppLocker](requirements-to-use-applocker.md)

Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.

[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)

Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.

+ +  + +## February 2016 + + +| New or changed topic | Description | +|-------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | New | +| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | New | +| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | New | +| [Encrypted Hard Drive](encrypted-hard-drive.md) | New | + +  + +## January 2016 + + +| New or changed topic | Description | +|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| +| [Device Guard deployment guide](device-guard-deployment-guide.md) | Updated recommendations in Bring Your Own Device section | +| [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) | Updated the prerequisites for an Azure Active Directory/Active Directory hybrid environment | +| [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) | Updated to clarify that this procedure is not needed for Passport for Work | +| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated the prerequisites for an Azure Active Directory/Active Directory hybrid environment | +| [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) | New | + +  + +## December 2015 + + +| New or changed topic | Description | +|----------------------------------------------------------------------------------------------------|-------------| +| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Updated | +| [Microsoft Passport errors during PIN 
creation](microsoft-passport-errors-during-pin-creation.md) | Updated | +| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Updated | +| [Security policy settings](security-policy-settings.md) (multiple topics) | Updated | + +  + +## November 2015 + + +| New or changed topic | Description | +|----------------------------------------------------------------------------------------------|-------------| +| [Windows Defender in Windows 10](windows-defender-in-windows-10.md) | New | +| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | New | +| [AppLocker](applocker-overview.md) (multiple topics) | Updated | +| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Updated | +| [Device Guard deployment guide](device-guard-deployment-guide.md) | Updated | +| [Security auditing](security-auditing-overview.md) (multiple topics) | Updated | +| [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) | Updated | + +  + +## Related topics + + +[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) + +[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) + +[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) + +[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) + +  + +  + + + + + diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md new file mode 100644 index 0000000000..e654e9d952 --- /dev/null +++ b/windows/keep-secure/change-the-system-time.md 
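Review bot: the February 2016 row links to `use-windows-event-forwarding-to-assist-in-instrusion-detection.md`, which spells "intrusion" as "instrusion"; if the topic file really carries that name the link resolves, but the filename should be corrected (and this link updated) in the same change so the typo does not spread into other cross-references.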
@@ -0,0 +1,169 @@ +--- +title: Change the system time (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. +ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Change the system time + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Change the system time** security policy setting. + +## Reference + + +This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting does not impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). + +Constant: SeSystemtimePrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Restrict the **Change the system time** user right to users with a legitimate need to change the system time. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, members of the Administrators and Local Service groups have this right on workstations and servers. Members of the Administrators, Server Operators, and Local Service groups have this right on domain controllers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

+

Server Operators

+

Local Service

Stand-Alone Server Default Settings

Administrators

+

Local Service

DC Effective Default Settings

Administrators

+

Server Operators

+

Local Service

Member Server Effective Default Settings

Administrators

+

Local Service

Client Computer Effective Default Settings

Administrators

+

Local Service

+ +  + +## Policy management + + +This section describes features, tools and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who can change the time on a computer could cause several problems. For example: + +- Time stamps on event log entries could be made inaccurate + +- Time stamps on files and folders that are created or modified could be incorrect + +- Computers that belong to a domain might not be able to authenticate themselves + +- Users who try to log on to the domain from devices with inaccurate time might not be able to authenticate. + +Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a device's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets. 
+ +The risk from these types of events is mitigated on most domain controllers, member servers, and end-user computers because the Windows Time Service automatically synchronizes time with domain controllers in the following ways: + +- All desktop client devices and member servers use the authenticating domain controller as their inbound time partner. + +- All domain controllers in a domain nominate the primary domain controller (PDC) emulator operations master as their inbound time partner. + +- All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. + +- The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore, we recommend that you configure this computer to synchronize with a reliable external time server. + +This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that is not accurate. + +### Countermeasure + +Restrict the **Change the system time** user right to users with a legitimate need to change the system time, such as members of the IT team. + +### Potential impact + +There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source, such as a web service. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md new file mode 100644 index 0000000000..63a5424dc7 --- /dev/null +++ b/windows/keep-secure/change-the-time-zone.md 
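Review bot: the Countermeasure section tells readers to restrict the right to "members of the IT team", but the Reference paragraph says the right "is also required by the process that performs time synchronization" and every row of the default values table grants it to Local Service; add a sentence that Local Service must keep the right or the automatic synchronization the Potential impact section relies on will stop. Also, the default values table is emitted as raw HTML (the `++++` cell residue) while the change-history hunks in this same patch use pipe tables; rewriting it as `| Server type or GPO | Default value |` would keep the topic consistent.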
@@ -0,0 +1,141 @@ +--- +title: Change the time zone (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. +ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Change the time zone + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Change the time zone** security policy setting. + +## Reference + + +This policy setting determines which users can adjust the time zone that is used by the device for displaying the local time, which includes the device's system time plus the time zone offset. + +Constant: SeTimeZonePrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +None. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

+

Users

Stand-Alone Server Default Settings

Administrators

+

Users

Domain Controller Effective Default Settings

Administrators

+

Users

Member Server Effective Default Settings

Administrators

+

Users

Client Computer Effective Default Settings

Administrators

+

Users

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to be effective. + +Any change to the account for this user right assignment becomes effective the next time the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones. + +### Countermeasure + +Countermeasures are not required because system time is not affected by this setting. + +### Potential impact + +None. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md new file mode 100644 index 0000000000..dbbd1ff048 --- /dev/null +++ b/windows/keep-secure/change-the-tpm-owner-password.md 
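Review bot: the default values table labels the domain controller row "Domain Controller Effective Default Settings", while the same row in change-the-system-time.md in this patch reads "DC Effective Default Settings"; pick one form for both topics. The table here is also raw HTML rather than the pipe-table style used elsewhere in the patch.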
@@ -0,0 +1,97 @@ +--- +title: Change the TPM owner password (Windows 10) +description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. +ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Change the TPM owner password + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. + +## About the TPM owner password + + +The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. When an owner is set, no other user or software can claim ownership of the TPM. Only the TPM owner can enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. Taking ownership of the TPM can be performed as part of the initialization process. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. + +Applications, including BitLocker Drive Encryption, can automatically start the initialization process. If you enable BitLocker without manually initializing the TPM, the TPM owner password is automatically created and saved in the same location as the BitLocker recovery password. + +The TPM owner password can be saved as a file on a removable storage device, or on another computer. The password can also be printed. The TPM MMC gives the TPM owner the sole ability to choose the appropriate option to type the password or to use the saved password. 
+ +As with any password, you should change your TPM owner password if you suspect that it has become compromised and is no longer a secret. + +**Other TPM management options** + +Instead of changing your owner password, you can also use the following options to manage your TPM: + +- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-clear1). + + **Important**   + Clearing the TPM can result in the loss of data. To avoid data loss, make sure you have a backup or recovery method for any data protected or encrypted by the TPM. + +   + +- **Turn off the TPM**   If you want to keep all existing keys and data intact, and you want to disable the services that are provided by the TPM, you can turn it off. For more info, see [Initialize and Configure Ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md#bkmk-onoff). + +## Change the TPM owner password + + +The following procedure provides the steps that are necessary to change the TPM owner password. + +**To change the TPM owner password** + +1. Open the TPM MMC (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +2. In the **Actions** pane, click **Change Owner Password**. + +3. In the **Manage the TPM security hardware** dialog box, select a method to enter your current TPM owner password. + + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Create New Password**. 
+ + - If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, enter your password (including hyphens), and click **Create New Password**. + +4. On the **Create the TPM owner password** page, select a method for creating a new TPM owner password. + + 1. Click **Automatically create the password** to have a new owner password generated for you. + + 2. Click **Manually create the password** if you want to specify a password. + + **Note**   + The TPM owner password must have a minimum of eight characters. + +   + +5. After the new password is created, you can choose **Save the password** to save the password in a password backup file on a removable storage device or **Print the password** to print a copy of the password for later reference. + +6. Click **Change password** to apply the new owner password to the TPM. + +## Use the TPM cmdlets + + +If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + +**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + +## Additional resources + + +For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). + +  + +  + + + + + diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md new file mode 100644 index 0000000000..c59d12e4db --- /dev/null +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md 
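Review bot: in "Use the TPM cmdlets" the command `dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` is set in bold instead of a code span or fenced block, so it cannot be copied reliably and markdown may alter its slashes; put it in a code block. The "About the TPM owner password" paragraph also says the password is saved "in the same location as the BitLocker recovery password" without saying where that is; a link to the BitLocker recovery topic would close that gap.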
@@ -0,0 +1,62 @@ +--- +title: Choose the right BitLocker countermeasure (Windows 10) +description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. +ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Choose the right BitLocker countermeasure + + +**Applies to** + +- Windows 10 + +This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. + +You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. + +Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. 
+ +![how to choose best countermeasures for windows 7](images/bitlockerprebootprotection-counterwin7.jpg) + +**Figure 2.** How to choose the best countermeasures for Windows 7 + +![how to choose countermeasures for windows 8](images/bitlockerprebootprotection-counterwin8.jpg) + +**Figure 3.** How to choose the best countermeasures for Windows 8 + +![how to choose countermeasures for windows 8.1](images/bitlockerprebootprotection-counterwin81.jpg) + +**Figure 4.** How to choose the best countermeasures for Windows 8.1 + +The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. + +Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). 
+ +Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack. + +In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. + +## See also + + +- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) + +- [BitLocker Countermeasures](bitlocker-countermeasures.md) + +- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) + +- [BitLocker overview](bitlocker-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md new file mode 100644 index 0000000000..f554bbf9cb --- /dev/null +++ b/windows/keep-secure/configure-an-applocker-policy-for-audit-only.md 
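Review bot: "Hyberfil.sys" in the `description` front matter and in the opening paragraph misspells the hibernation file, which is hiberfil.sys. The topic also opens with "Figures 2, 3, and 4" and there is no Figure 1 in this file; either renumber the figures from 1 or point to the topic that contains Figure 1.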
@@ -0,0 +1,48 @@ +--- +title: Configure an AppLocker policy for audit only (Windows 10) +description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. +ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Configure an AppLocker policy for audit only + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. + +After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**. + +When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + +**Note**   +There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + +  + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To audit rule collections** + +1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. + +2. 
On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection. + +3. Repeat the above step to configure the enforcement setting to **Audit only** for additional rule collections. + +4. Click **OK**. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md new file mode 100644 index 0000000000..acea4f15df --- /dev/null +++ b/windows/keep-secure/configure-an-applocker-policy-for-enforce-rules.md 
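Review bot: step 2 of "To audit rule collections" says to select the check box for "the rule collection that you want to enforce", which contradicts the audit-only purpose of this procedure; change it to "that you want to audit". The sentence describing **Audit only** ("rules are only evaluated but all events ... are written to the AppLocker log") should also state plainly that files are not blocked in this mode, since that is the property readers are relying on when they test rules.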
@@ -0,0 +1,46 @@ +--- +title: Configure an AppLocker policy for enforce rules (Windows 10) +description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. +ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Configure an AppLocker policy for enforce rules + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. + +**Note**   +When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. + +  + +For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To enable the Enforce rules enforcement setting** + +1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. + +2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you are editing, and then verify that **Enforce rules** is selected. + +3. Click **OK**. + +For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + +  + +  + + + + + 
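Review bot: the procedure switches a rule collection straight to **Enforce rules** with no pointer to testing first, even though this same patch adds configure-an-applocker-policy-for-audit-only.md; add a sentence before the procedure recommending that the collection be run in **Audit only** and the AppLocker log reviewed before enforcement is enabled, with a link to that topic.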
diff --git a/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md new file mode 100644 index 0000000000..126647dac7 --- /dev/null +++ b/windows/keep-secure/configure-exceptions-for-an-applocker-rule.md 
@@ -0,0 +1,49 @@ +--- +title: Add exceptions for an AppLocker rule (Windows 10) +description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. +ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Add exceptions for an AppLocker rule + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. + +Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To configure exceptions for a rule** + +1. Open the AppLocker console. + +2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click **Properties**. + +3. Click the **Exceptions** tab. + +4. In the **Add exception** box, select the rule type that you want to create, and then click **Add**. + + - For a publisher exception, click **Browse**, select the file that contains the publisher to exclude, and then click **OK**. + + - For a path exception, choose the file or folder path to exclude, and then click **OK**. + + - For a file hash exception, edit the file hash rule, and click **Remove**. + + - For a packaged apps exception, click **Add** to create the exceptions based on reference app and rule scope. + +  + +  + + + + + 
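Review bot: the file hash bullet in step 4, "For a file hash exception, edit the file hash rule, and click **Remove**", does not describe adding an exception; it reads as removing a rule. Clarify whether the reader selects the file in the hash dialog and clicks **Add**, or what **Remove** refers to. The H1 says "Add exceptions" while the procedure heading says "To configure exceptions"; align the two.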
diff --git a/windows/keep-secure/configure-s-mime.md b/windows/keep-secure/configure-s-mime.md new file mode 100644 index 0000000000..205f3823db --- /dev/null +++ b/windows/keep-secure/configure-s-mime.md 
@@ -0,0 +1,104 @@ +--- +title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) +description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. +ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 +keywords: ["encrypt", "digital signature"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Configure S/MIME for Windows 10 and Windows 10 Mobile + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. + +## About message encryption + + +Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. + +Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. + +## About digital signatures + + +A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. 
Recipients can only verify the digital signature if they’re using an email client that supports S/MIME. + +## Prerequisites + + +- [S/MIME is enabled for Exchange accounts](http://go.microsoft.com/fwlink/p/?LinkId=718217) (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com. +- Valid Personal Information Exchange (PFX) certificates are installed on the device. + + - [How to Create PFX Certificate Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkID=718215) + - [Enable access to company resources using certificate profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=718216) + - [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) + +## Choose S/MIME settings + + +On the device, perform the following steps: (add select certificate) + +1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) +2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. + + ![settings icon in mail app](images/mailsettings.png) + +3. Tap **Email security**. + + ![email security settings](images/emailsecurity.png) + +4. In **Select an account**, select the account for which you want to configure S/MIME options. +5. Make a certificate selection for digital signature and encryption. + + - Select **Automatically** to let the app choose the certificate. + - Select **Manually** to specify the certificate yourself from the list of valid certificates on the device. + +6. (Optional) Select **Always sign with S/MIME**, **Always encrypt with S/MIME**, or both, to automatically digitally sign or encrypt all outgoing messages. + **Note**  The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it. + +   + +7. Tap the back arrow. + +## Encrypt or sign individual messages + + +1. 
While composing a message, choose **Options** from the ribbon. On phone, **Options** can be accessed by tapping the the ellipsis (...). +2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message. + + ![sign or encrypt message](images/signencrypt.png) + +## Read signed or encrypted messages + + +When you receive an encrypted message, the mail app will check whether there is a certificate available on your computer. If there is a certificate available, the message will be decrypted when you open it. If your certificate is stored on a smartcard, you will be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate. + +## Install certificates from a received message + + +When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. + +1. Open a signed email. + +2. Tap or click the digital signature icon in the reading pane. + +3. Tap **Install.** + + ![message security information](images/installcert.png) + +  + +  + + + + + diff --git a/windows/keep-secure/configure-the-appLocker-reference-device.md b/windows/keep-secure/configure-the-appLocker-reference-device.md new file mode 100644 index 0000000000..3d1f849430 --- /dev/null +++ b/windows/keep-secure/configure-the-appLocker-reference-device.md 
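Review bot: the "Choose S/MIME settings" section still carries an author's to-do inside the published sentence "On the device, perform the following steps: (add select certificate)"; drop the parenthetical, since step 5 already covers certificate selection. Smaller fixes in the same hunk: "tapping the the ellipsis" doubles "the", "Users can send encrypted message to people" needs "messages", "recipient(s) whose encryption certificate are not available" needs "certificates", and "the app provide feature to install corresponding encryption certificate" should read "the app provides a feature to install the corresponding encryption certificate". In "Read signed or encrypted messages", what the app needs to decrypt is the private key that belongs to the recipient's certificate, which is why the smartcard and PIN sentences follow; saying "certificate and its private key" once would make that paragraph consistent with the prerequisite about PFX files, which contain the key.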
@@ -0,0 +1,67 @@ +--- +title: Configure the AppLocker reference device (Windows 10) +description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. +ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Configure the AppLocker reference device + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. + +An AppLocker reference device that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference device, you can: + +- Maintain an application list for each business group. + +- Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules. + +- Create the default rules to allow the Windows system files to run properly. + +- Run tests and analyze the event logs to determine the affect of the policies that you intend to deploy. + +The reference device does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + +**Warning**   +Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected. + +  + +**To configure a reference device** + +1. 
If the operating system is not already installed, install one of the supported editions of Windows on the device. + + **Note**   + If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device + +   + +2. Configure the administrator account. + + To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO). + +3. Install all apps that run in the targeted business group or OU by using the same directory structure. + + The reference device should be configured to mimic the structure of your production environment. It depends on having the same apps in the same directories to accurately create the rules. + +### See also + +- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see [Working with AppLocker rules](working-with-applocker-rules.md). + +- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + +  + +  + + + + + diff --git a/windows/keep-secure/configure-the-application-identity-service.md b/windows/keep-secure/configure-the-application-identity-service.md new file mode 100644 index 0000000000..d09240e41c --- /dev/null +++ b/windows/keep-secure/configure-the-application-identity-service.md 
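Review bot: in the bullet list under "On a reference device, you can", "determine the affect of the policies" should be "effect". The note under step 1 ("you can export the policies to that device") ends without a period, and the first "See also" bullet is a paragraph of instructions rather than a link; move that sentence above the heading and keep the list to links. The warning about snapshots is the most useful content in this hunk, but "AppLocker policies will not work as expected" is too vague for readers to weigh; give the concrete symptom of duplicate rule GUIDs, or at least state that the reference device must be rebuilt rather than reverted between apps.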
@@ -0,0 +1,56 @@ +--- +title: Configure the Application Identity service (Windows 10) +description: This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. +ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Configure the Application Identity service + + +**Applies to** + +- Windows 10 + +This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. + +The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. + +**Important**   +When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file. + +  + +**To start the Application Identity service automatically using Group Policy** + +1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). + +2. Locate the GPO to edit, right-click the GPO, and then click **Edit**. + +3. In the console tree under **Computer Configuration\\Windows Settings\\Security Settings**, click **System Services**. + +4. In the details pane, double-click **Application Identity**. + +5. In **Application Identity Properties**, configure the service to start automatically. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To start the Application Identity service manually** + +1. Right-click the taskbar, and click **Task Manager**. + +2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**. + +3. Verify that the status for the Application Identity service is **Running**. + +  + +  + + + + + 
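Review bot: the sentence "Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure" sits after the Group Policy procedure and reads as if it applied to the Task Manager procedure below; move it above the first procedure, and note that editing a GPO in GPMC requires edit rights on that GPO rather than local Administrators membership. The manual procedure ("right-click AppIDSvc, and then click Start Service") starts the service for the current session only and does not change its startup type, so after a restart the service is stopped again and, as the Important box says, AppLocker rules are no longer enforced; step 3 should say that the manual start is for testing and that the Group Policy procedure is the one to use for enforcement.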
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md new file mode 100644 index 0000000000..6d18bfcd2e --- /dev/null +++ b/windows/keep-secure/configure-windows-defender-in-windows-10.md 
@@ -0,0 +1,223 @@ +--- +title: Configure Windows Defender in Windows 10 (Windows 10) +description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). +ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Configure Windows Defender in Windows 10 + + +**Applies to** + +- Windows 10 + +IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). + +## Configure definition updates + + +It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization. + +Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx). + +When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings: + +- InternalDefinitionUpdateServer - WSUS +- MicrosoftUpdateServer - Microsoft Update +- MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx) +- FileShares - file share + +Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). + +You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. 
See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details. + +## Definition update logic + + +You can update Windows Defender definitions in four ways depending on your business requirements: + +- WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website. +- Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update. +- The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions. +- File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files. + +## Update Windows Defender definitions through Active Directory and WSUS + + +This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
MethodInstructions

WSUS

See [Software Updates and Windows Server Update Services Definition Updates](https://technet.microsoft.com/library/gg398036.aspx) in the [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx) topic that also applies to Windows Defender.

Microsoft Update

Set the following fallback order Group Policy to enable Microsoft Update:

+
    +
  1. Open the Group Policy Editor.
  2. +
  3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
  4. +
  5. Click on Signature Updates.
  6. +
  7. Double-click on Define the order of sources for downloading definition updates.

    +

    This will open the Define the order of sources for downloading definition updates window.

  8. +
  9. Click Enable.
  10. +
  11. In the Options pane, define the following Group Policy to enable Microsoft Update:

    +

    {MicrosoftUpdateServer}

    +

    "Define the order of sources for downloading definition updates" field

  12. +
  13. Click OK.

    +

    The window will close automatically.

  14. +

[Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)

Set the following fallback order Group Policy to enable Windows Defender to download updated signatures:

+
    +
  1. Open the Group Policy Editor.
  2. +
  3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
  4. +
  5. Click on Signature Updates.
  6. +
  7. Double-click on Define the order of sources for downloading definition updates.

    +

    This will open the Define the order of sources for downloading definition updates window.

  8. +
  9. Click Enable.
  10. +
  11. In the Options pane, define the following Group Policy to enable Windows Defender to download updated signatures:

    +

    {MMPC}

    +

    "Define the order of sources for downloading definition updates" field

  12. +
  13. Click OK.

    +

    The window will close automatically.

  14. +

File share

+
    +
  1. Open the Group Policy Editor.
  2. +
  3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
  4. +
  5. Click on Signature Updates.
  6. +
  7. Double-click on Define the order of sources for downloading definition updates.

    +

    This will open the Define the order of sources for downloading definition updates window:

  8. +
  9. Click Enable.
  10. +
  11. In the Options pane, define the following Group Policy to enable Windows Defender to download updated signatures:

    +

    {FileShares}

    +

    "Define the order of sources for downloading definition updates" field

  12. +
  13. Click OK.

    +

    The window will close automatically.

  14. +
  15. Double-click on Define file shares for downloading definition updates.

    +

    This will open the Define file shares for downloading definition updates window.

  16. +
  17. Click Enable.
  18. +
  19. In the Options pane, define the following Group Policy to specify the Universal Naming Convention (UNC) share source:

    +

    {\\unc1\\unc2} - where you define [unc] as the UNC shares.

    +

    "Define the file shares for downloading definition updates" field

  20. +
  21. Click OK.

    +

    The window will close automatically.

  22. +
+ +  + +## Manage cloud-based protection + + +Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community). + +You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files. + +More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). + +The Microsoft Active Protection Service can be configured with the following *Group Policy* settings: + +1. Open the **Group Policy Editor**. +2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. +3. Click on **MAPS**. +4. Double-click on **Join Microsoft MAPS**. +5. Select your configuration option from the **Join Microsoft MAPS** list. + **Note**  Any settings modified on an endpoint will be overridden by the administrator's policy setting. 
+ +   + +Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10: + +Policy setting: **Configure Microsoft SpyNet Reporting** +Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting** +Policy description: **Adjusts membership in Microsoft Active Protection Service** + +You can also configure preferences using the following PowerShell parameters: + +- Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0* +- Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2* + +Read more about this in: + +- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) +- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) + +**Note**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID. + +  + +Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences). + +## Opt-in to Microsoft Update + + +You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update. + +You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update. 
+ +There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10: + +1. Use a VBScript to create a script, then run it on each computer in your network. +2. Manually opt-in every computer on your network through the **Settings** menu. + +You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update. + +**Use a VBScript to opt in to Microsoft Update** + +1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. +2. Run the VBScript you created on each computer in your network. + +You can manually opt-in each individual computer on your network to receive Microsoft Update. + +**Manually opt-in to Microsoft Update** + +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. +2. Click **Advanced** options. +3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. + +## Schedule updates for Microsoft Update + + +Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road. + +For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates). + +## Related topics + + +[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) + +[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md new file mode 100644 index 0000000000..bf422552a0 --- /dev/null 
+++ b/windows/keep-secure/create-a-basic-audit-policy-settings-for-an-event-category.md 
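Review bot: the three "Define the order of sources" procedures under "Update Windows Defender definitions through Active Directory and WSUS" are the same steps repeated verbatim for Microsoft Update, MMPC and File share, and each sets a single source ({MicrosoftUpdateServer}, {MMPC}, {FileShares}) even though the section opens by describing a fallback order across InternalDefinitionUpdateServer, MicrosoftUpdateServer, MMPC and FileShares; write the procedure once and show one value listing several sources in fallback order, stating what separator the setting expects. The file-share example "{\\unc1\\unc2} - where you define [unc] as the UNC shares" is garbled by markdown escaping and does not say whether one or several shares are allowed; show the real UNC path form. In "Manage cloud-based protection", "Set-MpPreference -MAPSReporting 0" and "-MAPSReporting 2" are set in italics rather than code, and the doc gives the two values without saying what each sends, which matters because the Note below promises limits on collected data. Lastly, "see Configure definition updates" in the schedule section links to an external TechNet URL instead of the section earlier in this same file.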
@@ -0,0 +1,59 @@ +--- +title: Create a basic audit policy for an event category (Windows 10) +description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. +ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a basic audit policy for an event category + + +**Applies to** + +- Windows 10 + +By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. + +To complete this procedure, you must be logged on as a member of the built-in Administrators group. + +**To define or modify auditing policy settings for an event category for your local computer** + +1. Open the Local Security Policy snap-in (secpol.msc), and then click **Local Policies**. +2. Click **Audit Policy**. +3. In the results pane, double-click an event category that you want to change the auditing policy settings for. +4. Do one or both of the following, and then click **OK.** + - To audit successful attempts, select the **Success** check box. + - To audit unsuccessful attempts, select the **Failure** check box. + +To complete this procedure, you must be logged on as a member of the Domain Admins group. + +**To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain** + +1. Open the Group Policy Management Console (GPMC). +2. In the console tree, double-click **Group Policy objects** in the forest and domain containing the **Default Domain Policy** Group Policy object (GPO) that you want to edit. +3. 
Right-click the **Default Domain Policy** GPO, and then click **Edit**. +4. In the GPMC, go to **Computer Configuration**, **Windows Settings**, **Security Settings**, and then click **Audit Policy**. +5. In the results pane, double-click an event category that you want to change the auditing policy settings for. +6. If you are defining auditing policy settings for this event category for the first time, select the **Define these policy settings** check box. +7. Do one or both of the following, and then click **OK.** + - To audit successful attempts, select the **Success** check box. + - To audit unsuccessful attempts, select the **Failure** check box. + +## Additional considerations + + +- To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. +- After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events. +- The default auditing policy setting for domain controllers is **No Auditing**. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md new file mode 100644 index 0000000000..ffa275db74 --- /dev/null +++ b/windows/keep-secure/create-a-pagefile.md 
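Review bot: the "Additional considerations" bullet "The default auditing policy setting for domain controllers is No Auditing" contradicts the opening paragraph's "On domain controllers, auditing is turned on by default"; the two sentences are about different scopes (the local default on a DC versus the policy setting in the GPO that applies to domain controllers) and the doc must say which is which, or readers cannot tell whether their DCs are logging. The domain procedure edits the Default Domain Policy GPO directly, while its heading promises settings "for a domain or organizational unit"; mention that a GPO linked to the target OU is the usual choice so the default policy is not changed for every computer. Minor: in steps 4 and 7, "click **OK.**" puts the period inside the bold.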
@@ -0,0 +1,140 @@ +--- +title: Create a pagefile (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. +ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a pagefile + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Create a pagefile** security policy setting. + +## Reference + + +Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for programs and data that are used frequently. Although the file is hidden from browsing, you can manage it using the system settings. + +This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). + +Constant: SeCreatePagefilePrivilege + +### Possible values + +- User-defined list of accounts + +- Administrators + +### Best practices + +- Restrict the **Create a pagefile** user right to Administrators, which is the default. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, members of the Administrators group have this right. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Administrators

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced device performance. + +### Countermeasure + +Restrict the **Create a pagefile** user right to members of the Administrators group. + +### Potential impact + +None. Restricting this right to members of the Administrators group is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-rule-for-packaged-apps.md b/windows/keep-secure/create-a-rule-for-packaged-apps.md new file mode 100644 index 0000000000..f16c4fcee9 --- /dev/null +++ b/windows/keep-secure/create-a-rule-for-packaged-apps.md 
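Review bot: "through using internal application interfaces (APIs)" in the Reference section should be "through application programming interfaces (APIs)". The Vulnerability paragraph ties the risk only to performance ("could cause reduced device performance"); since the Security considerations section promises to describe "how an attacker might exploit a feature", it should say plainly that the exposure is availability, not confidentiality, so readers can rate it against other user-rights settings. "Although the file is hidden from browsing" would read better as "hidden in File Explorer". The rendered table and the Group Policy precedence list are fine as written.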
@@ -0,0 +1,135 @@ +--- +title: Create a rule for packaged apps (Windows 10) +description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. +ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a rule for packaged apps + + +**Applies to** + +- Windows 10 + +This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. + +Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: + +- Publisher of the package + +- Package name + +- Package version + +All the files within a package as well as the package installer share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation as well as the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups. + +For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). 
+ +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To create a packaged app rule** + +1. Open the AppLocker console. + +2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. + +3. On the **Before You Begin** page, click **Next**. + +4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. + +5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options. + + + + + + + + + + + + + + + + + + + + + + + + + + +
SelectionDescriptionExample

Use an installed packaged app as a reference

If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.

You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.

Use a packaged app installer as a reference

If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.

Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.

+ +   + + The following table describes setting the scope for the packaged app rule. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SelectionDescriptionExample

Applies to Any publisher

This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

+

Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.

Applies to a specific Publisher

This scopes the rule to all apps published by a particular publisher.

You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.

Applies to a Package name

This scopes the rule to all packages that share the publisher name and package name as the reference file.

You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.

Applies to a Package version

This scopes the rule to a particular version of the package.

You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.

Applying custom values to the rule

Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

+ +   + +6. Click **Next**. + +7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. + +8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md new file mode 100644 index 0000000000..19f8350862 --- /dev/null +++ b/windows/keep-secure/create-a-rule-that-uses-a-file-hash-condition.md 
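Review bot: the "Applies to a Package name" row reads "all packages that share the publisher name and package name as the reference file", which has a dropped word; suggest "that share the same publisher name and package name as the reference file". In the same table, the "Any publisher" row's example ("any packaged app from any signed publisher") would be clearer if it said explicitly that this scope, as an Allow rule, admits every signed packaged app regardless of who signed it, since that is the consequence the admin is accepting.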
@@ -0,0 +1,56 @@ +--- +title: Create a rule that uses a file hash condition (Windows 10) +description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. +ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a rule that uses a file hash condition + + +**Applies to** + +- Windows 10 + +This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. + +File hash rules use a system-computed cryptographic hash of the identified file. + +For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To create a new rule with a file hash condition** + +1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. + +2. On the **Action** menu, click **Create New Rule**. + +3. On the **Before You Begin** page, click **Next**. + +4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. + +5. On the **Conditions** page, select the **File hash** rule condition, and then click **Next**. + +6. **Browse Files** to locate the targeted application file. + + **Note**   + You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button. + +   + +7. Click **Next**. + +8. 
On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md new file mode 100644 index 0000000000..59f864fa6e --- /dev/null +++ b/windows/keep-secure/create-a-rule-that-uses-a-path-condition.md 
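Review bot: the introduction states only that "File hash rules use a system-computed cryptographic hash of the identified file" and never says that the hash is tied to the exact bytes of that file, so the rule stops matching as soon as the file is updated or patched; a one-sentence caveat here (or a pointer to the maintenance guidance) would save readers from discovering it in production. Also, step 6 ("**Browse Files** to locate the targeted application file") is missing the leading "Click" that the other steps use.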
@@ -0,0 +1,63 @@ +--- +title: Create a rule that uses a path condition (Windows 10) +description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. +ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a rule that uses a path condition + + +**Applies to** + +- Windows 10 + +This topic for IT professionals shows how to create an AppLocker rule with a path condition. + +The path condition identifies an app by its location in the file system of the computer or on the network. + +**Important**   +When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles. + +  + +For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To create a new rule with a path condition** + +1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. + +2. On the **Action** menu, click **Create New Rule**. + +3. On the **Before You Begin** page, click **Next**. + +4. 
On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. + +5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**. + +6. Click **Browse Files** to locate the targeted folder for the app. + + **Note**   + When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + +   + +7. Click **Next**. + +8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. + +9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md new file mode 100644 index 0000000000..cbbec57db2 --- /dev/null +++ b/windows/keep-secure/create-a-rule-that-uses-a-publisher-condition.md 
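Review bot: step 6 says "Click **Browse Files** to locate the targeted folder for the app", but a file browser does not select a folder; either this should read **Browse Folders**, or the step should say "file" (the following note mentions "a file or folder location", so both buttons seem to exist). The Important block is the key security point of this topic and is good; consider adding that the same caution applies to any path under a wildcard or AppLocker path variable, since the note in step 6 says the wizard rewrites browsed paths into those variables.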
@@ -0,0 +1,55 @@ +--- +title: Create a rule that uses a publisher condition (Windows 10) +description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. +ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a rule that uses a publisher condition + + +**Applies to** + +- Windows 10 + +This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. + +You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization. + +Packaged app rules are by definition rules that use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). + +For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To create a new rule with a publisher condition** + +1. 
Open the AppLocker console, and then click the rule collection that you want to create the rule for. + +2. On the **Action** menu, click **Create New Rule**. + +3. On the **Before You Begin** page, click **Next**. + +4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. + +5. On the **Conditions** page, select the **Publisher** rule condition, and then click **Next**. + +6. On the **Publisher** page, click **Browse** to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the **Use custom values** check box. For example, you can use the asterisk (\*) wildcard character within a publisher rule to specify that any value should be matched. + +7. Click **Next**. + +8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. + +9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-token-object.md b/windows/keep-secure/create-a-token-object.md new file mode 100644 index 0000000000..f5be6bd569 --- /dev/null +++ b/windows/keep-secure/create-a-token-object.md 
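Review bot: step 6 says the asterisk wildcard "within a publisher rule" means "any value should be matched" but does not say which field; if the Publisher field itself is set to \*, the rule covers any digitally signed file from any publisher, which is a very different scope from wildcarding the file version. Suggest stating that explicitly, and that the slider already expresses the publisher > product > file > version hierarchy described in the intro paragraph.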
@@ -0,0 +1,145 @@ +--- +title: Create a token object (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. +ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a token object + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Create a token object** security policy setting. + +## Reference + + +This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs. + +When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. + +Constant: SeCreateTokenPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +This user right is used internally by the operating system. By default, it is not assigned to any user groups. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Local System

Member Server Effective Default Settings

Local System

Client Computer Effective Default Settings

Local System

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +**Caution**   +A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. + +  + +Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they are currently logged on. They could escalate their privileges or create a DoS condition. + +### Countermeasure + +Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. + +### Potential impact + +None. 
Not Defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md new file mode 100644 index 0000000000..d701502116 --- /dev/null +++ b/windows/keep-secure/create-applocker-default-rules.md 
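Review bot: "Potential impact" says "Not Defined is the default configuration", but the default-values table lists Local System for the Domain Controller, Member Server and Client Computer effective defaults, with Not Defined only for the GPO rows; suggest "None. Not Defined is the default configuration in the domain policies; the effective default on each computer is Local System." The Vulnerability paragraph also repeats the token-revocation sentence from the Reference section verbatim; one copy is enough.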
@@ -0,0 +1,44 @@ +--- +title: Create AppLocker default rules (Windows 10) +description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. +ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create AppLocker default rules + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. + +AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run. + +**Important**   +You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types. + +  + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To create default rules** + +1. Open the AppLocker console. + +2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. + +3. Click **Create Default Rules**. + +  + +  + + + + + 
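Review bot: step 2's list "executable, Windows Installer, script rules and Packaged app rules" mixes capitalization and repeats "rules"; suggest "the executable, Windows Installer, script, and packaged app rule collections". The Important block says the default rules are only a starter policy, so a pointer to how to review what they allow (the topic title promises rules that "allow Windows system files to run" without describing the resulting rules) would help readers decide what to tighten.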
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md new file mode 100644 index 0000000000..3c0bd54506 --- /dev/null +++ b/windows/keep-secure/create-edp-policy-using-intune.md 
@@ -0,0 +1,342 @@ +--- +title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) +description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. +ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Create an enterprise data protection (EDP) policy using Microsoft Intune +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. 
+ +## In this topic: +- [Add an EDP policy](#add-an-edp-policy) + +- [Add individual apps to your Protected App list](#add-individual-apps-to-your-protected-app-list) + +- [Exempt apps from EDP restrictions](#exempt-apps-from-EDP-restrictions) + +- [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data) + +- [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains) + +- [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) + +- [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings) + +## Add an EDP policy +After you’ve installed and set up Intune for your organization, you must create an EDP-specific policy. + +**To add an EDP policy** +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Click **Add Policy** from the **Tasks** area. + +3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) + +4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-namedescription.png) + +## Add individual apps to your Protected App list +During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. 
+ +The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application. + +**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list. +

+**Note**
If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. + +**To add a UWP app** + +1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** + +2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + + **To find the Publisher and Product name values for Microsoft Store apps without installing them** + + 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.

+ **Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. + + 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + + 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value. +

+ The API runs and opens a text editor with the app details. + + ``` json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. +

**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. +

For example:
+ ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + ![Microsoft Intune: Add a UWP app to the Protected Apps list](images/intune-addapps.png) + + **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones** + + 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature. +

**Note**
Your PC and phone must be on the same wireless network. + + 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + + 3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + + 4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + + 5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + + 6. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about. +

The **Publisher** and **Product Name** values appear. + + 7. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. +

**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. +

For example:
+ ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + +**To add a Classic Windows application** + +1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** +

A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**. + +2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as "*"All files signed by any publisher. (Not recommended.)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and File Name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, File Name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, File Name, and File Version, And above selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, File Name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
+ + ![Microsoft Intune: Add a Classic Windows app to the Protected Apps list](images/intune-add-desktop-app.png) + +If you’re unsure about what to include for the publisher, you can run this PowerShell command: + +``` ps1 +Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. + +In this example, you'd get the following info: + +``` json +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. + +## Exempt apps from EDP restrictions +If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. + +**To exempt an UWP app** + +1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11. + +2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/edpexempt/StoreApp EXE`.

Where **edpexempt** is added as a substring, making the app exempt. + +3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. + +4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: + + ``` + + ``` + +5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + +**To exempt a Classic Windows application** + +1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11. + +2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/edpexempt/EXE`.

Where **edpexempt** is added as a substring, making the app exempt. + +3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. + +4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: + + ``` + + ``` + +5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + +## Manage the EDP protection level for your enterprise data +After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. + +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. + + + + + + + + + + + + + + + + + + + + + +
ModeDescription
BlockEDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.
OverrideEDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).
SilentEDP runs silently, logging inappropriate data sharing, without blocking anything.
OffEDP is turned off and doesn't help to protect or audit your data.
+ +![Microsoft Intune: Add the protection level for your Protected Apps list](images/intune-encryption-level.png) + +## Define your enterprise-managed identity domains +Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. + +You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. + +This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed. + +![Microsoft Intune: Add the primary internet domain for your enterprise identity](images/intune-primary-domain.png) + +**To add your primary domain** + +- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.

+If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com. + +## Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.

+**Important**
+- Every EDP policy should include policy that defines your enterprise network locations. + +- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. + +**To specify where your protected apps can find and send enterprise data on the network** + +1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud Domaincontoso.sharepoint.com,proxy1.contoso.com|
office.com|proxy2.contoso.com
Specify the cloud resources traffic to restrict to your protected apps.

For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the | delimiter. Include the "|" delimiter just before the "|" if you don’t use proxies. For example: [URL,Proxy]|[URL,Proxy].

Enterprise Network Domaindomain1.contoso.com,domain2.contoso.comSpecify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.

This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

Enterprise Proxy Serverdomain1.contoso.com:80;domain2.contoso.com:137Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.

This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.

Enterprise Internal Proxy Serverproxy1.contoso.com;proxy2.contoso.comSpecify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.
Enterprise IPv4 Range**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet.

If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.

Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet.

If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.

+ + ![Microsoft Intune: Choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png) + +2. Add as many locations as you need, and then click **OK**.

The **Add or Edit Enterprise Network Locations box** closes. + +3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

+ + ![Microsoft Intune: Specify a data recovery certificate for your policy](images/intune-data-recovery.png) + +## Choose your optional EDP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. + +**To add your optional settings** + +1. Choose to set any or all of the optional EDP-related settings: + + - **Allow the user to decrypt data that was created or edited by the apps configured above.** Clicking **Yes**, or turning off this setting in Intune, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **No** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted. + + - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone. + + ![Microsoft Intune: Optional EDP settings](images/intune-edpsettings.png) + +2. Click **Save Policy**. + +## Related topics +- [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) +- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) +- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) +- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) + + + +  + +  + + + + + 
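Review bot: the Enterprise Cloud Domain row of the network-locations table is internally inconsistent: the Description says "Include the "|" delimiter just before the "|" if you don't use proxies", which names the same character twice, while the stated format is [URL,Proxy]|[URL,Proxy], so the delimiter that must still precede the "|" when a resource has no proxy is presumably the ","; and the Format cell's example `contoso.sharepoint.com,proxy1.contoso.com|office.com|proxy2.contoso.com` separates office.com from proxy2.contoso.com with "|" rather than ",", which under that format makes proxy2.contoso.com a third cloud resource instead of office.com's proxy. Suggest `office.com,proxy2.contoso.com` and a sentence such as "If a resource has no proxy, still include the "," before the "|"". In the same table, the Enterprise IPv4 Range example 3.4.0.1-3.4.255.254 is not a private (RFC 1918) range even though the cell asks for a range "within your intranet"; the 10.0.0.1-10.255.255.254 range already used in the Custom URI example would be the safer illustration.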
diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md new file mode 100644 index 0000000000..ddc24c2fc9 --- /dev/null +++ b/windows/keep-secure/create-edp-policy-using-sccm.md 
@@ -0,0 +1,296 @@ +--- +title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) +description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. +ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 +keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview +- System Center Configuration Manager (version 1511 or later) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. 
+ +## In this topic: +- [Add an EDP policy](#add-an-edp-policy) + +- [Choose which apps can access your enterprise data](#choose-which-apps-can-access-your-enterprise-data) + +- [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data) + +- [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains) + +- [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) + +- [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings) + +- [Review your configuration choices in the Summary screen](#review-your-configuration-choices-in-the-summary-screen) + +- [Deploy the EDP policy](#deploy-the-edp-policy) + +## Add an EDP policy +After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy. + +**To create a configuration item for EDP** + +1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. + + ![System Center Configuration Manager, Configuration Items screen](images/edp-sccm-addpolicy.png) + +2. Click the **Create Configuration Item** button.

+The **Create Configuration Item Wizard** starts. + + ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/edp-sccm-generalscreen.png) + +3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. + + - **Settings for devices managed with the Configuration Manager client:** Windows 10 + + -OR- + + - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 + +5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. + + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png) + +6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**. + + ![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png) + +The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization. + +## Choose which apps can access your enterprise data +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations. + +The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application. + +**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list. + +**To add a UWP app** + +1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** + +2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them by following these steps. + + **To find the Publisher and Product name values for Microsoft Store apps without installing them** + + 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. + + 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + + 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value. + + The API runs and opens a text editor with the app details. + + ``` json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + + 4. 
Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**. +

**Important**
If you don’t see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded. +

**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:
  + + ``` + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` + + ![Create Configuration Item wizard, add a Universal Windows Platform (UWP) app](images/edp-sccm-adduniversalapp.png) + +**To add a Classic Windows application** + +1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** +

A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**. + +2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended.)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and File Name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, File Name, and File Version, Exactly, selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, File Name, and File Version, And above selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, File Name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
+ +If you’re unsure about what to include for the publisher, you can run this PowerShell command: + +```ps1 +Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. + +In this example, you'd get the following info: + +``` json +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. + +![Create Configuration Item wizard, add a Classic Windows app](images/edp-sccm-adddesktopapp.png) + +## Manage the EDP-protection level for your enterprise data +After you've added the apps you want to protect with EDP, you'll need to apply an app management mode. + +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. + +|Mode |Description | +|-----|------------| +|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. | +|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. 
| +|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data. +

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. | + +![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png) + +## Define your enterprise-managed identity domains +Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. + +You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. + +This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed. + +![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/sccm-primary-domain.png) + +**To add your primary domain** + +- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.

+If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com. + +## Choose where apps can access enterprise data +After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range. + +**To specify where your protected apps can find and send enterprise data on the network** + +1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud Domaincontoso.sharepoint.com,proxy1.contoso.com|
office.com|proxy2.contoso.com
Specify the cloud resources traffic to restrict to your protected apps.

For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the | delimiter. Include the "|" delimiter just before the "|" if you don’t use proxies. For example: [URL,Proxy]|[URL,Proxy].

Enterprise Network Domaindomain1.contoso.com,domain2.contoso.comSpecify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.

This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

Enterprise Proxy Serverdomain1.contoso.com:80;domain2.contoso.com:137Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.

This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.

Enterprise Internal Proxy Serverproxy1.contoso.com;proxy2.contoso.comSpecify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.
Enterprise IPv4 Range**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet.

If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.

Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet.

If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.

+ + ![Create Configuration Item wizard, specify the network locations that can be accessed by the protected apps](images/edp-sccm-primarydomain2.png) + +2. Add as many locations as you need, and then click **OK**.

+The **Add or Edit Enterprise Network Locations box** closes. + +3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

+Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + +## Choose your optional EDP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. + +**To add your optional settings** +- Choose to set any or all of the optional EDP-related settings: + + - **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted. + + - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone. + + ![Create Configuration Item wizard, choose additional optional settings for enterprise data protection](images/edp-sccm-optsettings.png) + +## Review your configuration choices in the Summary screen +After you've finished configuring your policy, you can review all of your info on the **Summary** screen. 
+ +**To view the Summary screen** +- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.

+A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. + + ![Create Configuration Item wizard, review the Summary screen before creating the policy](images/edp-sccm-summaryscreen.png) + +## Deploy the EDP policy +After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: +- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224) +- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225) +- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226) + +## Related topics +- [System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372) +- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623) +- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624) + +  + +  + + + + + diff --git a/windows/keep-secure/create-global-objects.md b/windows/keep-secure/create-global-objects.md new file mode 100644 index 0000000000..dd10fb6763 --- /dev/null +++ b/windows/keep-secure/create-global-objects.md 
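Review bot: the front matter of create-edp-policy-using-sccm.md has a YAML error: in `keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"]` the last item is missing its opening quote, so the list will not parse; it should read `"Configuration Manager"`. Three smaller points in the same hunk: the "In this topic" link `#choose-your-optional-EDP-related-settings` uses uppercase EDP while the anchor generated for "## Choose your optional EDP-related settings" is lowercase, so the in-page link will not resolve; the windowsPhoneLegacyId example JSON has a trailing comma after its only member, which is invalid JSON (drop the comma); and "see the[Data Recovery" in the data-recovery-certificate paragraph is missing a space before the link. The network-locations table here repeats the same "Include the "|" delimiter just before the "|"" sentence and the `office.com|proxy2.contoso.com` example as the Intune topic, so whatever fix is applied there should be applied here too.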
@@ -0,0 +1,160 @@ +--- +title: Create global objects (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. +ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create global objects + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Create global objects** security policy setting. + +## Reference + + +This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. + +A global object is an object that is created to be used by any number of processes or threads, even those not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. + +Constant: SeCreateGlobalPrivilege + +### Possible values + +- User-defined list of accounts + +- Default accounts listed below + +### Best practices + +- Do not assign any user accounts this right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, members of the Administrators group have this right, as do Local Service and Network Service accounts on the supported versions of Windows. Service is included for backwards compatibility with earlier versions of Windows. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

+

Local Service

+

Network Service

+

Service

Stand-Alone Server Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

Domain Controller Effective Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

Member Server Effective Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

Client Computer Effective Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

+ +  + +## Policy management + + +A restart of the device is not required for this policy setting to take effect. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +**Caution**   +A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. + +  + +Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition. + +### Countermeasure + +Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account with this user right assigned. + +### Potential impact + +None. 
Not Defined is the default domain policy configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md new file mode 100644 index 0000000000..64fb148309 --- /dev/null +++ b/windows/keep-secure/create-list-of-applications-deployed-to-each-business-group.md 
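Review bot: the Security considerations section of create-global-objects.md describes a different user right than the topic covers: the Countermeasure says "Do not assign the **Create a token object** user right to any users" and the Vulnerability text discusses "Users with the ability to create or modify tokens", whereas the topic is **Create global objects** (constant SeCreateGlobalPrivilege) and the Reference section says this right controls creating global objects that are available to all sessions. Suggest rewriting the Vulnerability and Countermeasure paragraphs so they describe SeCreateGlobalPrivilege and refer to **Create global objects** by name, consistent with the Best practices bullet "Do not assign any user accounts this right". Also, in Default values, "Service is included for backwards compatibility with earlier versions of Windows" names the Service account before the table introduces it; consider "The Service account is included ..." so the sentence is not read as a typo.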
@@ -0,0 +1,92 @@ +--- +title: Create a list of apps deployed to each business group (Windows 10) +description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. +ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a list of apps deployed to each business group + + +**Applies to** + +- Windows 10 + +This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. + +## Determining app usage + + +For each business group, determine the following: + +- The complete list of apps used, including different versions of an app + +- The full installation path of the app + +- The publisher and signed status of each app + +- The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control. + +- A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who cannot provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. + +### How to perform the app usage assessment + +Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. 
AppLocker includes the Automatically Generate Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. + +**Application inventory methods** + +Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. + +Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. + +**Tip**   +If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. 
+ +You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console. + +  + +The following topics in the [AppLocker Step-by-Step Guide](http://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method: + +- [Automatically generating executable rules from a reference computer](http://go.microsoft.com/fwlink/p/?LinkId=160264) + +- [Using auditing to track which apps are used](http://go.microsoft.com/fwlink/p/?LinkId=160281) + +### Prerequisites to completing the inventory + +Identify the business group and each organizational unit (OU) within that group to which you will apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: + +- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) + +- [Determine your application control objectives](determine-your-application-control-objectives.md) + +## Next steps + + +Identify and develop the list of apps. Record the name of the app, whether it is signed or not as indicated by the publisher's name, and whether or not it is a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For info about how to do this, see [Document your app list](document-your-application-list.md). + +After you have created the list of apps, the next step is to identify the rule collections, which will become the policies. 
This information can be added to the table under columns labeled: + +- Use default rule or define new rule condition + +- Allow or deny + +- GPO name + +To do this, see the following topics: + +- [Select the types of rules to create](select-types-of-rules-to-create.md) + +- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-permanent-shared-objects.md b/windows/keep-secure/create-permanent-shared-objects.md new file mode 100644 index 0000000000..79fc9f07f7 --- /dev/null +++ b/windows/keep-secure/create-permanent-shared-objects.md 
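Review bot: the **Tip** under "Application inventory methods" tells readers to "either disable Application Verifier or AppLocker"; turning AppLocker off to run a diagnostic tool is a heavier step than the topic otherwise suggests, and the same section already introduces the **Audit only** enforcement configuration for exactly this kind of evaluation. Suggest rewording to "You should either disable Application Verifier or switch the affected rule collection to **Audit only** while you test." so the advice stays consistent with the rest of the page. Also, "**Application inventory methods**" is a bold paragraph doing the job of a heading between two `###` headings; make it a `###` heading to match the file's structure.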
@@ -0,0 +1,140 @@ +--- +title: Create permanent shared objects (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. +ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create permanent shared objects + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Create permanent shared objects** security policy setting. + +## Reference + + +This user right determines which accounts can be used by processes to create a directory object by using the object manager. Directory objects include Active Directory objects, files and folders, printers, registry keys, processes, and threads. Users who have this capability can create permanent shared objects, including devices, semaphores, and mutexes. This user right is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel-mode inherently have this user right assigned to them, it is not necessary to specifically assign it. + +Constant: SeCreatePermanentPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Users who have the **Create permanent shared objects** user right could create new shared objects and expose sensitive data to the network. Therefore, do not assign this right to any users. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, **LocalSystem** is the only account that has this right. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

LocalSystem

Member Server Effective Default Settings

LocalSystem

Client Computer Effective Default Settings

LocalSystem

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who have the **Create permanent shared objects** user right could create new shared objects and expose sensitive data to the network. + +### Countermeasure + +Do not assign the **Create permanent shared objects** user right to any users. Processes that require this user right should use the System account, which already includes this user right, instead of a separate user account. + +### Potential impact + +None. Not Defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-symbolic-links.md b/windows/keep-secure/create-symbolic-links.md new file mode 100644 index 0000000000..38de1ae084 --- /dev/null +++ b/windows/keep-secure/create-symbolic-links.md 
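Review bot: the **Countermeasure** section refers to "the System account", while the **Default values** text and the table call the same account **LocalSystem**; use one name so a reader can match the countermeasure to the table without guessing. The **Best practices** bullet also repeats the **Vulnerability** sentence word for word ("could create new shared objects and expose sensitive data to the network"); consider having Best practices point to the Security considerations section rather than duplicating it.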
@@ -0,0 +1,148 @@ +--- +title: Create symbolic links (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. +ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create symbolic links + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Create symbolic links** security policy setting. + +## Reference + + +This user right determines if users can create a symbolic link from the device they are logged on to. + +A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. + +**Warning**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. + +Constant: SeCreateSymbolicLinkPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- This user right should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, members of the Administrators group have this right. + +The following table lists the actual and effective default policy values. 
Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +### Command-line tools + +This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevalution /?** at the command prompt. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who have the **Create symbolic links** user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack. + +### Countermeasure + +Do not assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. + +### Potential impact + +None. Not defined is the default configuration. 
+ +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md new file mode 100644 index 0000000000..42c19efa73 --- /dev/null +++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md 
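Review bot: the **Command-line tools** section has a typo in the fsutil option: "fsutil behavior set symlinkevalution /?" should read **fsutil behavior set symlinkevaluation /?** (the option is SymlinkEvaluation); as written the command fails for anyone who types it in verbatim. The **Countermeasure** section refers back to the same **fsutil** setting, so the corrected spelling should be used there too if the command is repeated. Minor: "Not defined" in **Potential impact** should be "Not Defined" to match the **Possible values** list and the table.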
@@ -0,0 +1,117 @@ +--- +title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) +description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. +ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b +keywords: ["EDP", "Enterprise Data Protection"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. + +## Create your VPN policy using Microsoft Intune +Follow these steps to create the VPN policy you want to use with EDP. + +**To create your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. 
+ + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) + +4. In the **VPN Settings** area, type the following info: + + - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. + + - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. + + - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. + + - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). + + ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) + +5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

+It's your choice whether you check the box to **Remember the user credentials at each logon**. + + ![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) + +6. You can leave the rest of the default or blank settings, and then click **Save Policy**. + +## Deploy your VPN policy using Microsoft Intune +After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy. + +**To deploy your VPN policy** + +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

+The added people move to the **Selected Groups** list on the right-hand pane. + + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) + +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

+The policy is deployed to the selected users' devices. + +## Link your EDP and VPN policies and deploy the custom configuration policy +The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies + +**To link your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png) + +4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info. + +5. In the **OMA-URI Settings** area, type the following info: + + - **Setting name.** Type **EdpModeID** as the name. + + - **Data type.** Pick the **String** data type. + + - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EdpModeId`, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`. + + - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. + + ![Microsoft Intune: Fill in the OMA-URI Settings for the EdpModeID setting](images/intune-vpn-omaurisettings.png) + +6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** + + **To deploy your linked policy** + +1. 
On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane. + +3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. + +  + +  + + + + + diff --git a/windows/keep-secure/create-your-applocker-planning-document.md b/windows/keep-secure/create-your-applocker-planning-document.md new file mode 100644 index 0000000000..c05e7740c9 --- /dev/null +++ b/windows/keep-secure/create-your-applocker-planning-document.md 
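Review bot: in step 5 of "To link your VPN policy", the OMA-URI code span `./Vendor/MSFT/VPNv2//EdpModeId` has lost the placeholder segment that the sentence then tells the reader to replace (*<your\_edp\_policy\_name>*), leaving a double slash; the angle-bracketed token appears to have been dropped as HTML inside the backticks, so write it as `./Vendor/MSFT/VPNv2/<your_edp_policy_name>/EdpModeId` with the brackets escaped. The text is also inconsistent about which name goes in that segment: the prose says "the name you gave to your EDP policy", while the example `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId` reads like the VPN connection name from step 4 of the first procedure (Check Point Capsule VPN is one of the listed connection types); please confirm which name the VPNv2 path expects and make the prose and the example agree. Minor: the setting is spelled **EdpModeID** in the prose and `EdpModeId` in the URI, and "**Value.** Your fully-qualified domain that should be used by the OMA-URI setting" does not say which domain is meant.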
@@ -0,0 +1,411 @@ +--- +title: Create your AppLocker planning document (Windows 10) +description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. +ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create your AppLocker planning document + + +**Applies to** + +- Windows 10 + +This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. + +## The AppLocker deployment design + + +The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using AppLocker. + +You should have completed these steps in the design and planning process: + +1. [Determine your application control objectives](determine-your-application-control-objectives.md) + +2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) + +3. [Select types of rules to create](select-types-of-rules-to-create.md) + +4. [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +### AppLocker planning document contents + +Your planning document should contain: + +- A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information. + +- Application control policy project target dates, both for planning and deployment. + +- A complete list of apps used by each business group (or organizational unit), including version information and installation paths. 
+ +- What condition to apply to rules governing each application (or whether to use the default set provided by AppLocker). + +- A strategy for using Group Policy to deploy the AppLocker policies. + +- A strategy in processing the application usage events generated by AppLocker. + +- A strategy to maintain and manage AppLocker polices after deployment. + +### Sample template for an AppLocker planning document + +You can use the following form to construct your own AppLocker planning document. + +**Business group**: + +**Operating system environment**: (Windows and non-Windows) + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Contacts

Business contact:

Technical contact:

Other departments

In this business group:

Affected by this project:

Security policies

Internal:

Regulatory/compliance:

Business goals

Primary:

Secondary:

Project target dates

Design signoff date:

Policy deployment date:

+ +  + +**Rules** + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

 

+ +  + +**Event processing** + + +++++++ + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

 

+ +  + +**Policy maintenance** + + +++++++ + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApp decommission policyApp version policyApp deployment policy

 

Planned:

+

Emergency:

+ +  + +### Example of an AppLocker planning document + +**Rules** + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?ApplicationsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers-AppLockerTellerRules

Web help

Windows files

+

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Help desk

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR-AppLockerHRRules

Web help

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Allow

Web help

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Web help

+

Windows files

C:\Windows

Use the default rule for the Windows path

Allow

Help desk

+ +  + +**Event processing** + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

Bank Tellers

Forwarded to: AppLocker Event Repository on srvBT093

Standard

None

Standard

Human Resources

DO NOT FORWARD. srvHR004

60 months

Yes, summary reports monthly to managers

Standard

+ +  + +**Policy maintenance** + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApp decommission policyApp version policyApp deployment policy

Bank Tellers

Planned: Monthly through business office triage

+

Emergency: Request through help desk

Through business office triage

+

30-day notice required

General policy: Keep past versions for 12 months

+

List policies for each application

Coordinated through business office

+

30-day notice required

Human Resources

Planned: Monthly through HR triage

+

Emergency: Request through help desk

Through HR triage

+

30-day notice required

General policy: Keep past versions for 60 months

+

List policies for each application

Coordinated through HR

+

30-day notice required

+ +  + +### Additional resources + +- The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md). + +- For more general info, see [AppLocker](applocker-overview.md). + +  + +  + + + + + diff --git a/windows/keep-secure/create-your-applocker-policies.md b/windows/keep-secure/create-your-applocker-policies.md new file mode 100644 index 0000000000..d08dbfd31a --- /dev/null +++ b/windows/keep-secure/create-your-applocker-policies.md 
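Review bot: in the **Example of an AppLocker planning document** Rules table, the Human Resources row uses "Internet Explorer 7" at `C:\Program Files\Internet Explorer\` as the deny example; this topic is marked "Applies to: Windows 10", where Internet Explorer 7 does not exist, so the example should name a browser version present on the platform or a generic unsigned app so that the publisher-condition deny it illustrates is realistic. Two wording points in the **AppLocker planning document contents** list: "manage AppLocker polices" should be "policies", and "A strategy in processing the application usage events" reads better as "A strategy for processing the application usage events".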
@@ -0,0 +1,97 @@ +--- +title: Create Your AppLocker policies (Windows 10) +description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. +ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create Your AppLocker policies + + +**Applies to** + +- Windows 10 + +This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. + +Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection can be configured to be enforced or to run in **Audit only** mode. An AppLocker policy includes the rules in the five rule collections and the enforcement settings for each rule collection. + +## Step 1: Use your plan + + +You can develop an application control policy plan to guide you in making successful deployment decisions. For more info about how to do this and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: + +1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) + +2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) + +3. [Determine your application control objectives](determine-your-application-control-objectives.md) + +4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) + +5. 
[Select the types of rules to create](select-types-of-rules-to-create.md) + +6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +8. [Create your AppLocker planning document](create-your-applocker-planning-document.md) + +## Step 2: Create your rules and rule collections + + +Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md). + +## Step 3: Configure the enforcement setting + + +An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + +## Step 4: Update the GPO + + +AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to do this, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). 
+ +## Step 5: Test the effect of the policy + + +In a test environment or with the enforcement setting set at **Audit only**, verify that the results of the policy are what you intended. For info about testing a policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +## Step 6: Implement the policy + + +Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**. + +## Step 7: Test the effect of the policy and adjust + + +Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + +## Next steps + + +Follow the steps described in the following topics to continue the deployment process: + +1. [Create Your AppLocker rules](create-your-applocker-rules.md) + +2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) + +3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + +## See also + + +[AppLocker deployment guide](applocker-policies-deployment-guide.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/create-your-applocker-rules.md b/windows/keep-secure/create-your-applocker-rules.md new file mode 100644 index 0000000000..f1aa18a539 --- /dev/null +++ b/windows/keep-secure/create-your-applocker-rules.md 
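Review bot: in **Step 3: Configure the enforcement setting**, the sentence "If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that policy will be enforced" describes the behaviour most likely to surprise an administrator (a collection left at the default still blocks), but it is buried mid-paragraph. Suggest pulling it into a **Note** callout, as the sibling AppLocker topics do, and stating explicitly that **Not configured** is not the same as disabling the collection, so that a reader moving from **Audit only** to **Enforce rules** in **Step 6** does not leave a partially populated collection at the default.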
@@ -0,0 +1,108 @@ +--- +title: Create Your AppLocker rules (Windows 10) +description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. +ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create Your AppLocker rules + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. + +## Creating AppLocker rules + + +AppLocker rules apply to the targeted app, and they are the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). + +### Automatically generate your rules + +You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. 
For info about performing this task, see the following topics: + +- [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md) + +- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) + +- [Create AppLocker default rules](create-applocker-default-rules.md) + +- [Edit AppLocker rules](edit-applocker-rules.md) + +- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + +### Create your rules individually + +You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group. + +**Note**   +AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md). + +  + +For information about performing this task, see: + +1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) + +2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + +3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) + +4. [Edit AppLocker rules](edit-applocker-rules.md) + +5. [Enforce AppLocker rules](enforce-applocker-rules.md) + +6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + +## About selecting rules + + +AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they are implemented through an AppLocker policy definition. 
AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. + +When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group. + +For info about how to determine and document your AppLocker rules, see [AppLocker Design Guide](applocker-policies-design-guide.md). + +For info about AppLocker rules and AppLocker policies, see the following topics: + +- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) + +- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) + +- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) + +- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) + +- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +## Next steps + + +1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) + +2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md) + +3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) + +4. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + +## Related topics + + +[Create Your AppLocker policies](create-your-applocker-policies.md) + +  + +  + + + + + diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md new file mode 100644 index 0000000000..b0079da964 --- /dev/null 
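Review bot: In create-your-applocker-rules.md the phrase "the methods that you can to create rules" is missing its verb, and it appears twice, in the `description:` front matter and in the opening paragraph under **Applies to**; suggest "the methods that you can use to create rules" in both places. The link target `configure-the-appLocker-reference-device.md` in the "Automatically generate your rules" list has a capital L while every other link in this file and its siblings is all lowercase, so it will 404 on a case-sensitive host; rename it to `configure-the-applocker-reference-device.md` (or to whatever the real filename is). Finally, the runs of non-breaking-space lines and blank lines at the end of the file (also present in the applocker-policies file above) are conversion residue and can be dropped.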
+++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md 
@@ -0,0 +1,140 @@ +--- +title: Create a Device Guard code integrity policy based on a reference device (Windows 10) +description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. +ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Create a Device Guard code integrity policy based on a reference device + + +**Applies to** + +- Windows 10 + +To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. + +## Create a Device Guard code integrity policy based on a reference device + + +To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see [Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md). + +**Note**  Before creating a code integrity policy, make sure your reference device is clean of viruses and malware. + +  + +**To create a code integrity policy based on a reference device** + +1. On your reference device, start PowerShell as an administrator. + +2. In PowerShell, initialize variables by typing: + + ``` syntax + $CIPolicyPath=$env:userprofile+"\Desktop\" + $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" + $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin" + ``` + +3. 
Scan your device for installed applications and create a new code integrity policy by typing: + + ``` syntax + New-CIPolicy -Level -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt + ``` + + Where *<RuleLevel>* can be set to any of the following options: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Rule levelDescription

Hash

Specifies individual hash values for each discovered app. Each time an app is updated the hash value will change and you will need to update your policy.

FileName

Currently unsupported.

SignedVersion

Currently unsupported.

Publisher

This level is a combination of the PCA certificate and the common name (CN) on the leaf certificate. When a PCA certificate is used to sign apps from multiple companies (such as VeriSign), this rule level allows you to trust the PCA certificate but only for the company whose name is on the leaf certificate.

FilePublisher

Currently unsupported.

LeafCertificate

Adds trusted signers at the individual signing certificate level. When an app is updated, the hash value is modified but the signing certificate stays the same. You will only need to update your policy if the signing certificate for an app changes.

+
+ Note  Leaf certificates have much shorter validity periods than PCA certificates. You will need to update your policy if a certificate expires. +
+
+   +

PcaCertificate

Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, as the scan does not validate anything above the presented signature by going online or checking local root stores.

RootCertificate

Currently unsupported.

WHQL

Currently unsupported.

WHQLPublisher

Currently unsupported.

WHQLFilePublisher

Currently unsupported.

+ +   + +4. Type the following to convert the code integrity policy to a binary format: + + ``` syntax + ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin + ``` + +Once you have completed these steps, the Device Guard policy binary file (DeviceGuardPolicy.bin) and original xml file (InitialScan.xml) will be available on your desktop. + +**Note**  We recommend that you keep a copy of InitialScan.xml to use if you need to merge this code integrity policy with another policy, or update policy rule options. + +  + +## Related topics + + +[Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) + +  + +  + + + + + diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md new file mode 100644 index 0000000000..3d8a02bb7d --- /dev/null +++ b/windows/keep-secure/credential-guard.md 
@@ -0,0 +1,1031 @@ +--- +title: Protect derived domain credentials with Credential Guard (Windows 10) +description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# Protect derived domain credentials with Credential Guard + + +**Applies to** + +- Windows 10 +- Windows Server 2016 Technical Preview + +Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. + +Credential Guard offers the following features and solutions: + +- **Hardware security** Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization. + +- **Virtualization-based security** Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system. + +- **Better protection against advanced persistent threats** Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. 
+ +- **Manageability** You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell. + +## How it works + + +Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process + +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. + +Credential Guard also does not allow older variants of NTLM and Kerberos authentication protocols and cipher suites when using default derived credentials, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES. + +Here's a high-level overview on how the LSA is isolated by using virtualization-based security: + +![Credential Guard oveview](images/credguard.png) + +## New and changed functionality + + +To see what was added or changed in Credential Guard, see [What's new in Credential Guard?](../whats-new/credential-guard.md). + +## Hardware and software requirements + + +The PC must meet the following hardware and software requirements to use Credential Guard: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RequirementDescription

Windows 10 Enterprise

The PC must be running Windows 10 Enterprise.

UEFI firmware version 2.3.1 or higher and Secure Boot

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.

Virtualization extensions

The following virtualization extensions are required to support virtualization-based security:

+
    +
  • Intel VT-x or AMD-V
  • +
  • Second Level Address Translation
  • +

x64 architecture

The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹

Trusted Platform Module (TPM) version 1.2 or 2.0

TPM 1.2 and 2.0 provides protection for encryption keys that are stored in the firmware and are used by Credential Guard. See the following table to determine which TPM versions are supported on your OS.

+ + + + + + + + + + + +
OS versionRequired TPM
Windows 10 version 1507TPM 2.0
Windows 10 version 1511TPM 2.0 or TPM 1.2
+
+Note  If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. +
+
+  +

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx)

Credential Guard requires the secure MOR bit to help prevent certain memory attacks.

Physical PC

For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.

+ +  + +¹ If you choose the **Secure Boot and DMA protection** option in the Group Policy setting, an IOMMU is required. The **Secure Boot** Group Policy option enables Credential Guard on devices without an IOMMU. + +## Manage Credential Guard + + +Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it. + +### Turn on Credential Guard by using Group Policy + +You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you. + +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. + +2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. + +3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. + +4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. + + ![](images/credguard-gp.png) + +5. Close the Group Policy Management Console. + +### Add Credential Guard to an image + +If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard. + +### Add the virtualization-based security features + +First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). + +**Note**  If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. + +  + +**Add the virtualization-based security features by using Programs and Features** + +1. Open the Programs and Features control panel. + +2. Click **Turn Windows feature on or off**. + +3. 
Select the **Isolated User Mode** check box. + +4. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. + +5. Click **OK**. + +**Add the virtualization-based security features to an offline image by using DISM** + +1. Open an elevated command prompt. + +2. Add the Hyper-V Hypervisor by running the following command: + + ``` syntax + dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor + ``` + +3. Add Isolated User Mode by running the following command: + + ``` syntax + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` + +**Note**   +You can also add these features to an online image by using either DISM or Configuration Manager. + +  + +### Turn on Credential Guard + +If you don't use Group Policy, you can enable Credential Guard by using the registry. + +**Turn on Credential Guard by using the registry** + +1. Open Registry Editor. + +2. Enable virtualization-based security: + + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. + + - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. + + - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 2 to use **Secure Boot and DMA protection**. + +3. Enable Credential Guard: + + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. + + - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. + +4. Close Registry Editor. + +**Note**   +You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. 
+ +  + +### Remove Credential Guard + +If you have to remove Credential Guard on a PC, you need to do the following: + +1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). + +2. Delete the following registry setting: HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags + +3. Delete the Credential Guard EFI variables by using bcdedit. + +**Delete the Credential Guard EFI variables** + +1. From an elevated command prompt, type the following commands: + + ``` syntax + mountvol X: /s + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + mountvol X: /d + ``` + +2. Restart the PC. + +3. Accept the prompt to disable Credential Guard. + +4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. + +**Note**   +The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. + +If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: + +**bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS** + +For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). 
+ +  + +### Check that Credential Guard is running + +You can use System Information to ensure that Credential Guard is running on a PC. + +1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. + +2. Click **System Summary**. + +3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. + + Here's an example: + + ![](images/credguard-msinfo32.png) + +## Considerations when using Credential Guard + + +- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. + +- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + + - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + + - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 + + - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. + - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. + + - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] + + - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + + You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. + + - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. 
Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + +- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, Microsoft Passport, or Microsoft Passport for Work. + +- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. + +- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. + +- If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections. 
+ +- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: + + - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. + + - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. + + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + +## Scenarios not protected by Credential Guard + + +Some ways to store credentials are not protected by Credential Guard, including: + +- Software that manages credentials outside of Windows feature protection + +- Local accounts and Microsoft Accounts + +- Credential Guard does not protect the Active Directory database running on Windows Server 2016 Technical Preview domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 Technical Preview servers running Remote Desktop Gateway. If you're using a Windows Server 2016 Technical Preview server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. + +- Key loggers + +- Physical attacks + +- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. 
+ +## Additional mitigations + + +Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. + +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. By deploying authentication policies with compound authentication in Windows Server 2012 R2 or later domains, users can be restricted to only sign on from specific domain-joined devices. However, since devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, authentication policies can require that the device authenticates with its private key. This prevents shared secrets on stolen devices to be used with stolen user passwords or Kerberos secret keys to sign on as the user. + +Device certificate authentication has the following requirements: + +- Device domains are Windows Server 2012 or higher and all domain controllers have certificates, which satisfy strict KDC validation (KDC EKU present and the DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension). + +- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. + +- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. 
+ +### Additional Group Policy settings + +There are a few Group Policy settings that you can enable that provide more protection against credential attacks: + +- On the domain controllers, configure the KDC support for claims, compound authentication, and Kerberos armoring system by using Group Policy. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. + +- On devices running Windows 10, you can turn it on by using Group Policy as well. To do this, enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** & **Always send compound authentication first system** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. + +### Compound authentication + +Compound authentication adds the device identity to the user’s during authentication to the domain and resources. Without compound authentication, only the user’s secrets are validated. With compound authentication, the Kerberos client has to have both the user’s and device’s secrets. + +Enabling compound authentication also enables Kerberos armoring, which provides two additional benefits: + +- User authentication on domain-joined devices will be armored. This means that network captures will contain encrypted Kerberos initial authentication. Without the appropriate device key, Kerberos AS-REQs are protected against offline dictionary attacks. + +- KDC errors are signed, which provides protection against error spoofing attacks. + +### Deploying machine certificates + +If the domain controllers in your organization are running Windows Server 2016 Technical Preview, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. 
+ +If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device. + +The same security procedures used for issuing smart cards to users should be applied to machine certificates. + +1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** + +2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. + +3. Right-click the new template, and then click **Properties**. + +4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. + +5. Click **Client Authentication**, and then click **Remove**. + +6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: + + - Name: Kerberos Client Auth + + - Object Identifier: 1.3.6.1.5.2.3.4 + +7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. + +8. Under **Issuance Policies**, click**High Assurance**. + +9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. + +On devices that are running Credential Guard, enroll the devices using the machine authentication certificate by running the following command: + +``` syntax +CertReq -EnrollCredGuardCert MachineAuthentication +``` + +**Note**   +You must restart the device after enrolling the machine authentication certificate. + +  + +### Link the issuance policies to a group + +By using an authentication policy, you can ensure that users only sign into devices that are running Credential Guard. Before you deploy the authentication policy though, you must first run a couple of scripts that set up your environment. 
+ +- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. + + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\get-IssuancePolicy.ps1 –LinkedToGroup:All + ``` + +- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. + + From a Windows PowerShell command prompt, run the following command: + + ``` syntax + .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:”” –groupOU:”” –groupName:”” + ``` + +### Deploy the authentication policy + +Before setting up the authentication policy, you should log any failed attempt to apply an authentication policy on the KDC. To do this in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. + +Now you can set up an authentication policy to use Credential Guard. + +**To add an authentication policy for Credential Guard** + +1. Ensure that your domain controllers are running at least the Windows Server 2012 R2 domain functional level. + +2. Create a security group that will be used to identify the PCs that will have this authentication policy applied to them. + +3. Add the computer account to this security group. + +4. Open Active Directory Administrative Center. + +5. Click **Authentication**, click **New**, and then click **Authentication Policy**. + +6. In the **Display name** box, enter a name for this authentication policy. + +7. Under the **Accounts** heading, click **Add**. + +8. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account, and then click **OK**. + +9. Under the **User** heading, click the **Edit** button that applies to user account. + +10. Click **Add a condition**. + +11. 
In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. + +12. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. + +13. Click **OK** to close the **Edit Access Control Conditions** box. + +14. Click **OK** to create the authentication policy. + +15. Close Active Directory Administrative Center. + +**Note**   +When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios. + +  + +### Appendix: Scripts + +Here is a list of scripts that are mentioned in this topic. + +### Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### + +Param ( +$Identity, +$LinkedToGroup +) + +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted. +help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. 
Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. +help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} + +##Import-LocalizedData getIP_strings + + +import-module ActiveDirectory + + +####################################### +## Help ## +####################################### + +function Display-Help { + + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} + + +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext + + +if ( !($Identity) 
-and !($LinkedToGroup) ) { +display-Help +break +} + +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity +write-host $errormsg -ForegroundColor Red + } + + foreach ($OID in $OIDs) { + + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name + +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + + } + return $OIDs + break +} + +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { + +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + 
$getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName + + +# Get the linked group. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN + +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} + +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { + +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { 
+ return $NonLinkedOIDs + break + } +} +``` + +**Note**   +If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + +  + +### Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### + +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) + +####################################### +## Strings definitions ## +####################################### + +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". 
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". 
Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. +ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} + +# import-localizeddata ErrorMsg + +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} + + + +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. 
+import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser + + +if ( !($IssuancePolicyName) ) { +display-Help +break +} + +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### + +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * + +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} + + + +####################################### +## Find the container of the group ## +####################################### + +if ($groupOU -eq $null) { +# default to the Users container +$groupContainer = $domain.UsersContainer +} +else { +$searchBase = [string]$domain.DistinguishedName +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +if ($groupContainer.count -gt 1) { +$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase +write-host $tmp -ForegroundColor Red +break; +} +elseif ($groupContainer -eq $null) { +$tmp = $ErrorMsg.confirmOUcreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName +if ($?){ +$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU +write-host $tmp -ForegroundColor Green 
+} +else{ +$tmp = $ErrorMsg.OUCreationError -f $groupOU +write-host $tmp -ForeGroundColor Red +break; +} +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name +write-host $tmp -ForegroundColor Green +} +} + +####################################### +## Find the group ## +####################################### + +if (($groupName -ne $null) -and ($groupName -ne "")){ +##$searchBase = [String]$groupContainer.DistinguishedName +$searchBase = $groupContainer +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +if ($group -ne $null -and $group.gettype().isarray) { +$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($group -eq $null) { +$tmp = $ErrorMsg.confirmGroupCreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow 
-nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) { +$tmp = $ErrorMsg.UnlinkSuccess +write-host $tmp -ForeGroundColor Green +}else{ +$tmp = $ErrorMsg.UnlinkError +write-host $tmp -ForeGroundColor Red +} +} +else { +$tmp = $ErrorMsg.UnlinkExit +write-host $tmp +break +} +} +else { +$tmp = $ErrorMsg.IPNotLinked +write-host $tmp -ForeGroundColor Yellow +} +break; +} + + +####################################### +## Verify that the group is ## +## Universal, Security, and ## +## has no members ## +####################################### + +if ($group.GroupScope -ne "Universal") { +$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +if ($group.GroupCategory -ne "Security") { +$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +$members = Get-ADGroupMember -Identity $group +if ($members -ne $null) { +$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} +break; +} + + +####################################### +## We have verified everything. We ## +## can create the link from the ## +## Issuance Policy to the group. ## +####################################### + +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName +write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Replace $tmp +if ($?) 
{ +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +**Note**   +If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + +  + +## Related topics + + +[Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert) + +[Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel) + +[More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert) + +[Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode) + +[Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382) + +[What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx) + +[Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) + +[Trusted Platform Module](trusted-platform-module-overview.md) + +  + +  
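Review bot: the Display-Help text in set-IssuancePolicyToGroupLink.ps1 shows its examples as `.\Set-IssuancePolicyToGroupMapping.ps1 ...`, but the page tells the reader to "Save the script file as set-IssuancePolicyToGroupLink.ps1" and invokes it under that name in "Link the issuance policies to a group"; make the help examples use the same filename. In the same script, the group-creation branch calls `new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"` without `-Name`, which New-ADGroup requires, so after the user answers "yes" the cmdlet stops to prompt for a name rather than creating the group; add `-Name $groupName`. Both "Note" boxes say to "try replacing the single quote after the ConvertFrom-StringData parameter" without saying what to replace it with; state plainly that the here-string must open with `@'` and close with `'@` on its own line, since a copied script may carry typographic quotes there. Smaller points: the two command examples use en dashes and curly quotes (`–IssuancePolicyName:””`), which should be ASCII `-` and `""` as in the scripts' own help text; step 8 is missing a space in "click**High Assurance**"; step 9 reads "that applies to user account" (missing "the"); and the strings "Univeral Security group" in both groupCreation messages are misspelled.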
diff --git a/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md new file mode 100644 index 0000000000..33a9de5798 --- /dev/null +++ b/windows/keep-secure/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
@@ -0,0 +1,136 @@ +--- +title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) +description: Describes the best practices, location, values, and security considerations for the DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. +ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. + +## Reference + + +This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. + +These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. 
+ +These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. + +This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + +### Possible values + +- *User-defined input* of the SDDL representation of the groups and privileges + + When you specify the users or groups that are to be given permissions, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges for local access and remote access. + +- Blank + + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Blank

Default Domain Controller Policy

Blank

Stand-Alone Server Default Settings

Blank

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups. + +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. 
+ +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. + +Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers. + +### Countermeasure + +To protect individual COM-based applications or services, set the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting to an appropriate device-wide ACL. + +### Potential impact + +Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. 
If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md new file mode 100644 index 0000000000..3ec93358be --- /dev/null +++ b/windows/keep-secure/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
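Review bot: in "Potential impact", "Windows implements default COM ACLs when they are installed", "confirm that the application-specific call permissions that ACL assigns are the correct permissions", and the following "If it does not, you must change ..." have number and reference problems; suggest "when it is installed", "that the ACL assigns", and "If they are not". In "Group Policy", the opening sentence "take precedence over the previous registry settings when this policy setting was configured" is hard to parse; say that once the policy is configured, the keys it writes under Policies take precedence over the older keys under OLE, which is what the next two sentences already explain. The "Default values" table arrives as bare cells after a run of `+++` and `+` rows before "Server type or GPO", so confirm it renders with its "Server type or GPO" / "Default value" header row in the published page.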
@@ -0,0 +1,136 @@ +--- +title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10) +description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. +ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. + +## Reference + + +This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. 
The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. + +These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. + +The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. + +### Possible values + +- Blank + + This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + +- *User-defined input* of the SDDL representation of the groups and privileges + + When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Blank

Default Domain Controller Policy

Blank

Stand-Alone Server Default Settings

Blank

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. + +If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. + +You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. 
You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. + +Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. + +### Countermeasure + +To protect individual COM-based applications or services, set this policy setting to an appropriate computer-wide ACL. + +### Potential impact + +Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/debug-programs.md b/windows/keep-secure/debug-programs.md new file mode 100644 index 0000000000..2950e96f89 --- /dev/null +++ b/windows/keep-secure/debug-programs.md 
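Review bot: under "Reference" and "Possible values" this topic still describes the permissions as access permissions, which contradicts its own opening paragraph. The third Reference paragraph says "you can grant or deny Local Access and Remote Access permissions to users and groups", and the second Possible values bullet says "Users and groups can be given explicit Allow or Deny privileges on both local access and remote access", while the first paragraph states that the ACLs "control local and remote COM launch requests (not access requests)". This reads as carried over from the Machine Access Restrictions topic; the rest of this page (Group Policy: "the device launch permissions for those groups"; Potential impact: "launch permissions ACL" and "activation permissions") uses launch and activation, so reword both sentences to grant or deny local and remote launch and activation. Two smaller points in the same hunk: the setting is named "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" in the third Reference paragraph but without "the" everywhere else, and under "Group Policy" the sentence "RpcSs checks the new registry keys in the Policies section" should name the key and value that this policy writes, so a reader can verify the effective value in the registry rather than only through the policy editor.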
@@ -0,0 +1,140 @@ +--- +title: Debug programs (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. +ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Debug programs + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting. + +## Reference + + +This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. + +Constant: SeDebugPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- Assign this user right only to trusted users to reduce security vulnerabilities. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, members of the Administrators group have this right. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. + +### Countermeasure + +Remove the accounts of all users and groups that do not require the **Debug programs** user right. + +### Potential impact + +If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. 
+ +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/delete-an-applocker-rule.md b/windows/keep-secure/delete-an-applocker-rule.md new file mode 100644 index 0000000000..bed27aa9de --- /dev/null +++ b/windows/keep-secure/delete-an-applocker-rule.md 
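Review bot: the "Countermeasure" and "Potential impact" paragraphs describe two different actions. Countermeasure says "Remove the accounts of all users and groups that do not require the Debug programs user right", which keeps Administrators (the documented default), while Potential impact opens with "If you revoke this user right, no one can debug programs", which describes emptying the list. State which one is recommended; if it is the former, the impact paragraph should say that Administrators keep the right and only additional accounts lose it. The OU workaround in the same paragraph also omits a step that the Policy management section makes necessary: because "Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on", the person doing the debugging has to log off and back on after the temporary GPO applies, and again after it is removed, so add that to the procedure.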
@@ -0,0 +1,48 @@ +--- +title: Delete an AppLocker rule (Windows 10) +description: This topic for IT professionals describes the steps to delete an AppLocker rule. +ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Delete an AppLocker rule + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to delete an AppLocker rule. + +As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. + +For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To delete a rule in an AppLocker policy** + +1. Open the AppLocker console. + +2. Click the appropriate rule collection for which you want to delete the rule. + +3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. + +**Note**   +When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. + +When this procedure is performed on the local device, the AppLocker policy takes effect immediately. + +  + +  + +  + + + + + 
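Review bot: the third paragraph overstates what deleting a rule does: "deleting the rule or rules associated with that app will prevent the app from running". That holds only when the deleted rules are allow rules, the rule collection is being enforced, and no other rule in the collection still matches the same files; deleting a deny rule has the opposite effect and makes the app runnable. Reword to "removes the rule that allowed the app" and move the Test-AppLockerPolicy reference from the paragraph above into the procedure as a final step, so the reader verifies that the app is actually blocked after the deletion rather than before it.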
diff --git a/windows/keep-secure/deny-access-to-this-computer-from-the-network.md b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md new file mode 100644 index 0000000000..e4e6d176a7 --- /dev/null +++ b/windows/keep-secure/deny-access-to-this-computer-from-the-network.md @@ -0,0 +1,152 @@ +--- +title: Deny access to this computer from the network (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. +ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deny access to this computer from the network + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting. + +## Reference + + +This security setting determines which users are prevented from accessing a device over the network. + +Constant: SeDenyNetworkLogonRight + +### Possible values + +- User-defined list of accounts + +- Guest + +### Best practices + +- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, this setting is Guest on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Guest

Stand-Alone Server Default Settings

Guest

Domain Controller Effective Default Settings

Guest

Member Server Effective Default Settings

Guest

Client Computer Effective Default Settings

Guest

+ +  + +## Policy management + + +This section describes features and tools available to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. + +### Countermeasure + +Assign the **Deny access to this computer from the network** user right to the following accounts: + +- Anonymous logon + +- Built-in local Administrator account + +- Local Guest account + +- All service accounts + +An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. 
You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. + +### Potential impact + +If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/deny-log-on-as-a-batch-job.md b/windows/keep-secure/deny-log-on-as-a-batch-job.md new file mode 100644 index 0000000000..c7a4c65273 --- /dev/null +++ b/windows/keep-secure/deny-log-on-as-a-batch-job.md 
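Review bot: the "Countermeasure" list does not carry forward the domain-controller caveat from "Best practices". Best practices warns to "use caution when you assign this user right on domain controllers" because AD DS uses network logons, yet the countermeasure then says to deny the right to the "Built-in local Administrator account" and "All service accounts" without qualification; on a domain controller the built-in Administrator account is the domain's own account, so applying this list to a DC denies exactly the access the best practice warns about. Add a sentence scoping the list to member servers and workstations, or restate the DC caveat beside it. Also, under "Possible values" the second item is "Guest", whereas the sibling topics list "Not defined"; Guest is the default, not a distinct possible value, so align this with the other pages.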
@@ -0,0 +1,148 @@ +--- +title: Deny log on as a batch job (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. +ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deny log on as a batch job + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. + +## Reference + + +This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler. + +Constant: SeDenyBatchLogonRight + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +1. When you assign this user right, thoroughly test that the effect is what you intended. + +2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). + +3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools available to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +This policy setting might conflict with and negate the **Log on as a batch job** setting. + +### Group Policy + +On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. + +For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition. + +### Countermeasure + +Assign the **Deny log on as a batch job** user right to the local Guest account. 
+ +### Potential impact + +If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/deny-log-on-as-a-service.md b/windows/keep-secure/deny-log-on-as-a-service.md new file mode 100644 index 0000000000..005a760cfe --- /dev/null +++ b/windows/keep-secure/deny-log-on-as-a-service.md 
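Review bot: the "Vulnerability" paragraph is inverted. It reads "Accounts that have the Deny log on as a batch job user right could be used to schedule jobs that could consume excessive computer resources", but an account that holds the Deny right is precisely the one that cannot run scheduled jobs; the exposure comes from accounts that hold "Log on as a batch job", the right the Reference paragraph says Task Scheduler requires. Change it to "Accounts that have the Log on as a batch job user right could be used to ...", otherwise the Countermeasure that follows (assigning the Deny right to Guest) reads as creating the problem it is meant to fix. Minor wording point under "Group Policy": "check the Settings tab of your two domain controller policy and domain policy GPOs" should read "check the Settings tab of both the Default Domain Controller Policy and the Default Domain Policy GPOs", matching the names used in the table.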
@@ -0,0 +1,146 @@ +--- +title: Deny log on as a service (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. +ms.assetid: f1114964-df86-4278-9b11-e35c66949794 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deny log on as a service + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. + +## Reference + + +This policy setting determines which users are prevented from logging on to the service applications on a device. + +A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting. + +Constant: SeDenyServiceLogonRight + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +1. When you assign this user right, thoroughly test that the effect is what you intended. + +2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools available to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. + +This policy setting might conflict with and negate the **Log on as a service** setting. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure services, and an attacker who has already attained that level of access could configure the service to run by using the System account. + +### Countermeasure + +We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. 
Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. + +### Potential impact + +If you assign the **Deny log on as a service** user right to specific accounts, services may not start and a denial-of-service condition could result. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/deny-log-on-locally.md b/windows/keep-secure/deny-log-on-locally.md new file mode 100644 index 0000000000..82391e79b2 --- /dev/null +++ b/windows/keep-secure/deny-log-on-locally.md 
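Review bot: the "Vulnerability" paragraph attributes a capability to this right that it does not carry, and its own second sentence says so. "Accounts that can log on to a service application could be used to configure and start new unauthorized services" conflates the service logon right with the ability to install services; the next sentence correctly notes that "only users with administrative rights can install and configure services". The right only decides whether an installed service can be started under that account, so rewrite the first sentence along the lines of "An account that holds the Log on as a service right can be used as the identity of a service; an attacker with administrative access could install an unauthorized service, such as a keylogger, to run under such an account." The Reference paragraph has the same looseness: "prevented from logging on to the service applications on a device" should be "prevented from being used to run a service", since it is the service, not an interactive user, that logs on with this logon type.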
@@ -0,0 +1,144 @@ +--- +title: Deny log on locally (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. +ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deny log on locally + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting. + +## Reference + + +This policy setting determines which users are prevented from logging on directly at the device's console. + +Constant: SeDenyInteractiveLogonRight + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +1. Assign the **Deny log on locally** user right to the local guest account to restrict access by potentially unauthorized users. + +2. Test your modifications to this policy setting in conjunction with the **Allow log on locally** policy setting to determine if the user account is subject to both policies. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +If you apply this policy setting to the Everyone group, no one will be able to log on locally. + +### Group Policy + +This policy setting supersedes the **Allow log on locally** policy setting if a user account is subject to both policies. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. + +### Countermeasure + +Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + +### Potential impact + +If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. 
However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/deny-log-on-through-remote-desktop-services.md b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md new file mode 100644 index 0000000000..952c471dfd --- /dev/null +++ b/windows/keep-secure/deny-log-on-through-remote-desktop-services.md 
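Review bot: the warning "If you apply this policy setting to the Everyone group, no one will be able to log on locally" sits under "Policy management" where it is easy to miss, and the section right below it explains why the mistake cannot be undone from the policy itself: "This policy setting supersedes the Allow log on locally policy setting if a user account is subject to both policies", so no Allow assignment can override it. Move the sentence into "Best practices" next to the existing advice to test against "Allow log on locally", and state that it applies to any group that contains the administrative accounts, not only Everyone. Typo under "Potential impact": "on device that are configured with the Web Server role" should read "on devices that are configured with the Web Server role".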
@@ -0,0 +1,142 @@ +--- +title: Deny log on through Remote Desktop Services (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. +ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deny log on through Remote Desktop Services + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting. + +## Reference + + +This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server. + +Constant: SeDenyRemoteInteractiveLogonRight + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +The **Remote System** property controls settings for Remote Desktop Services (**Allow or prevent remote connections to the computer**) and for Remote Assistance (**Allow Remote Assistance connections to this computer**). + +### Group Policy + +This policy setting supersedes the [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md) policy setting if a user account is subject to both policies. + +Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update. + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. Organizational unit policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights. + +### Countermeasure + +Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. 
If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. + +### Potential impact + +If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md new file mode 100644 index 0000000000..dee2747b62 --- /dev/null +++ b/windows/keep-secure/deploy-applocker-policies-by-using-the-enforce-rules-setting.md 
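Review bot: the Reference paragraph of deny-log-on-through-remote-desktop-services.md stacks two "through" phrases ("logging on to the device through a Remote Desktop connection through Remote Desktop Services"); suggest "logging on to the device through a Remote Desktop Services connection". In Best practices, "add the user account to or remove user accounts from the Remote Desktop Users group" mixes singular and plural; "add user accounts to, or remove them from, the Remote Desktop Users group" reads cleaner.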
@@ -0,0 +1,70 @@ +--- +title: Deploy AppLocker policies by using the enforce rules setting (Windows 10) +description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. +ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deploy AppLocker policies by using the enforce rules setting + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. + +## Background and prerequisites + + +These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. + +For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md). + +For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md). + +## Step 1: Retrieve the AppLocker policy + + +Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. 
For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + +## Step 2: Alter the enforcement setting + + +Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + +## Step 3: Update the policy + + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack. + +**Caution**   +You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +  + +For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). 
+ +For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + +## Step 4: Monitor the effect of the policy + + +When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + +## Additional resources + + +- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). + +  + +  + + + + + diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md new file mode 100644 index 0000000000..5bf2f443a2 --- /dev/null +++ b/windows/keep-secure/deploy-edp-policy-using-intune.md 
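Review bot: Step 2 of deploy-applocker-policies-by-using-the-enforce-rules-setting.md is about moving a rule collection to Enforce rules, but the only procedure it links is "Configure an AppLocker policy for audit only"; either link the enforce-rules procedure if this doc set has one, or state that the same enforcement dialog is used for both settings. The same target is also linked as "Understand AppLocker enforcement settings" in Background and as "Understand AppLocker Enforcement Settings" in Step 2; pick one casing.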
@@ -0,0 +1,49 @@ +--- +title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) +description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. +ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211 +keywords: ["EDP", "Enterprise Data Protection", "Intune"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Deploy your enterprise data protection (EDP) policy using Microsoft Intune +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. + +**To deploy your EDP policy** + +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. + + ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) + +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

+The added people move to the **Selected Groups** list on the right-hand pane. + + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) + +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

+The policy is deployed to the selected users' devices. + +## Related topics +- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) +-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) +- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) +- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) + +  + +  + + + + + diff --git a/windows/keep-secure/deploy-the-applocker-policy-into-production.md b/windows/keep-secure/deploy-the-applocker-policy-into-production.md new file mode 100644 index 0000000000..da107fefad --- /dev/null +++ b/windows/keep-secure/deploy-the-applocker-policy-into-production.md 
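Review bot: in deploy-edp-policy-using-intune.md the second Related topics bullet is written "-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list]" with no space after the hyphen, so Markdown will not render it as a list item. The continuation sentences in steps 2 and 3 ("The added people move to the **Selected Groups** list on the right-hand pane." and "The policy is deployed to the selected users' devices.") start at column 0 while the image lines in the same steps are indented; indent them the same way so they stay attached to their numbered items.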
@@ -0,0 +1,61 @@ +--- +title: Deploy the AppLocker policy into production (Windows 10) +description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. +ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Deploy the AppLocker policy into production + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. + +After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs. + +### Understand your design decisions + +Before you deploy an AppLocker policy, you should determine: + +- For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + +- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md). + +- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). 
+ +- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). + +For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + +### AppLocker deployment methods + +If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated. + +- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + + This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means. + +- [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) + + This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**. + +## See also + + +[AppLocker deployment guide](applocker-policies-deployment-guide.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md new file mode 100644 index 0000000000..8fc14ddac0 --- /dev/null +++ b/windows/keep-secure/determine-group-policy-structure-and-rule-enforcement.md 
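Review bot: deploy-the-applocker-policy-into-production.md jumps from the H1 title to "### Understand your design decisions" and "### AppLocker deployment methods" with no H2 in between, unlike the sibling topics in this change that use "## " for their top-level sections; use "## " for both. Minor wording: "set the enforcement setting on **Audit only**" should be "to **Audit only**".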
@@ -0,0 +1,74 @@ +--- +title: Determine the Group Policy structure and rule enforcement (Windows 10) +description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. +ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Determine the Group Policy structure and rule enforcement + + +**Applies to** + +- Windows 10 + +This overview topic describes the process to follow when you are planning to deploy AppLocker rules. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)

This topic describes the AppLocker enforcement settings for rule collections.

[Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)

This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.

[Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)

This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.

+ +  + +When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: + +- Whether you are creating new GPOs or using existing GPOs + +- Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO + +- GPO naming conventions + +- GPO size limits + +**Note**   +There is no default limit on the number of AppLocker rules that you can create. However, in Windows Server 2008 R2, GPOs have a 2 MB size limit for performance. In subsequent versions, that limit is raised to 100 MB. + +  + +  + +  + + + + + diff --git a/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md new file mode 100644 index 0000000000..b909f207d6 --- /dev/null +++ b/windows/keep-secure/determine-which-applications-are-digitally-signed-on-a-reference-computer.md 
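Review bot: "Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO" expands to "Policies policies"; suggest "implementing Software Restriction Policies (SRP) and AppLocker policies in the same GPO". The Note gives 2 MB and 100 MB GPO size limits without a reference; a link to the source of those figures would help readers checking the limit for their version.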
@@ -0,0 +1,46 @@ +--- +title: Determine which apps are digitally signed on a reference device (Windows 10) +description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. +ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Determine which apps are digitally signed on a reference device + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. + +The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To determine which apps are digitally signed on a reference device** + +1. Run **Get-AppLockerFileInformation** with the appropriate parameters. + + The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + +2. Analyze the publisher's name and digital signature status from the output of the command. + +For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx). 
+ +## Related topics + + +[Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) + +  + +  + + + + + diff --git a/windows/keep-secure/determine-your-application-control-objectives.md b/windows/keep-secure/determine-your-application-control-objectives.md new file mode 100644 index 0000000000..653b1b4585 --- /dev/null +++ b/windows/keep-secure/determine-your-application-control-objectives.md 
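Review bot: step 1 of determine-which-applications-are-digitally-signed-on-a-reference-computer.md ("Run **Get-AppLockerFileInformation** with the appropriate parameters") leaves the reader to guess the parameters; since the next sentence says unsigned files carry no publisher information, one concrete invocation would make step 2 actionable, for example `Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse | Where-Object { -not $_.Publisher }` to list the files under a directory that have no publisher. The title says "reference device" while the procedure says "Perform the following steps on each reference computer"; use one term throughout.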
@@ -0,0 +1,170 @@ +--- +title: Determine your application control objectives (Windows 10) +description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. +ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Determine your application control objectives + + +**Applies to** + +- Windows 10 + +This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. + +AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps. + +There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns. + +Use the following table to develop your own objectives and determine which application control feature best addresses those objectives. 
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Application control functionSRPAppLocker

Scope

SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

AppLocker policies apply only to the support versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).

Policy creation

SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.

AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

+

AppLocker permits customization of error messages to direct users to a Web page for help.

Policy maintenance

SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).

AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.

Policy application

SRP policies are distributed through Group Policy.

AppLocker policies are distributed through Group Policy.

Enforcement mode

SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

+

SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.

AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.

File types that can be controlled

SRP can control the following file types:

+
    +
  • Executables

  • +
  • Dlls

  • +
  • Scripts

  • +
  • Windows Installers

  • +
+

SRP cannot control each file type separately. All SRP rules are in a single rule collection.

AppLocker can control the following file types:

+
    +
  • Executables

  • +
  • Dlls

  • +
  • Scripts

  • +
  • Windows Installers

  • +
  • Packaged apps and installers

  • +
+

AppLocker maintains a separate rule collection for each of the five file types.

Designated file types

SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.

AppLocker does not support this. AppLocker currently supports the following file extensions:

+
    +
  • Executables (.exe, .com)

  • +
  • Dlls (.ocx, .dll)

  • +
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)

  • +
  • Windows Installers (.msi, .mst, .msp)

  • +
  • Packaged app installers (.appx)

  • +

Rule types

SRP supports four types of rules:

+
    +
  • Hash

  • +
  • Path

  • +
  • Signature

  • +
  • Internet zone

  • +

AppLocker supports three types of rules:

+
    +
  • Hash

  • +
  • Path

  • +
  • Publisher

  • +

Editing the hash value

SRP allows you to select a file to hash.

AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (Exe and Dll) and Windows Installers and a SHA2 flat file hash for the rest.

Support for different security levels

With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges.

+

SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).

AppLocker does not support security levels.

Manage Packaged apps and Packaged app installers.

Unable

.appx is a valid file type which AppLocker can manage.

Targeting a rule to a user or a group of users

SRP rules apply to all users on a particular computer.

AppLocker rules can be targeted to a specific user or a group of users.

Support for rule exceptions

SRP does not support rule exceptions

AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.

Support for audit mode

SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.

AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

Support for exporting and importing policies

SRP does not support policy import/export.

AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.

Rule enforcement

Internally, SRP rules enforcement happens in the user-mode which is less secure.

Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.

+ +  + +For more general info, see [AppLocker](applocker-overview.md). + +  + +  + + + + + diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md new file mode 100644 index 0000000000..4fba3a5dc4 --- /dev/null +++ b/windows/keep-secure/device-guard-certification-and-compliance.md 
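Review bot: several cells in the comparison table in determine-your-application-control-objectives.md need copyedits: "AppLocker policies apply only to the support versions of Windows" should read "supported versions"; "whereas the rest of the file are allowed to run by default" should read "the rest of the files"; "such that the by default all files are blocked" has a stray "the"; "SRP does not support rule exceptions" is missing its period. In the "Manage Packaged apps and Packaged app installers." row the SRP cell is just "Unable" while every other SRP cell is a sentence; "SRP cannot manage packaged apps or packaged app installers." matches the rest of the column, and the row label should drop its trailing period.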
@@ -0,0 +1,144 @@ +--- +title: Device Guard certification and compliance (Windows 10) +description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. +ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Device Guard certification and compliance + + +**Applies to** + +- Windows 10 + +Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. + +Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. + +For details on how to implement Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). + +## Why use Device Guard + + +With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. 
+ +Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210). + +### Advantages to using Device Guard + +You can take advantage of the benefits of Device Guard, based on what you turn on and use: + +- Helps provide strong malware protection with enterprise manageability +- Helps provide the most advanced malware protection ever offered on the Windows platform +- Offers improved tamper resistance + +## How Device Guard works + + +Device Guard restricts the Windows 10 operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including: + +- User Mode Code Integrity (UMCI) + +- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints) + +- Secure Boot with database (db/dbx) restrictions + +- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering. + +- Optional: Trusted Platform Module (TPM) 1.2 or 2.0 + +Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10. After that, Device Guard works to help protect your devices: + +1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 starts before anything else. + +2. After securely starting up the Windows boot components, Windows 10 can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. 
These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup. + +3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run. + +4. At the same time that Windows 10 starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates. + +## Required hardware and software + + +The following table shows the hardware and software you need to install and configure to implement Device Guard. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RequirementDescription

Windows 10 Enterprise

The PC must be running Windows 10 Enterprise.

UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

+
    +
  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

  • +
  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

  • +

Virtualization extensions

The following virtualization extensions are required to support virtualization-based security:

+
    +
  • Intel VT-x or AMD-V
  • +
  • Second Level Address Translation
  • +

Firmware lock

    +
  • The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings.

  • +
  • • Work with your hardware manufacturer to ensure that the devices are Device Guard ready

  • +
  • You should require a firmware password or higher authentication to change firmware settings.

  • +

x64 architecture

The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

In Windows 10, an IOMMU enhances system resiliency against memory attacks.

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

Signed processor microcode updates

If the processor supports it, you must require signed microcode updates.

+ +  + +## Related topics + + +[Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) + +[Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) + +  + +  + + + + + diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md new file mode 100644 index 0000000000..cdedb8169e --- /dev/null +++ b/windows/keep-secure/device-guard-deployment-guide.md 
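Review bot: step 1 of "How Device Guard works" expands UEFI as "Universal Extensible Firmware Interface"; the correct expansion is "Unified Extensible Firmware Interface". The same sentence also overstates what Secure Boot gives you: "so that boot kits can’t run and so that Windows 10 starts before anything else" should be narrowed to what the db/dbx check actually enforces, namely that only boot components signed by a key in db and not revoked in dbx are loaded, which blocks unsigned bootkits but is not a guarantee about what runs first. In the "Required hardware and software" table, the "A VT-d or AMD-Vi IOMMU" row's "enhances system resiliency against memory attacks" is too vague to act on; suggest naming the threat the IOMMU mitigates, DMA from peripherals into memory the hypervisor is protecting, so readers understand why a firmware-enabled IOMMU is on the list. Finally, the "Firmware lock" cell renders a doubled bullet ("• • Work with your hardware manufacturer to ensure that the devices are Device Guard ready") alongside empty list items, which points to a nested or empty <li> in the HTML table; check the list markup before merge.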
@@ -0,0 +1,1570 @@ +--- +title: Device Guard deployment guide (Windows 10) +description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. +ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 +keywords: ["virtualization", "security", "malware"] +ms.prod: W10 +ms.mktglfcycl: deploy +author: brianlic-msft +--- + +# Device Guard deployment guide + + +**Applies to** + +- Windows 10 + +Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. + +## Introduction to Device Guard + + +Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation, which results in financial loss. Many of these modern attackers are sponsored by nation states with unknown motives and large cyber terrorism budgets. These threats can enter a company through something as simple as an email message and can permanently damage its reputation for securing its software assets, as well as having significant financial impact. Windows 10 introduces several new security features that help mitigate a large percentage of today’s known threats. + +It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. 
In fact, current PCs trust everything that runs until malware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already been noticed. This signature-based system focuses on reacting to an infection and ensuring that the particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer must be infected first. The time between the detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe. + +In addition to antimalware solutions, there are some “whitelisting” technologies available, including AppLocker. These technologies perform single instance, or blanket-allow or blanket-deny rules for running applications. Although this is more preventative than signature-based detection, it requires significant ongoing maintenance. In Windows 10, these applications are most effective when they are deployed alongside Microsoft Device Guard. + +Device Guard breaks the current model of detection first-block later, and allows only trusted applications to run, period. This methodology is consistent with the successful prevention strategy for mobile phone security. With Device Guard, Microsoft has changed how the Windows operating system handles untrusted applications, which makes its defenses difficult for malware to penetrate. This new prevention versus detection model provides Windows clients with the necessary security for modern threats and, when implemented, makes most of today’s threats completely obsolete from day one. 
+ +Device Guard's features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security (VBS) options and the trust-nothing mobile device operating system model, which makes its defenses much more difficult for malware to penetrate. By using configurable code integrity policies, organizations are able to choose exactly which applications are allowed to run in their environment. Configurable code integrity is not limited to Windows Store applications and can be used with existing unsigned or signed Win32 applications, without the requirement that the application be repackaged. In addition, configurable code integrity can be deployed as an individual feature if organizations don’t possess the required hardware for Device Guard. Along with code integrity, Windows 10 leverages advanced hardware features such as CPU virtualization extensions, input/output memory management units (IOMMUs), Trusted Platform Module (TPM), and second-level address translation (SLAT) to offer comprehensive modern security to its users. Device Guard deployed with configurable code integrity and Credential Guard will be among the most impactful client-side security deployments an organization can implement today. In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as Credential Guard and AppLocker. + +## Device Guard overview + + +Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security options and the trust-nothing mobile device operating system model. 
A key feature in this model is called *configurable code integrity*, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines—exactly what has made mobile phone security so successful. In addition, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing provides organizations with a way to trust individual third-party applications. Device Guard—with configurable code integrity, Credential Guard, and AppLocker—is the most complete security defense that any Microsoft product has ever been able to offer a Windows client. + +Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware) section. + +Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. 
Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. In addition to an overview of each feature, this guide walks you through the configuration and deployment of them. + +### + +**Configurable code integrity** + +The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application that is running in user mode needs additional memory, the user mode process must request the resources from kernel mode, not directly from RAM. + +Code integrity is the component of the Windows operating system that verifies that the code Windows is running is trusted and safe. Like the operating system, Windows code integrity also contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from running unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the standard for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI standards. Beginning with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. 
Historically, UMCI has been available only in Windows RT and on Windows Phone devices, which has made it difficult for these devices to be infected with viruses and malware. In Windows 10, these same successful UMCI standards are available. + +Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks. By using code integrity policies, an enterprise can select exactly which binaries are allowed to run in both user mode and kernel mode, from the signer to the hash level. When completely enforced, it makes user mode in Windows function like a mobile phone, by allowing only specific applications or specific signatures to be trusted and run. This feature alone fundamentally changes the security in an enterprise. This additional security is not limited to Windows apps and does not require that an application be rewritten to be compatible with your existing, unsigned applications. You can implement configurable code integrity without enabling Device Guard, but it is intended to run in conjunction with Device Guard when supported hardware is available. For more information about how to configure, deploy, and manage code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. + +**Hardware security features and virtualization-based security** + +The Device Guard core functionality and protection start at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, will be able to take advantage of virtualization-based security (VBS) features that enhance Windows security. Device Guard leverages VBS to isolate core Windows services that are critical to the security and integrity of the operating system. 
This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today. One of these isolated services, called the Windows Code Integrity service, drives the Device Guard kernel mode configurable code integrity feature. This prevents code that has penetrated the kernel mode operations from compromising the code integrity service. + +Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dg-with-cg) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. + +### + +**Device Guard with AppLocker** + +Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. + +**Note**  One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit universal applications. 
Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. + +  + +AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. + +### + +**Device Guard with Credential Guard** + +Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. + +**Unified manageability** + +You can easily manage Device Guard features by using the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard: + +- **Group Policy**. 
Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simple to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. For more information about catalog files, see the [Catalog files](#catalog-files) section. + +- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information about how to deploy catalog files by using System Center Configuration Manager, see the [Deploy catalog files with System Center Configuration Manager](#deploy-cat-sccm) section. + +- **Microsoft Intune**. In a future release of Microsoft Intune, organizations will be able to leverage Intune for deployment and management of code integrity policies and catalog files. + +- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. + +These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section. 
+## Plan for Device Guard + + +In this section, you will learn about the following topics: + +- [Approach enterprise code integrity deployment](#approach-enterprise). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization. + +- [Device Guard deployment scenarios](#device-guard-deployment). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment. + +- [Code signing adoption](#code-signing-adoption). Code signing is important to the security that Device Guard provides. This section outlines the options for code signing and the benefits and disadvantages of each method. + +- [Hardware considerations](#hardware). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh. + +## Approach enterprise code integrity deployment + + +Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise: + +1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. 
From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs. + + To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section. + +2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. 
For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-golden) section. + +3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. + +4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog-files) section. + +5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. 
For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware) section. + +6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-cat-gp) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-manage-code-gp) section. + +## Device Guard deployment scenarios + + +To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-enterprise) section. + +**Fixed-workload devices** + +The lists of approved applications on fixed-workload devices rarely change as they perform the same tasks day after day. Examples of such devices include kiosks, point-of-sale systems, and call center PCs. These devices could easily employ the full capabilities of Device Guard and would require little management or policy modification. Device Guard implementation to these devices is painless and requires little ongoing administration. 
With Device Guard fully implemented, users are able to run only those applications that the IT department installs, manages, and trusts. + +Device Guard components that are applicable to fixed-workload devices include: + +- KMCI VBS protection + + + +- Enforced UMCI policy + +**Fully managed devices** + +Fully managed devices are those for which the IT department restricts the software that is installed and run on them, but allows users to request installation of additional software or provides a list of approved software in an application catalog. Examples of such devices include locked-down, company-owned desktops and laptops. With these devices, establish an initial baseline code integrity policy and enforce the code integrity policy. The IT department manages the policies and updates the devices when new applications are approved or are provided in the System Center Configuration Manager catalog. + +Device Guard components that are applicable to fully managed devices include: + +- KMCI VBS protection + +- Enforced UMCI policy + +In this scenario, an application list is provided and trusted, and the trust policy is constantly re-evaluated when a user requests a new application. When an application is trusted across all of these devices, new user requests for that application do not require a policy update (alignment with application catalog). In addition, you can couple this with an onboarding process for new applications that you should add to the central application catalog. Initial implementation of Device Guard to fully managed devices is simple but does require more administrative overhead to manage trusted signatures of newly requested and approved applications. + +**Lightly managed devices** + +Lightly managed devices are company-owned machines over which users have full control, which includes what is installed on them. 
These devices run the organization’s antivirus solution and client management tools but are not restricted by software request or compliance policies. + +Device Guard components that are applicable to lightly managed devices include: + +- KMCI VBS protection + +- UMCI policy in Audit mode + +**Bring Your Own Device** + +Device Guard is not a good way to manage devices in a Bring Your Own Device (BYOD) model. When employees are allowed to bring their own devices, the management of user-mode applications on them can make it difficult for users to use their own devices when they are not at work. In addition, Device Guard functionality is difficult to maintain from an administrative perspective. For devices in this group, explore alternate hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. + +## Code signing adoption + + +Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy. + +For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. 
For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-lob) section. + +### + +**Existing line-of-business applications** + +Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated every time an application is updated and therefore require an updated catalog file. For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog-files) section. + +**Note**   +Catalog files are lists of individual binaries’ hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed. + +  + +When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section. 
+ +**Application development** + +Although in-house applications can be signed after packaging by using catalog files, Microsoft strongly recommends that embedded code signing be incorporated into your application development process. When signing applications, simply add the code signing certificate used to sign your applications to your code integrity policy. This ensures that your code integrity policy will trust any future application that is signed with that certificate. Embedding code signing into any in-house application development process is beneficial to your IT organization as you implement code integrity policies. + +## Hardware considerations + + +Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation. + +Different hardware features are required to implement the various features of Device Guard. There will likely be some individual features that you will be able to enable with your current hardware and some that you will not. However, for organizations that want to implement Device Guard in its entirety, several advanced hardware features will be required. For additional details about the hardware features that are required for Device Guard components, see the following table. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RequirementDescription

Windows 10 Enterprise

The PC must be running Windows 10 Enterprise.

UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

+
    +
  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

  • +
  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

  • +

Virtualization extensions

The following virtualization extensions are required to support virtualization-based security:

+
    +
  • Intel VT-x or AMD-V
  • +
  • Second Level Address Translation
  • +

Firmware lock

    +
  • The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings.

  • +
  • Work with your hardware manufacturer to ensure that the devices are Device Guard ready.

  • +
  • You should require a firmware password or higher authentication to change firmware settings.

  • +

x64 architecture

The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

In Windows 10, an IOMMU enhances system resiliency against memory attacks.

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

Signed processor microcode updates

If the processor supports it, you must require signed microcode updates.

+ +  + +## Device Guard deployment + + +In this section, you learn about the following topics: + +- [Configure hardware-based security features](#configure-hardware). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe. + +- [Catalog files](#catalog-files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes. + +- [Code integrity policies](#code-integrity-policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies. + +## Configure hardware-based security features + + +Hardware-based security features make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard: + +1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware) section. + +2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#vb-security) section. + +3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. 
For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-secureboot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. + +### + +**Windows feature requirements for virtualization-based security** + +In addition to the hardware requirements found in the [Hardware considerations](#hardware) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1). + +**Note**   +You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529). + +  + +![figure 1](images/dg-fig1-enableos.png) + +Figure 1. Enable operating system features for VBS + +After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualbased) section. For information about how to enable UEFI Secure Boot, see the [Enable Unified Extensible Firmware Interface Secure Boot](#enable-secureboot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-cg) section. + +### + +**Enable Unified Extensible Firmware Interface Secure Boot** + +Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware) section. 
There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10: + +**Note**   +There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include DMA protection (IOMMU) technologies. Without the presence of IOMMUs and with DMA protection disabled, customers will lose protection from driver-based attacks. + +  + +1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. + +2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**. + +3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate: + + - Set this value to **1** to enable the **Secure Boot** option. + + - Set this value to **2** to enable the **Secure Boot with DMA Protection** option. + +4. Restart the client machine. + +Unfortunately, it would be time consuming to perform these steps manually on every protected machine in your enterprise. Group Policy offers a much simpler way to deploy UEFI Secure Boot to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you prefer to link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups, you can certainly do so. + +**Note**   +Microsoft recommends that you test-enable this feature on a group of test machines before you deploy it to machines that are currently deployed to users. + +  + +**Use Group Policy to deploy Secure Boot** + + +1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. + + ![figure 2](images/dg-fig2-createou.png) + + Figure 2. 
Create a new OU-linked GPO + +2. Name the new GPO **Contoso Secure Boot GPO Test**. This example uses *Contoso Secure Boot GPO Test* as the name of the GPO. You can choose any name for this example. Ideally, the name would align with your existing GPO naming convention. + +3. To open the Group Policy Management Editor, right-click the new GPO, and then click **Edit**. + +4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**. + + ![figure 3](images/dg-fig3-enablevbs.png) + + Figure 3. Enable VBS + +5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list. + + ![figure 4](images/device-guard-gp.png) + + Figure 4. Enable Secure Boot + + **Note**   + Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMU, there are several mitigations provided by leveraging Secure Boot without DMA Protection. + +   + +6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, UEFI Secure Boot will be enabled upon restart. + +7. Check the test computer’s event log for Device Guard GPOs. + + Processed Device Guard policies are logged in event viewer at Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. 
+ +### + +**Enable virtualization-based security of kernel-mode code integrity** + +Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment. + +**Note**   +All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines. + +  + +To configure virtualization-based protection of KMCI manually: + +1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey. + +2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**. + +3. Restart the client computer. + +It would be time consuming to perform these steps manually on every protected machine in your enterprise. Instead, use Group Policy to deploy virtualization-based protection of KMCI. This example creates a test OU called *DG Enabled PCs*, which you will use to link the GPO. If you prefer to link the policy to an existing OU rather than create a test OU and scope the policy by using appropriately named computer security groups, that is another option. + +**Note**   +Microsoft recommends that you test-enable this feature on a group of test computers before you deploy it to machines that are currently deployed to users. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail. + +  + +To use Group Policy to configure VBS of KMCI: + +1. 
Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**. + + ![figure 5](images/dg-fig5-createnewou.png) + + Figure 5. Create a new OU-linked GPO + +2. Name the new GPO **Contoso VBS CI Protection GPO Test**. + + This example uses *Contoso VBS CI Protection GPO Test* as the name of the GPO. You can choose any name you prefer for this example. Ideally, this name would align with your existing GPO naming convention. + +3. Open the Group Policy Management Editor: Right-click the new GPO, and then click **Edit**. + +4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**. + + ![figure 6](images/dg-fig6-enablevbs.png) + + Figure 6. Enable VBS + +5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box. + + ![figure 7](images/dg-fig7-enablevbsofkmci.png) + + Figure 7. Enable VBS of KMCI + +6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart. + +7. Check the test client event log for Device Guard GPOs. + + Processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy. + +### + +**Enable Credential Guard** + +Credential Guard provides an additional layer of credential protection specifically for domain users by storing the credentials within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials. 
In addition to the client-side enablement of Credential Guard, you can deploy additional mitigations at both the Certification Authority and domain controller level to prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future. + +Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#vb-security) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment. + +To configure VBS of Credential Guard manually: + +1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa** registry subkey. + +2. Set the **LsaCfgFlags DWORD** value to **1**. + +3. Restart the client computer. + +To avoid spending an unnecessary amount of time in manual deployments, use Group Policy to deploy Credential Guard to your organization. This example creates a test OU called *DG Enabled PCs*. To enable Credential Guard, you can link to any OU, and then scope the GPO’s application by using security groups. + +**Note**   +Microsoft recommends that you enable Credential Guard before you join a machine to the domain to ensure that all credentials are properly protected. Setting the appropriate registry subkeys during your imaging process would be ideal to achieve this protection. + +  + +To use Group Policy to enable Credential Guard: + +1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here** . + + ![figure 8](images/dg-fig8-createoulinked.png) + + Figure 8. Create a new OU-linked GPO + +2. Name the new GPO **Contoso Credential Guard GPO Test**. + + This example uses *Contoso Credential Guard GPO Test* as the name of the GPO. 
You can choose any name you prefer for this example. Ideally, this name would align with your existing GPO naming convention. + +3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. + +4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. + + ![figure 9](images/dg-fig9-enablevbs.png) + + Figure 9. Enable VBS + +5. Select the **Enabled** option, and then select the **Enable Credential Guard** check box. + + ![figure 10](images/dg-fig10-enablecredentialguard.png) + + Figure 10. Enable Credential Guard + +6. Close Group Policy Management Editor, and then restart the Windows 10 test computer. + + **Note**   + The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard. + +   + +7. Check the test client event log for Device Guard GPOs. + +**Note**   +All processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. + +  + +For additional information about how Credential Guard works as well as additional configuration options, please refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529). + +**Validate enabled Device Guard hardware-based security features** + +Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. 
This class can be queried from an elevated Windows PowerShell session by using the following command: + +`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` + +**Note**   +The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. + +The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1. + +  + +Table 1. Win32\_DeviceGuard properties + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertiesDescriptionValid values
AvailableSecurityPropertiesThis field helps to enumerate and report state on the relevant security properties for Device Guard.
    +
  • 0. If present, no relevant properties exist on the device.

  • +
  • 1. If present, hypervisor support is available.

  • +
  • 2. If present, Secure Boot is available.

  • +
  • 3. If present, DMA protection is available.

  • +
InstanceIdentifierA string that is unique to a particular device.Determined by WMI.
RequiredSecurityPropertiesThis field describes the required security properties to enable virtualization-based security.
    +
  • 0. Nothing is required.

  • +
  • 1. If present, Secure Boot is needed.

  • +
  • 2. If present, DMA protection is needed.

  • +
  • 3. If present, both Secure Boot and DMA protection are needed.

  • +
SecurityServicesConfiguredThis field indicates whether the Credential Guard or HVCI service has been configured.
    +
  • 0. No services configured.

  • +
  • 1. If present, Credential Guard is configured.

  • +
  • 2. If present, HVCI is configured.

  • +
SecurityServicesRunningThis field indicates whether the Credential Guard or HVCI service is running.
    +
  • 0. No services running.

  • +
  • 1. If present, Credential Guard is running.

  • +
  • 2. If present, HVCI is running.

  • +
VersionThis field lists the version of this WMI class.The only valid value now is 1.0.
VirtualizationBasedSecurityStatusThis field indicates whether VBS is enabled and running.
    +
  • 0. VBS is not enabled.

  • +
  • 1. VBS is enabled but not running.

  • +
  • 2. VBS is enabled and running.

  • +
PSComputerNameThis field lists the computer name.All valid values for computer name.
+ +  + +Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11. + +![figure 11](images/dg-fig11-dgproperties.png) + +Figure 11. Device Guard properties in the System Summary + +## Catalog files + + +Enforcement of Device Guard on a system requires that every trusted application have a signature or its binary hashes added to the code integrity policy. For many organizations, this can be an issue when considering unsigned LOB applications. To avoid the requirement that organizations repackage and sign these applications, Windows 10 includes a tool called Package Inspector that monitors an installation process for any deployed and executed binary files. If the tool discovers such files, it itemizes them in a catalog file. These catalog files offer you a way to trust your existing unsigned applications, whether developed in house or by a third party, as well as trust signed applications for which you do not want to trust the signer but rather the specific application. When created, these files can be signed, the signing certificates added to your existing code integrity policies, and the catalog files themselves distributed to the clients. + +**Note**   +The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files. + +  + +### + +**Create catalog files** + +The creation of catalog files is the first step to add an unsigned application to a code integrity policy. To create a catalog file, copy each of the following commands into an elevated Windows PowerShell session, and then complete the steps: + +**Note**   +When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. 
For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-cat-sccm) section. + +  + +1. Be sure that a code integrity policy is currently running in audit mode. + + Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections should be deployed, in audit mode, to the system on which you are running Package Inspector. + + **Note**   + This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application. + +   + +2. Start Package Inspector, and then scan drive C: + + `PackageInspector.exe Start C:` + + **Note**   + Package inspector can monitor installations on any local drive. In this example, we install the application on drive C, but any other drive can be used. + +   + +3. Copy the installation media to drive C. + + By copying the installation media to drive C, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not be installed. + +4. Install and launch the application. + + Install the application to drive C. When the installation is finished, launch the application and ensure that any product updates are installed and any downloadable content caught during the scan. When finished, close and reopen the application once again to ensure that the scan has captured all binaries. 
+ + **Note**   + Every binary that is run while Package Inspector is running will be captured in the catalog. Therefore, be sure not to run additional installations or updates during the scan to minimize the risk of trusting the incorrect binaries. Alternatively, if you want to add multiple applications to a single catalog file, simply repeat the installation and run process while the current scan is running. + +   + +5. Stop the scan, and then generate definition and catalog files. When application installation and initial setup are finished, stop the Package Inspector scan and generate the catalog and definition files on your desktop by using the following commands: + + `$ExamplePath=$env:userprofile+"\Desktop"` + + `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` + + `$CatDefName=$ExamplePath+"\LOBApp.cdf"` + + `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` + +**Note**   +This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values. + +  + +When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign-signtool) section. + +### + +**Catalog signing with SignTool.exe** + +Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. 
For information about how to create catalog files, see the [Create catalog files](#create-catalog-files) section. In this example, you need the following: + +- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later) + +- The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created + +- Internal certification authority (CA) code signing certificate or purchased code signing certificate + +If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-dg-code) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session: + +1. Initialize the variables that will be used: + + + + + + + + + + + +
$ExamplePath=$env:userprofile+"\Desktop"
+ + + + + + + + + + + +
$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ + **Note**   + In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information. + +   + +2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-dg-code) section. + +3. Sign the catalog file with Signtool.exe: + + + + + + + + + + + +
<Path to signtool.exe> sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName
+ + **Note**   + The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* is the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the machine on which you are attempting to sign the catalog file. + +   + + **Note**   + For additional information about Signtool.exe and all additional switches, visit [MSDN Sign Tool page](http://go.microsoft.com/fwlink/p/?LinkId=624163). + +   + +4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 12. + + ![figure 12](images/dg-fig12-verifysigning.png) + + Figure 12. Verify that the signing certificate exists + +5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. + + For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, Microsoft recommends that you use Group Policy File Preferences to copy the appropriate catalog files to all desired machines or an enterprise systems management product such as System Center Configuration Manager. Doing this simplifies the management of catalog versions, as well. + +### + +**Deploy catalog files with Group Policy** + +To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate PCs in your organization. The following process walks you through the deployment of a signed catalog file called LOBApp-Contoso.cat to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**. + +**Note**   +This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. 
For more information about how to create and sign a catalog file, see the [Catalog files](#catalog-files) section. + +  + +To deploy a catalog file with Group Policy: + +1. From either a domain controller or a client PC that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. + +2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13. + + **Note**   + The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. + +   + + ![figure 13](images/dg-fig13-createnewgpo.png) + + Figure 13. Create a new GPO + +3. Name the new GPO **Contoso DG Catalog File GPO Test**. + + This example uses *Contoso DG Catalog File GPO Test* as the name of the GPO. You can choose any name you prefer for this example. + +4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. + +5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 14. + + ![figure 14](images/dg-fig14-createnewfile.png) + + Figure 14. Create a new file + +6. Configure the catalog file share. + + To use this setting to provide consistent deployment of LOBApp-Contoso.cat, the source file should be on a share that is accessible to the computer account of every deployed machine. This example uses a share on a Windows 10 client machine called \\\\Contoso-Win10\\Share. The catalog file being deployed is copied to this share. + +7. 
To keep versions consistent, in the **New File Properties** dialog box (Figure 15), select **Replace** from the **Action** list so that the newest version is always used. + + ![figure 15](images/dg-fig15-setnewfileprops.png) + + Figure 15. Set the new file properties + +8. In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included (for example, \\\\Contoso-Win10\\share\\LOBApp-Contoso.cat). + +9. In the **Destination File** box, type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat**. + + **Note**   + LOBApp-Contoso.cat is not a required catalog name: This name was used in the [Create catalog files](#create-catalog-files) section, and so it was used here, as well. + +   + +10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. + +11. Click **OK** to complete file creation. + +12. Close the Group Policy Management Editor, and then update the policy on the test Windows 10 machine by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the Windows 10 machine. + +### + +**Deploy catalog files with System Center Configuration Manager** + +As an alternative to Group Policy, you can use System Center Configuration Manager to deploy catalog files to the managed machines in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, System Center Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. 
Complete the following steps to create a new deployment package for catalog files: + +**Note**   +The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. + +  + +1. Open the Configuration Manager console, and select the Software Library workspace. + +2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**. + +3. Name the package, set your organization as the manufacturer, and select an appropriate version number (Figure 16). + + ![figure 16](images/dg-fig16-specifyinfo.png) + + Figure 16. Specify information about the new package + +4. Click **Next**, and then select **Standard program** as the program type. + +5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**. + +6. On the **Standard Program** page, select the following options (Figure 17): + + - In **Name**, type **Contoso Catalog File Copy Program**. + + - In **Command line**, browse to the program location. + + - In **Startup folder**, type **C:\\Windows\\System32**. + + - From the **Run** list, select **Hidden**. + + - From the **Program can run** list, select **Whether or not a user is logged on**. + + - From the **Drive mode** list, select **Runs with UNC name**. + + ![figure 17](images/dg-fig17-specifyinfo.png) + + Figure 17. Specify information about the standard program + +7. Accept the defaults for the rest of the wizard, and then close the wizard. + +After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you just created to a test collection: + +1. 
In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**. + +2. On the **General** page, select the test collection to which the catalog files will be deployed, and then click **Next**. + +3. On the **Content** page, click **Add** to select the distribution point that will serve content to the selected collection, and then click **Next**. + +4. On the **Deployment Settings** page, select **Required** in the **Purpose** box. + +5. On the **Scheduling** page, click **New**. + +6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then click **OK**. + +7. On the **Scheduling** page, click **Next**. + +8. On the **User Experience** page (Figure 18), set the following options, and then click **Next**: + + - Select the **Software installation** check box. + + - Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box. + + ![figure 18](images/dg-fig18-specifyux.png) + + Figure 18. Specify the user experience + +9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then click **Next**. + +10. On the **Summary** page, review the selections, and then click **Next**. + +11. Close the wizard. + +### + +**Inventory catalog files with System Center Configuration Manager** + +When catalog files have been deployed to the machines within your environment, whether by using Group Policy or System Center Configuration Manager, you can inventory them with the software inventory feature of System Center Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy. 
+ +**Note**   +A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names. + +  + +1. Open the Configuration Manager console, and select the Administration workspace. + +2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**. + +3. Name the new policy, and select the **Software Inventory** check box from the **Select and then configure the custom settings for client devices** list, as shown in Figure 19. + + ![figure 19](images/dg-fig19-customsettings.png) + + Figure 19. Select custom settings + +4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 20. + + ![figure 20](images/dg-fig20-setsoftwareinv.png) + + Figure 20. Set the software inventory + +5. In the **Configure Client Setting** dialog box, click the **Start** button to open the **Inventories File Properties** dialog box. + +6. In the **Name** box, type **\*Contoso.cat**, and then click **Set**. + + **Note**   + **\*Contoso.cat** is the naming convention used in this example. This should mimic the naming convention you use for your catalog files. + +   + +7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 21. + + ![figure 21](images/dg-fig21-pathproperties.png) + + Figure 21. Set the path properties + +8. Click **OK**. + +9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. 
+ +At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in System Center Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: + +1. Open the Configuration Manager console, and select the Assets and Compliance workspace. + +2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files. + +3. Right-click the computer, point to **Start**, and then click **Resource Explorer**. + +4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files. + +**Note**   +If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan. + +  + +## Code integrity policies + + +Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#config-code) section. + +A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden PC. Like when imaging, you can have multiple golden PCs based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. 
+ +**Note**   +Each machine can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies. + +  + +Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One simple method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, should the applications be installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. + +**Note**   +The following section assumes that you will deploy code integrity policies as part of your Device Guard deployment. Alternatively, configurable code integrity is available without the enablement of Device Guard. + +  + +### + +**Code integrity policy rules** + +Code integrity policies consist of several components. The two major components, which are configurable, are called *policy rules* and *file rules*, respectively. Code integrity policy rules are options that the code integrity policy creator can specify on the policy. These options include the enablement of audit mode, UMCI, and so on. You can modify these options in a new or existing code integrity policy. File rules are the level to which the code integrity policy scan ties each binary trust. For example, the hash level is going to itemize each discovered hash on the system within the generated code integrity policy. 
This way, when a binary prepares to run, the code integrity service will validate its hash value against the trusted hashes found in the code integrity policy. Based on that result, the binary will or will not be allowed to run. + +To modify the policy rule options of an existing code integrity policy, use the **Set-RuleOption** Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy: + +- To enable UMCI, add rule option 0 to an existing policy by running the following command: + + `Set-RuleOption -Option 0 -FilePath ` + +- To disable UMCI on an existing code integrity policy, remove rule option 0 by running the following command: + + ` Set-RuleOption -Option 0 -FilePath -Delete` + +You can set several rule options within a code integrity policy. Table 2 lists each rule and its high-level meaning. + +Table 2. Code integrity policy - policy rule options + +| **Rule option** | **Description** | +|----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **0 Enabled:UMCI** | Code integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | +| **1 Enabled:Boot Menu Protection** | This option is not currently supported. | +| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. 
| +| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the code integrity policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To enforce a code integrity policy, remove this option. | +| **4 Disabled:Flight Signing** | If enabled, code integrity policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. | +| **5 Enabled:Inherent Default Policy** | This option is not currently supported. | +| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | +| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | +| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. | +| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all code integrity policies. Setting this rule option allows the F8 menu to appear to physically present users. | +| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | + +  + +File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. 
File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario. + +Table 3. Code integrity policy - file rule levels + +| **Rule level** | **Description** | +|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | +| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. | +| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. 
| +| **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies’ applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. | +| **FilePublisher** | This is a combination of the publisher file rule level and the SignedVersion rule level. Any signed file from the trusted publisher that is the specified version or newer is trusted. | +| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. | +| **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. | +| **RootCertificate** | Currently unsupported. | +| **WHQL** | Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries. | +| **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. 
| +| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. | + +  + +**Note**   +When you create code integrity policies with the **New-CIPolicy** cmdlet, you can specify a primary file rule level by including the **–Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **–Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. + +  + +### + +**Create code integrity policies from golden PCs** + +The process to create a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. + +**Note**   +Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. + +  + +To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: + +1. 
Initialize variables that you will use: + + `$CIPolicyPath=$env:userprofile+"\Desktop\"` + + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + + `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + +2. Create a new code integrity policy by scanning the system for installed applications: + + `New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` + + **Note**   + By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, use the following command to enable UMCI: + + `Set-RuleOption -Option 0 -FilePath $InitialCIPolicy` + +   + + **Note**   + You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. + +   + + **Note**   + If you would like to specify the code integrity policy scan to look only at a specific drive, you can do so by using the *–ScanPath* parameter. Without this parameter, as shown in the example, the entire system is scanned. + +   + +3. Convert the code integrity policy to a binary format: + + `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + +After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. + +**Note**   +Microsoft recommends that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. 
For more information about how to merge code integrity policies, see the [Merge code integrity policies](#merge-code-integrity) section. + +  + +Microsoft recommends that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the [Audit code integrity policies](#audit-code-integrity) section. + +### + +**Audit code integrity policies** + +When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. + +**Note**   +Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see the [Create a code integrity policy](#create-code-golden) section for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. + +  + +To audit a code integrity policy with local policy: + +1. Copy the DeviceGuardPolicy.bin file that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section to C:\\Windows\\System32\\CodeIntegrity. + +2. On the system you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. + +3. 
Navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard, and then select **Deploy Code Integrity Policy**. Enable this setting by using the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 22. + + **Note**   + *DeviceGuardPolicy.bin* is not a required policy name. This name was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so was used here. Also, this policy file does not need to be copied to every system. Alternatively, you can copy the code integrity policies to a file share to which all computer accounts have access. + +   + + **Note**   + Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. + +   + + ![figure 22](images/dg-fig22-deploycode.png) + + Figure 22. Deploy your code integrity policy + + **Note**   + You may have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 computers. Microsoft recommends that you make your code integrity policies friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. + +   + +4. Restart reference system for the code integrity policy to take effect. + +5. Monitor the CodeIntegrity event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the Applications and Services Logs\\Microsoft\\CodeIntegrity\\Operational event log, as shown in Figure 23. + + ![figure 23](images/dg-fig23-exceptionstocode.png) + + Figure 23. Exceptions to the deployed code integrity policy + +6. Validate any code integrity policy exceptions. 
+ + After you run a code integrity policy in audit mode, Microsoft recommends that each logged exception be researched and validated. In addition to discovering which application is causing the exception and ensuring that it should be added to the code integrity policy, be sure to check which file level should be used to trust each application. Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of the exceptions. For information about file rule levels and their purpose, see the [Code integrity policy rules](#code-integrity-policy-rules) section. + +7. Create code integrity policy from audit events. + + For information about how to create code integrity policies from audit events, see the [Create code integrity policies from golden PCs](#create-code-golden) section. + +**Note**   +An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it with the local machine policy. + +  + +### + +**Create an audit code integrity policy** + +When you run code integrity policies in audit mode, validate any exceptions and determine whether you will need to add them to the code integrity policy you want to audit. Use the system as you normally would to ensure that any use exceptions are logged. When you are ready to create a code integrity policy from the auditing events, complete the following steps in an elevated Windows PowerShell session: + +1. Initialize the variables that will be used: + + `$CIPolicyPath=$env:userprofile+"\Desktop\"` + + `$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + +2. Analyze audit results. + + Before you create a code integrity policy from audit events, Microsoft recommends that each exception be analyzed, as discussed in steps 5 and 6 of the [Audit code integrity policies](#audit-code-integrity) section. + +3. 
Generate a new code integrity policy from logged audit events: + + `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` + +**Note**   +When you create policies from audit events, you should carefully consider the file rule level that you select to trust. In this example, you use the Hash rule level, which should be used as a last resort. + +  + +After you complete these steps, the Device Guard audit policy .xml file (DeviceGuardAuditPolicy.xml) will be available on your desktop. You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the [Merge code integrity policies](#merge-code-integrity) section. + +**Note**   +You may have noticed that you did not generate a binary version of this policy as you did in the [Create code integrity policies from golden PCs](#create-code-golden) section. This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. + +  + +### + +**Merge code integrity policies** + +When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden PCs. Because each Windows 10 machine can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. 
+ +**Note**   +The following example uses the code integrity policy .xml files that you created in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections. You can follow this process, however, with any two code integrity policies you would like to combine. + +  + +To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: + +1. Initialize the variables that will be used: + + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + + `$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + + `$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` + + ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` + + **Note**   + The variables in this section specifically expect to find an initial policy on your desktop called InitialScan.xml and an audit code integrity policy called DeviceGuardAuditPolicy.xml. If you want to merge other code integrity policies, update the variables accordingly. + +   + +2. Merge two policies to create a new code integrity policy: + + `Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` + +3. Convert the merged code integrity policy to binary format: + + ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` + +Now that you have created a new code integrity policy called NewDeviceGuardPolicy.bin, you can deploy the policy to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section. + +**Enforce code integrity policies** + +Every code integrity policy is created with audit mode enabled. 
After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: + +**Note**   +Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. + +  + +1. Initialize the variables that will be used: + + `$CIPolicyPath=$env:userprofile+"\Desktop\"` + + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" ` + + `$EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` + + `$CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` + + **Note**   + The initial code integrity policy that this section referenced was created in the [Create code integrity polices from golden PCs](#create-code-golden) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + +   + +2. Copy the initial file to maintain an original copy: + + `cp $InitialCIPolicy $EnforcedCIPolicy` + +3. Remove the audit mode rule option: + + `Set-RuleOption -Option 3 -FilePath $EnforcedCIPolicy -Delete` + + **Note**   + Rather than adding an **Enforced** option, code integrity policies are implicitly enforced if no **Audit Mode Enabled** option is present. + +   + +4. Convert the new code integrity policy to binary format: + + `ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` + + **Note**   + Microsoft strongly recommends that you enable rule options 9 and 10 before you run any enforced policy for the first time. If already present in the policy, do not remove it. Doing so allows Windows to start if the code integrity policy blocks a kernel-mode driver from running and provides administrators with a pre-boot command prompt. When ready for enterprise deployment, you can remove these options. 
+ +   + +Now that this policy has been enforced, you can deploy it to your test machines. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section, or through client management software by following the instructions in the section “Deploying and managing code integrity policies by using Microsoft client management solutions.” + +**Signing code integrity policies with SignTool.exe** + +Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the machine. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, Microsoft recommends that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity) section. + +Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Create a Device Guard code signing certificate](#create-dg-code) to create one with your on-premises CA. Before signing code integrity policies for the first time, be sure to enable rule options 9 and 10 to leave troubleshooting options available to test administrators. 
When validated and ready for enterprise deployment, you can remove these options. For information about how to add rule options, see the [Code integrity policy rules](#code-integrity-policy-rules) section. + +**Note**   +Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of machines. + +To sign a code integrity policy with SignTool.exe, you need the following components: + +- SignTool.exe, found in the Windows SDK (Windows 7 or later) + +- The binary format of the code integrity policy that you generated in the [Create code integrity policies from golden PCs](#create-code-golden) section or another code integrity policy that you have created + +- An internal CA code signing certificate or a purchased code signing certificate + +  + +If you do not have a code signing certificate, see the [Create a Device Guard code signing certificate](#create-dg-code) section for instructions on how to create one. If you use an alternate certificate or code integrity policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing code integrity policy, copy each of the following commands into an elevated Windows PowerShell session: + +1. Initialize the variables that will be used: + + `$CIPolicyPath=$env:userprofile+"\Desktop\" $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + + **Note**   + This example uses the code integrity policy that you created in the [Create code integrity policies from golden PCs](#create-code-golden) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + +   + +2. 
Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the machine that will be doing the signing. In this example, you use the certificate that was created in the [Create a Device Guard code signing certificate](#create-dg-code) section. + +3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. + +4. Navigate to your desktop as the working directory: + + `cd $env:USERPROFILE\Desktop ` + +5. Add an update signer certificate to the code integrity policy: + + `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + + **Note**   + *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. + +   + + **Note**   + Adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code) section. + +   + +6. Remove the unsigned policy rule option: + + `Set-RuleOption -Option 6 -FilePath $InitialCIPolicy -Delete` + +7. Convert the policy to binary format: + + `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + +8. Sign the code integrity policy by using SignTool.exe: + + ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + + **Note**   + The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the machine you use to sign the policy. + +   + +9. Validate the signed file. 
When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see the [Deploy and manage code integrity policies with Group Policy](#deploy-manage-code-gp) section. + +### + +**Disable unsigned code integrity policies** + +There may come a time when an administrator wants to disable a code integrity policy. For unsigned code integrity policies, this process is simple. Depending on how the code integrity policy was deployed, unsigned policies can be disabled in one of two ways. If a code integrity policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the machine. The following locations can contain executing code integrity policies: + +- <EFI System Partition>\\Microsoft\\Boot\\ + +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ + +If the code integrity policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the code integrity policy will be disabled on the next computer restart. + +### + +**Disable signed code integrity policies within Windows** + +Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. 
If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps: + +**Note**   +For reference, signed code integrity policies should be replaced and removed from the following locations: + +- <EFI System Partition>\\Microsoft\\Boot\\ + +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ + +  + +1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. + + **Note**   + To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. + +   + +2. Restart the client computer. + +3. Verify that the new signed policy exists on the client. + + **Note**   + If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. + +   + +4. Delete the new policy. + +5. Restart the client computer. + +If the signed code integrity policy has been deployed using by using Group Policy, you must complete the following steps: + +1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. + + **Note**   + To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. + +   + +2. Restart the client computer. + +3. Verify that the new signed policy exists on the client. + + **Note**   + If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. + +   + +4. Set the GPO to disabled. + +5. Delete the new policy. + +6. Restart the client computer. 
+ +### + +**Disable signed code integrity policies within the BIOS** + +There may be a time when signed code integrity policies cause a boot failure. Because code integrity policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed code integrity policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: + +- <EFI System Partition>\\Microsoft\\Boot\\ + +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ + +### + +**Deploy and manage code integrity policies with Group Policy** + +Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. + +**Note**   +This walkthrough requires that you have previously created a code integrity policy and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see the [Create code integrity polices from golden PCs](#create-code-golden) section. + +  + +**Note**   +Signed code integrity policies can cause boot failures when deployed. Microsoft recommends that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. + +  + +To deploy and manage a code integrity policy with Group Policy: + +1. 
On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search. + +2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 24. + + **Note**   + The DG Enabled PCs OU is just an example of where to link the test GPO created in this section. Any OU name can be used. Also, security group filtering is an option when considering policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section. + +   + + ![figure 24](images/dg-fig24-creategpo.png) + + Figure 24. Create a GPO + +3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example. + +4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. + +5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Deploy Code Integrity Policy**, and then click **Edit**. + + ![figure 25](images/dg-fig25-editcode.png) + + Figure 25. Edit the code integration policy + +6. In the **Display Code Integrity Policy** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path. + + In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. This example copied the DeviceGuardPolicy.bin file onto the test machine and will enable this setting and use the file path C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 26. 
+ + **Note**   + *DeviceGuardPolicy.bin* is not a required policy name: It was simply used in the [Create code integrity policies from golden PCs](#create-code-golden) section and so is used here, as well. Also, this policy file does not need to be copied to every computer. Alternatively, you can copy the code integrity policies to a file share to which the computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + +   + + ![figure 26](images/dg-fig26-enablecode.png) + + Figure 26. Enable the code integrity policy + + **Note**   + You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the Windows 10 client computers. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + +   + +7. Close the Group Policy Management Editor, and then restart the Windows 10 test machine. Restarting the client computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity)section. + +## Create a Device Guard code signing certificate + + +To sign catalog files or code integrity policies internally, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip these steps and proceed to the sections that outline the steps to sign catalog files and code integrity policies. If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: + +1. 
Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. + +2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. + + ![figure 27](images/dg-fig27-managecerttemp.png) + + Figure 27. Manage the certificate templates + +3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**. + +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. + +5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses **DG Catalog Signing Certificate**. + +6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. + +7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**. + +8. In the **Edit Basic Constraints Extension** dialog box, select the **Enable the extension** check box, as shown in Figure 28. + + ![figure 28](images/dg-fig29-enableconstraints.png) + + Figure 28. Enable constraints on the new template + +9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. + +10. On the **Subject Name** tab, select **Supply in the request**. + +11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate. + +12. Click **OK** to create the template, and then close the Certificate Template Console. + +When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps: + +1. 
In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 29. + + A list of available templates to issue appears, including the template you just created. + + ![figure 29](images/dg-fig30-selectnewcert.png) + + Figure 29. Select the new certificate template to issue + +2. Select the DG Catalog signing certificate, and then click **OK**. + +Now that the template is available to be issued, you must request one from the Windows 10 computer that you use to create and sign catalog files. To begin, open the MMC, and then complete the following steps: + +1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. + +2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**. + +3. Click **Next** twice to get to the certificate selection list. + +4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 30. + + ![figure 30](images/dg-fig31-getmoreinfo.png) + + Figure 30. Get more information for your code signing certificate + +5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.** + +6. Enroll and finish. + +**Note**   +If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. + +  + +This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. 
If the signing is going to be taking place on the machine on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: + +1. Right-click the certificate, point to **All Tasks**, and then click **Export**. + +2. Click **Next**, and then select **Yes, export the private key**. + +3. Choose the default settings, and then select **Export all extended properties**. + +4. Set a password, select an export path, and then select **DGCatSigningCert.pfx** as the file name. + +When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. + +## Related topics + + +[AppLocker overview](http://go.microsoft.com/fwlink/p/?LinkId=624172) + +[Code integrity](http://go.microsoft.com/fwlink/p/?LinkId=624173) + +[Credential guard](http://go.microsoft.com/fwlink/p/?LinkId=624529) + +[Device Guard certification and compliance](http://go.microsoft.com/fwlink/p/?LinkId=624840) + +[Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624843) + +[Dropping the Hammer Down on Malware Threats with Windows 10’s Device Guard](http://go.microsoft.com/fwlink/p/?LinkId=624844) + +  + +  + + + + + diff --git a/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md new file mode 100644 index 0000000000..5b03d0aedc --- /dev/null +++ b/windows/keep-secure/devices-allow-undock-without-having-to-log-on.md 
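Review bot: the two signing commands in "Signing code integrity policies with SignTool.exe" are incomplete as rendered, so a reader pasting them gets a parse error rather than a signed policy. Step 5 reads `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` with no value after `-CertificatePath`, and step 8 starts at `sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` with no executable in front, yet the notes under each step still refer to `<Path to exported .cer certificate>` and `<Path to signtool.exe>`; the angle-bracket placeholders were evidently swallowed as HTML inside the backticks, so escape them (or use a non-bracket placeholder) so they survive rendering. In step 1 of the same section the three assignments `$CIPolicyPath=...` `$InitialCIPolicy=...` `$CIPolicyBin=...` sit on one backtick line with no separator, which PowerShell rejects; split them onto separate lines as the merge and enforce sections do. Smaller points in this hunk: `–UserPEs` and `–Update` use an en-dash rather than an ASCII hyphen; several `###` headings are empty with the title on a following bold line (Merge, Disable unsigned, Disable signed, Deploy and manage), so move the text onto the heading; the note after step 4 of the enforce section says "do not remove it" for two options (9 and 10); typos "polices" (twice), "deployed using by using Group Policy", "On a domain controller on a client computer" (should be "or"), "code integration policy" in the Figure 25 caption, and a missing space before "section" after the audit link in step 7; and figures 28, 29 and 30 reference files named dg-fig29, dg-fig30 and dg-fig31, so check that the captions and image files have not drifted by one.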
@@ -0,0 +1,131 @@ +--- +title: Devices Allow undock without having to log on (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. +ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Devices: Allow undock without having to log on + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. + +## Reference + + +This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. + +**Note**   +Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + +  + +Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. 
However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them. + +### Countermeasure + +Disable the **Devices: Allow undock without having to log on** setting. + +### Potential impact + +Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md new file mode 100644 index 0000000000..40c23ebc27 --- /dev/null +++ b/windows/keep-secure/devices-allowed-to-format-and-eject-removable-media.md 
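Review bot: the last sentence of the Reference section has no terminating period; "a malicious user gaining physical access to these devices" runs straight into the "Possible values" heading. The Best practices and Countermeasure text recommend disabling the setting, but the Default values table shows it Enabled for the stand-alone, DC, member server and client effective defaults, so say explicitly that the recommendation is a change from the default rather than the default behaviour. The Restart requirement here says "without a device restart" while the printer-driver topic in this same change says "without a computer restart"; use one wording across the Security Options pages.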
@@ -0,0 +1,128 @@ +--- +title: Devices Allowed to format and eject removable media (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. +ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Devices: Allowed to format and eject removable media + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. + +## Reference + + +This policy setting determines who is allowed to format and eject removable media. + +Users can move removable disks to a different device where they have administrative user rights and then take ownership of any file, assign themselves full control, and view or modify any file. The advantage of configuring this policy setting is diminished by the fact that most removable storage devices will eject media with the press of a button. + +### Possible values + +- Administrators + +- Administrators and Power Users + +- Administrators and Interactive Users (not applicable to Windows Server 2008 R2 or Windows 7 and later) + +- Not defined + +### Best practices + +- It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Administrators

DC Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button is pressed diminishes the advantage of this policy setting. + +### Countermeasure + +Configure the **Devices: Allowed to format and eject removable media** setting to **Administrators**. + +### Potential impact + +Only administrators can format and eject removable media. If users are in the habit of using removable media for file transfers and storage, they must be informed of the change in policy. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md new file mode 100644 index 0000000000..b6c244f268 --- /dev/null +++ b/windows/keep-secure/devices-prevent-users-from-installing-printer-drivers.md 
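Review bot: the possible value "Administrators and Interactive Users (not applicable to Windows Server 2008 R2 or Windows 7 and later)" is listed on a page whose "Applies to" is Windows 10 only, so by its own parenthetical it is not a possible value on this platform; either drop it or reword the parenthetical to say it cannot be selected on Windows 10. The Best practices bullet says only administrators will be able to eject "NTFS-formatted" removable media, while the Potential impact says only administrators can format and eject removable media with no NTFS qualifier; align the two so the reader knows whether the restriction is file-system specific. The second Reference paragraph and the Vulnerability paragraph repeat the same point almost verbatim; one of them could be shortened to a cross-reference.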
@@ -0,0 +1,128 @@ +--- +title: Devices Prevent users from installing printer drivers (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. +ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Devices: Prevent users from installing printer drivers + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. + +## Reference + + +For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver. + +This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added. + +Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. 
Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. + +### Countermeasure + +Enable the **Devices: Prevent users from installing printer drivers** setting. + +### Potential impact + +Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md new file mode 100644 index 0000000000..4a6476a263 --- /dev/null +++ b/windows/keep-secure/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md 
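Review bot: The Reference, Best practices and Potential impact sections of devices-prevent-users-from-installing-printer-drivers.md disagree about who may install drivers when the setting is Enabled: the Reference says "only Administrators and Power Users can install a printer driver", Best practices says "the Administrative, Power User, or Server Operator groups", and Potential impact says "the Administrator, Power Users, or Server Operator groups". Use one list in all three places, with the actual group names (Administrators, Power Users, Server Operators). Also, "Only administrators should have this user right on servers" is misleading because this is a Security Options setting rather than a user rights assignment; "this capability" would be accurate. Finally, the Restart requirement says "computer restart" where the sibling topics say "device restart".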
@@ -0,0 +1,128 @@ +--- +title: Devices Restrict CD-ROM access to locally logged-on user only (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. +ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Devices: Restrict CD-ROM access to locally logged-on user only + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. + +## Reference + + +This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network. + +The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data. + +If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users. 
+ +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Best practices are dependent on your security and user accessibility requirements for CD drives. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + +### Countermeasure + +Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting. + +### Potential impact + +Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
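Review bot: The Countermeasure section of devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md names the setting "Devices: Restrict CD-ROM drive access to locally logged-on user only", but the title, the intro and the Reference section all use "Devices: Restrict CD-ROM access to locally logged-on user only"; drop the stray "drive" so the name matches what appears in the Security Options list. A smaller point: the Reference paragraph says "This is important when administrators are installing software or copying data from a CD-ROM" while the matching floppy topic says "when you are installing software"; align the two.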
diff --git a/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md new file mode 100644 index 0000000000..ade06f8756 --- /dev/null +++ b/windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md 
@@ -0,0 +1,128 @@ +--- +title: Devices Restrict floppy access to locally logged-on user only (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. +ms.assetid: 92997910-da95-4c03-ae6f-832915423898 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Devices: Restrict floppy access to locally logged-on user only + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. + +## Reference + + +This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. + +The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. + +If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. 
+ +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Best practices are dependent on your security and user accessibility requirements for CD drives. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. + +### Countermeasure + +Enable the **Devices: Restrict floppy access to locally logged-on user only** setting. + +### Potential impact + +Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
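Review bot: The Best practices bullet in devices-restrict-floppy-access-to-locally-logged-on-user-only.md says "requirements for CD drives", which looks copied from the CD-ROM topic; it should read "floppy disk drives". In the Reference section, "This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications" mixes "you" and "they"; use one subject. In Potential impact, "installed on the device when anyone is logged on to the local console of the server" switches from "device" to "server" in one sentence.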
diff --git a/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md new file mode 100644 index 0000000000..1cd3b2b2c5 --- /dev/null +++ b/windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md 
@@ -0,0 +1,47 @@ +--- +title: Display a custom URL message when users try to run a blocked app (Windows 10) +description: This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. +ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Display a custom URL message when users try to run a blocked app + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. + +Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. + +To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + +**To display a custom URL message when users try to run a blocked app** + +1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). + +2. Navigate to the Group Policy Object (GPO) that you want to edit. + +3. Right-click the GPO, and then click **Edit**. + +4. In the console tree under **Policies\\Administrative Templates\\Windows Components**, click **File Explorer**. + +5. In the details pane, double-click **Set a support web page link**. + +6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box. + +7. Click **OK** to apply the setting. + +  + +  + + + + + 
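Review bot: Typo in display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md: "If you do not display a custom message when an apps is blocked" should be "when an app is blocked". Step 4 gives the console path as "Policies\\Administrative Templates\\Windows Components" without naming the top-level node (Computer Configuration or User Configuration); the other topics in this commit spell out the full path from the top (for example "Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options"), so do the same here. Step 6 also mixes "custom Web page" and "Support Web page URL" capitalization with "support site" earlier; standardize on "web page".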
diff --git a/windows/keep-secure/dll-rules-in-applocker.md b/windows/keep-secure/dll-rules-in-applocker.md new file mode 100644 index 0000000000..aeabe9379e --- /dev/null +++ b/windows/keep-secure/dll-rules-in-applocker.md @@ -0,0 +1,89 @@ +--- +title: DLL rules in AppLocker (Windows 10) +description: This topic describes the file formats and available default rules for the DLL rule collection. +ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# DLL rules in AppLocker + + +**Applies to** + +- Windows 10 + +This topic describes the file formats and available default rules for the DLL rule collection. + +AppLocker defines DLL rules to include only the following file formats: + +- .dll + +- .ocx + +The following table lists the default rules that are available for the DLL rule collection. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PurposeNameUserRule condition type

Allows members of the local Administrators group to run all DLLs

(Default Rule) All DLLs

BUILTIN\Administrators

Path: *

Allow all users to run DLLs in the Windows folder

(Default Rule) Microsoft Windows DLLs

Everyone

Path: %windir%\*

Allow all users to run DLLs in the Program Files folder

(Default Rule) All DLLs located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +  + +**Important**   +If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps + +  + +**Caution**   +When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used. + +  + +## Related topics + + +[Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +  + +  + + + + + diff --git a/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md new file mode 100644 index 0000000000..a3e357256e --- /dev/null +++ b/windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md 
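Review bot: The Important note in dll-rules-in-applocker.md, "a DLL allow rule has to be created for each DLL that is used by all of the allowed apps", reads as if only DLLs shared by every allowed app need a rule; the intended meaning is every DLL used by any allowed app, so reword to "for each DLL that any allowed app loads" and add the missing period. In the default rules table, the Purpose column is inconsistent ("Allows members of the local Administrators group" versus "Allow all users"); use the same verb form in all three rows.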
@@ -0,0 +1,145 @@ +--- +title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) +description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. +ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Document the Group Policy structure and AppLocker rule enforcement + + +**Applies to** + +- Windows 10 + +This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. + +## Record your findings + + +To complete this AppLocker planning document, you should first complete the following steps: + +1. [Determine your application control objectives](determine-your-application-control-objectives.md) + +2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) + +3. [Select the types of rules to create](select-types-of-rules-to-create.md) + +4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. + +The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. + + ++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO name

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers-AppLockerTellerRules

Windows files

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR-AppLockerHRRules

Time Sheet Organizer

+

C:\Program Files\Woodgrove\HR\Timesheet.exe

+

File is not signed; create a file hash condition

+

Allow

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Windows files

C:\Windows

Use a default rule for the Windows path

Allow

+ +  + +## Next steps + + +After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: + +- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +- [Create your AppLocker planning document](create-your-applocker-planning-document.md) + +  + +  + + + + + diff --git a/windows/keep-secure/document-your-application-control-management-processes.md b/windows/keep-secure/document-your-application-control-management-processes.md new file mode 100644 index 0000000000..c5d5c7ecf4 --- /dev/null +++ b/windows/keep-secure/document-your-application-control-management-processes.md 
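Review bot: The Time Sheet Organizer row of the sample table in document-group-policy-structure-and-applocker-rule-enforcement.md contains stray empty `+` lines between the app name, installation path and rule condition cells (visible as lone `+` lines after "Time Sheet Organizer", "C:\Program Files\Woodgrove\HR\Timesheet.exe" and "File is not signed; create a file hash condition") that the other rows do not have; remove them so the rows are formatted the same way. The Bank Tellers "Windows files" row also has no GPO name while the Teller Software row does; if the intent is that both rows belong to Tellers-AppLockerTellerRules, say so or repeat the value.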
@@ -0,0 +1,260 @@ +--- +title: Document your application control management processes (Windows 10) +description: This planning topic describes the AppLocker policy maintenance information to record for your design document. +ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Document your application control management processes + + +**Applies to** + +- Windows 10 + +This planning topic describes the AppLocker policy maintenance information to record for your design document. + +## Record your findings + + +To complete this AppLocker planning document, you should first complete the following steps: + +1. [Determine your application control objectives](determine-your-application-control-objectives.md) + +2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) + +3. [Select the types of rules to create](select-types-of-rules-to-create.md) + +4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +The three key areas to determine for AppLocker policy management are: + +1. Support policy + + Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + +2. Event processing + + Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. + +3. Policy maintenance + + Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. 
+ +The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers-AppLockerTellerRules

Web help

Windows files

+

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Help desk

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR-AppLockerHRRules

Web help

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Allow

Web help

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Web help

+

Windows files

C:\Windows

Use the default rule for the Windows path

Allow

Help desk

+ +  + +The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. + +**Event processing policy** + +One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. + +The following table is an example of what to consider and record. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

Bank Tellers

Forwarded to: AppLocker Event Repository on srvBT093

Standard

None

Standard

Human Resources

DO NOT FORWARD. srvHR004

60 months

Yes, summary reports monthly to managers

Standard

+ +  + +**Policy maintenance policy** + +When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. + +The following table is an example of what to consider and record. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApplication decommission policyApplication version policyApplication deployment policy

Bank Tellers

Planned: Monthly through business office triage

+

Emergency: Request through help desk

Through business office triage

+

30-day notice required

General policy: Keep past versions for 12 months

+

List policies for each application

Coordinated through business office

+

30-day notice required

Human Resources

Planned: Monthly through HR triage

+

Emergency: Request through help desk

Through HR triage

+

30-day notice required

General policy: Keep past versions for 60 months

+

List policies for each application

Coordinated through HR

+

30-day notice required

+ +  + +## Next steps + + +After you have determined your application control management strategy for each of the business group's applications, the following task remains: + +- [Create your AppLocker planning document](create-your-applocker-planning-document.md) + +  + +  + + + + + diff --git a/windows/keep-secure/document-your-application-list.md b/windows/keep-secure/document-your-application-list.md new file mode 100644 index 0000000000..89cf353d55 --- /dev/null +++ b/windows/keep-secure/document-your-application-list.md 
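Review bot: The first table in document-your-application-control-management-processes.md has stray empty `+` lines inside the Bank Tellers "Windows files" row (after "Web help", before "Windows files", and before "C:\Windows") that the other rows lack; remove them for consistent formatting. The heading "**Policy maintenance policy**" is redundant; "**Policy maintenance**" matches the numbered list above it. The sentence "When applications are identified and policies are created for application control, then you can begin documenting" should drop "then" or "When".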
@@ -0,0 +1,153 @@ +--- +title: Document your app list (Windows 10) +description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. +ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Document your app list + + +**Applies to** + +- Windows 10 + +This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. + +## Record your findings + + +**Apps** + +Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*. + +**Installation path** + +Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices. + +The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation path

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

Windows files

C:\Windows

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

Internet Explorer 7

C:\Program Files\Internet Explorer\

Windows files

C:\Windows

+ +  + +**Note**   +AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. + +  + +**Event processing** + +As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: + +- Will event forwarding be implemented for AppLocker events? + +- What is the location of the AppLocker event collection? + +- Should an event archival policy be implemented? + +- Will the events be analyzed and how often? + +- Should a security policy be in place for event collection? + +**Policy maintenance** + +As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record: + +- How will rules be updated for emergency app access and permanent access? + +- How will apps be removed? + +- How many older versions of the same app will be maintained? + +- How will new apps be introduced? + +## Next steps + + +After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns: + +- Use default rule or define new rule condition + +- Allow or deny + +- GPO name + +To identify the rule collections, see the following topics: + +- [Select the types of rules to create](select-types-of-rules-to-create.md) + +- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +  + +  + + + + + 
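Review bot: The Event processing paragraph in document-your-application-list.md contradicts itself: "you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible" says denying apps makes users more productive. The intended point appears to be that events are generated whether users are allowed or denied, so reword to something like "consider how to manage the events generated when users run, or are denied, those apps, so that policy decisions do not reduce productivity". The Next steps list also says "added to the table under the following columns" but the sample table above has only five columns; make clear these are columns to be added later.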
diff --git a/windows/keep-secure/document-your-applocker-rules.md b/windows/keep-secure/document-your-applocker-rules.md new file mode 100644 index 0000000000..9abb8817ee --- /dev/null +++ b/windows/keep-secure/document-your-applocker-rules.md 
@@ -0,0 +1,138 @@ +--- +title: Document your AppLocker rules (Windows 10) +description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. +ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Document your AppLocker rules + + +**Applies to** + +- Windows 10 + +This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. + +## Record your findings + + +To complete this AppLocker planning document, you should first complete the following steps: + +1. [Determine your application control objectives](determine-your-application-control-objectives.md) + +2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) + +3. [Select the types of rules to create](select-types-of-rules-to-create.md) + +Document the following items for each business group or organizational unit: + +- Whether your organization will use the built-in default AppLocker rules to allow system files to run. + +- The types of rule conditions that you will use to create rules, stated in order of preference. + +The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md). + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?ApplicationsInstallation pathUse default rule or define new rule conditionAllow or deny

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Windows files

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Windows files

C:\Windows

Use the default rule for the Windows path

+ +  + +## Next steps + + +For each rule, determine whether to use the allow or deny option. Then, three tasks remain: + +- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) + +- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +- [Create your AppLocker planning document](create-your-applocker-planning-document.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md new file mode 100644 index 0000000000..de5c0393cd --- /dev/null +++ b/windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md 
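Review bot: the sample table applies the default Windows path rule inconsistently; the Bank Tellers row adds "Create a path exception to the default rule to exclude \Windows\Temp" while the Human Resources row says "Use the default rule for the Windows path" with no exception, and the paragraph introducing the table never says why an exception is needed. State the reason where the table is introduced (the default rule allows everything under C:\Windows, and subfolders such as \Windows\Temp are writable by standard users, so they should be excepted) and either apply the exception to both groups or note why HR differs. Also, "Internet Explorer 7" as a sample application on a page whose "Applies to" is Windows 10 is stale; Internet Explorer 11 or a generic name would avoid confusion. Finally, the Timesheet.exe row uses a file hash condition because the file is unsigned; a one-line reminder that a hash rule has to be re-created whenever that file is updated would help readers planning rule maintenance.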
@@ -0,0 +1,137 @@ +--- +title: Domain controller Allow server operators to schedule tasks (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. +ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain controller: Allow server operators to schedule tasks + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. + +## Reference + + +This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. + +**Note**   +This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. + +  + +Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. + +The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. 
+ +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Best practices for this policy are dependent on your security and operational requirements for task scheduling. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Command-line tools + +The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task. + +### Countermeasure + +Disable the **Domain controller: Allow server operators to schedule tasks** setting. + +### Potential impact + +The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md new file mode 100644 index 0000000000..72848b8339 --- /dev/null +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md 
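Review bot: the Best practices bullet ("dependent on your security and operational requirements for task scheduling") gives no recommendation, yet the Security considerations section of the same hunk says to disable the setting because at jobs run as Local System and let Server Operators do things such as add their account to the local Administrators group. State the recommended value as Disabled in Best practices so the two sections agree. Also fix the missing space in "can use the**at** command" in the first Reference paragraph, and the Note and the paragraph that follows it repeat the same Local System explanation; one of them can go.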
@@ -0,0 +1,135 @@ +--- +title: Domain controller LDAP server signing requirements (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. +ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain controller: LDAP server signing requirements + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. + +## Reference + + +This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. + +Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. + +This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. + +If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. + +**Caution**   +If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. 
+ +  + +### Possible values + +- None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. + +- Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. + +- Not defined. + +### Best practices + +- It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

None

Member Server Effective Default Settings

None

Client Computer Effective Default Settings

None

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. + +### Countermeasure + +Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**. + +### Potential impact + +Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md new file mode 100644 index 0000000000..8b810e64e2 --- /dev/null +++ b/windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md 
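Review bot: the two Reference sentences "This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL." and "If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected." contradict each other, and the second also contradicts the Possible values entry for Require signature, which says the signing option must be negotiated "unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use". Replace both with one statement consistent with that entry: when Require signature is set, simple binds over an unprotected connection are rejected, while simple binds protected by TLS/SSL are still accepted. Minor: "Client device that do not support LDAP signing" in Potential impact should read "Client devices".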
@@ -0,0 +1,130 @@ +--- +title: Domain controller Refuse machine account password changes (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. +ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain controller: Refuse machine account password changes + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting. + +## Reference + + +This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests. + +### Possible values + +- Enabled + + When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. + +- Disabled + + When disabled, this setting allows a domain controller to accept any changes to a machine account's password. + +- Not defined + + Same as Disabled. + +### Best practices + +- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Not applicable

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. + +### Countermeasure + +Disable the **Domain controller: Refuse machine account password changes** setting. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md new file mode 100644 index 0000000000..951b940928 --- /dev/null +++ b/windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md 
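Review bot: the Best practices bullet explains what happens if the setting is enabled but never states the recommended value, while the Countermeasure says to disable it and Potential impact says Disabled is the default. Make the bullet say "Leave this setting Disabled (the default)" and keep the warning that enabling it leaves machine account passwords susceptible to attack as the reason, so Best practices and Security considerations agree.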
@@ -0,0 +1,169 @@ +--- +title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. +ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain member: Digitally encrypt or sign secure channel data (always) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. + +## Reference + + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + +- Domain member: Digitally encrypt or sign secure channel data (always) + +- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) + +- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + +Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. 
+ +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains. + +To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. + +Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. + +When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. 
If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +### Possible values + +- Enabled + + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. + +- Disabled + + The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: + + 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) + + 2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + +- Not defined + +### Best practices + +- Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. + +- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. + +- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. + +**Note**   +You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. 
+ +  + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Distribution of this policy through Group Policy overrides the Local Security Policy setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +### Countermeasure + +Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data. 
+ +- **Domain member: Digitally encrypt or sign secure channel data (always)** + +- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) + +- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + +### Potential impact + +Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md new file mode 100644 index 0000000000..d27e70e4a0 --- /dev/null +++ b/windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
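Review bot: the Potential impact section ("Digital encryption and signing of the secure channel is a good idea because...") states a benefit rather than an impact; the impact is already given in the Reference section: a domain member with this setting Enabled cannot establish a secure channel with any domain controller that cannot sign or encrypt all secure channel data, so Potential impact should say that, and that every domain controller in the member's domain must support it before the setting is enabled. Also fix the typo "a device running Windows othat has joined a domain" in the pass-through authentication paragraph, and the Vulnerability section repeats the Reference paragraph on machine accounts and secure channels almost word for word; a shorter cross-reference would do.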
@@ -0,0 +1,161 @@ +--- +title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. +ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain member: Digitally encrypt secure channel data (when possible) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. + +## Reference + + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + +- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) + +- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + +Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. 
+ +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + +Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. + +When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +### Possible values + +- Enabled + + The domain member will request encryption of all secure channel traffic. 
If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. + +- Disabled + + The domain member will not attempt to negotiate secure channel encryption. + + **Note**   + If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. + +   + +- Not defined + +### Best practices + +- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. + +- Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**. + +- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Distribution of this policy through Group Policy does not override the Local Security Policy setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. 
+ +### Countermeasure + +Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data: + +- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) + +- **Domain member: Digitally encrypt secure channel data (when possible)** + +- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + +### Potential impact + +Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md new file mode 100644 index 0000000000..d3e4df1b1f --- /dev/null +++ b/windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md 
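Review bot: the Group Policy subsection says "Distribution of this policy through Group Policy does not override the Local Security Policy setting", which contradicts the same subsection in the sibling page "Domain member: Digitally encrypt or sign secure channel data (always)" in this patch ("overrides the Local Security Policy setting"); a domain GPO takes precedence over local security policy for Security Options, so this page should say "overrides" as well. Also, the Potential impact sentence talks about "Digital signing of the secure channel" on a page whose setting is about encryption; say encryption (or encryption and signing) to match the setting. Minor: "NTLM pass through authentication" should be "pass-through" as elsewhere in the hunk.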
@@ -0,0 +1,163 @@ +--- +title: Domain member Digitally sign secure channel data (when possible) (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. +ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain member: Digitally sign secure channel data (when possible) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. + +## Reference + + +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. + +The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: + +- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) + +- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) + +- Domain member: Digitally sign secure channel data (when possible) + +Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. 
+ +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. + +Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. + +When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +### Possible values + +- Enabled + + The domain member will request signing of all secure channel traffic. 
If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. + +- Disabled + + Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. + +- Not defined + +### Best practices + +- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. + +- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. + +- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. + +**Note**   +You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. + +  + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Distribution of this policy through Group Policy does not override the Local Security Policy setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. + +### Countermeasure + +Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible. 
+ +- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) + +- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) + +- **Domain member: Digitally sign secure channel data (when possible)** + +### Potential impact + +Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-member-disable-machine-account-password-changes.md b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md new file mode 100644 index 0000000000..e25f87d1fa --- /dev/null +++ b/windows/keep-secure/domain-member-disable-machine-account-password-changes.md 
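Review bot: The "Countermeasure" section tells the reader to "select one of the following settings as appropriate", but "Best practices" in the same file says to set all three settings to Enabled, and the "Reference" text says enabling "Domain member: Digitally encrypt or sign secure channel data (always)" automatically enables this one; the countermeasure should instruct the reader to enable these settings rather than choose one. Two smaller points: the note under "Best practices" reads "Domain member: [Domain member: Digitally encrypt secure channel data (when possible)]", duplicating the "Domain member:" prefix before the link, and "NTLM pass through authentication" should be hyphenated as "pass-through" to match the earlier paragraph. The "Not defined" possible value has no description, unlike Enabled and Disabled.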
@@ -0,0 +1,128 @@ +--- +title: Domain member Disable machine account password changes (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. +ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain member: Disable machine account password changes + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. + +## Reference + + +The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default. + +By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account. + +Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**. + +### Possible values + +- Enabled + +- Disabled + +### Best practices + +1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. 
After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. + +2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Disabled

Default Domain Controller Policy

Disabled

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. + +### Countermeasure + +Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-member-maximum-machine-account-password-age.md b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md new file mode 100644 index 0000000000..78a8d9b843 --- /dev/null +++ b/windows/keep-secure/domain-member-maximum-machine-account-password-age.md 
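Review bot: The "Vulnerability" paragraph inverts the setting's meaning: "If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts" contradicts the "Reference" section ("Setting its value to Enabled prevents the domain member from changing the machine account password") and the countermeasure of verifying the setting is Disabled; it should read "If you enable this policy setting". The same paragraph narrows the behaviour to "devices running Windows Server" while the Reference section says "devices that belong to a domain", and "every certain number of days, typically 30" should simply say "every 30 days by default", as the Reference paragraph already does.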
@@ -0,0 +1,126 @@ +--- +title: Domain member Maximum machine account password age (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. +ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain member: Maximum machine account password age + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. + +## Reference + + +The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password. + +In Active Directory–based domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts. + +### Possible values + +- User-defined number of days between 0 and 999 + +- Not defined. + +### Best practices + +1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. + +2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

30 days

DC Effective Default Settings

30 days

Member Server Effective Default Settings

30 days

Client Computer Effective Default Settings

30 days

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +In Active Directory–based domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. + +### Countermeasure + +Configure the **Domain member: Maximum machine account password age** setting to 30 days. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md new file mode 100644 index 0000000000..b230c318e1 --- /dev/null +++ b/windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md 
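Review bot: In "Reference", "setting it to 0 so that the device no longer change their passwords" has a number-agreement error and should read "so that devices no longer change their passwords" (the "Vulnerability" section already has the corrected wording, "so that the computers no longer change their passwords"). "Possible values" lists "0 and 999" days but does not say that 0 turns off the periodic change, which the Reference paragraph implies; state that next to the value. Minor: "Restart requirement" says "computer restart" where the sibling domain-member pages say "device restart".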
@@ -0,0 +1,140 @@ +--- +title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. +ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Domain member: Require strong (Windows 2000 or later) session key + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. + +## Reference + + +The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. + +Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. + +### Possible values + +- Enabled + + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + +- Disabled + + Allows 64-bit session keys to be used. + +- Not defined. 
+ +### Best practices + +- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + +You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. + +Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) + +### Countermeasure + +Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. + +If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. + +### Potential impact + +Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. 
+ +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/edit-an-applocker-policy.md b/windows/keep-secure/edit-an-applocker-policy.md new file mode 100644 index 0000000000..b878d37679 --- /dev/null +++ b/windows/keep-secure/edit-an-applocker-policy.md 
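Review bot: Under "Group Policy", "You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled" is garbled and states the opposite of the "Potential impact" section ("Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled"); it should read "You will not be able to join". The "Best practices" bullet and the "Countermeasure" section repeat the same four sentences about requiring a strong key, negotiated key strength, trusted domains and the disabled default; keep one copy and refer to it from the other. The parenthetical "Eavesdropping is a form of hacking in which network data is read or altered in transit" also appears twice and conflates eavesdropping (reading) with tampering (altering).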
@@ -0,0 +1,136 @@ +--- +title: Edit an AppLocker policy (Windows 10) +description: This topic for IT professionals describes the steps required to modify an AppLocker policy. +ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Edit an AppLocker policy + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps required to modify an AppLocker policy. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). 
+ +There are two methods you can use to edit an AppLocker policy: + +- [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo) + +- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) + +## Editing an AppLocker policy by using Group Policy + + +The steps to edit an AppLocker policy distributed by Group Policy include the following: + +### Step 1: Use Group Policy management software to export the AppLocker policy from the GPO + +AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). + +### Step 2: Import the AppLocker policy into the AppLocker reference PC or the PC you use for policy maintenance + +After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + +**Caution**   +Importing a policy onto another PC will overwrite the existing policy on that PC. + +  + +### Step 3: Use AppLocker to modify and test the rule + +AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. + +- For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). + +- For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). 
+ +- For procedures to create rules, see: + + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) + + - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + + - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) + + - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + +- For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +- For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + +### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO + +For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + +**Caution**   +You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +  + +**Note**   +If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy. + +  + +## Editing an AppLocker policy by using the Local Security Policy snap-in + + +The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks. 
+ +### Step 1: Import the AppLocker policy + +On the PC where you maintain policies, open the AppLocker snap-in from the Local Security Policy snap-in (secpol.msc). If you exported the AppLocker policy from another PC, use AppLocker to import it onto the PC. + +After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + +**Caution**   +Importing a policy onto another PC will overwrite the existing policy on that PC. + +  + +### Step 2: Identify and modify the rule to change, delete, or add + +AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. + +- For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). + +- For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). + +- For procedures to create rules, see: + + - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) + + - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + + - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) + + - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + +### Step 3: Test the effect of the policy + +For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). 
+ +### Step 4: Export the policy to an XML file and propagate it to all targeted computers + +For procedures to export the updated policy from the reference computer to targeted computers, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + +## Additional resources + + +- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). + +  + +  + + + + + diff --git a/windows/keep-secure/edit-applocker-rules.md b/windows/keep-secure/edit-applocker-rules.md new file mode 100644 index 0000000000..e5b8372c9d --- /dev/null +++ b/windows/keep-secure/edit-applocker-rules.md 
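Review bot: The in-page links "#bkmk-editapppolingpo" and "#bkmk-editapplolnotingpo" have no matching anchor anywhere in this file; the target headings are "Editing an AppLocker policy by using Group Policy" and "Editing an AppLocker policy by using the Local Security Policy snap-in", so either add the bookmark anchors or link to the heading ids. In Step 3 of the Group Policy procedure, the last bullet ("For procedures to export the updated policy from the reference computer back into the GPO, see ...") duplicates Step 4 verbatim and should be removed from Step 3. In Step 1 of the Local Security Policy procedure, the second paragraph ("After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC ...") is copied from the Group Policy section and repeats the sentence before it. Typo in the Step 4 caution: "what files are allowed run" should be "allowed to run".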
@@ -0,0 +1,81 @@ +--- +title: Edit AppLocker rules (Windows 10) +description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. +ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Edit AppLocker rules + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. + +For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To edit a publisher rule** + +1. Open the AppLocker console, and then click the appropriate rule collection. + +2. In the **Action** pane, right-click the publisher rule, and then click **Properties**. + +3. Click the appropriate tab to edit the rule properties. + + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply. + + - Click the **Publisher** tab to configure the certificate's common name, the product name, the file name, or file version of the publisher. + + - Click the **Exceptions** tab to create or edit exceptions. + + - When you finish updating the rule, click **OK**. + +**To edit a file hash rule** + +1. Open the AppLocker console, and then click the appropriate rule collection. + +2. Choose the appropriate rule collection. + +3. 
In the **Action** pane, right-click the file hash rule, and then click **Properties**. + +4. Click the appropriate tab to edit the rule properties. + + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. + + - Click the **File Hash** tab to configure the files that should be used to enforce the rule. You can click **Browse Files** to add a specific file or click **Browse Folders** to add all files in a specified folder. To remove hashes individually, click **Remove**. + + - When you finish updating the rule, click **OK**. + +**To edit a path rule** + +1. Open the AppLocker console, and then click the appropriate rule collection. + +2. Choose the appropriate rule collection. + +3. In the **Action** pane, right-click the path rule, and then click **Properties**. + +4. Click the appropriate tab to edit the rule properties. + + - Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. + + - Click the **Path** tab to configure the path on the computer in which the rule should be enforced. + + - Click the **Exceptions** tab to create exceptions for specific files in a folder. + + - When you finish updating the rule, click **OK**. + +  + +  + + + + + diff --git a/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md new file mode 100644 index 0000000000..34680d437c --- /dev/null +++ b/windows/keep-secure/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md 
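Review bot: in both the "To edit a file hash rule" and "To edit a path rule" procedures, step 1 ("Open the AppLocker console, and then click the appropriate rule collection") and step 2 ("Choose the appropriate rule collection") are the same action, so the reader selects the collection twice; drop step 2 and renumber so all three procedures have the same shape as the publisher-rule procedure. In all three procedures "When you finish updating the rule, click **OK**" is nested as a bullet under "Click the appropriate tab", although it is a separate step; make it its own numbered step. Minor wording: "For info how to use these MMC snap-ins" should read "For info about how to use", and the General tab bullets alternate between "the security group for which this rule should apply" and "in which this rule should apply"; pick one phrasing ("to which this rule applies") for all three.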
@@ -0,0 +1,153 @@ +--- +title: Enable computer and user accounts to be trusted for delegation (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Enable computer and user accounts to be trusted for delegation security policy setting. +ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Enable computer and user accounts to be trusted for delegation + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Enable computer and user accounts to be trusted for delegation** security policy setting. + +## Reference + + +This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object. + +Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. + +Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain. + +The user or machine object that is granted this right must have write access to the account control flags. 
A server process running on a device (or under a user context) that is trusted for delegation can access resources on another computer by using the delegated credentials of a client. However, the client account must have Write access to the account control flags on the object. + +Constant: SeEnableDelegationPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools and guidance to help you manage this policy. + +Modifying this setting might affect compatibility with clients, services, and applications. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident. + +### Countermeasure + +The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. 
+ +**Note**   +There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. + +  + +### Potential impact + +None. Not defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/enable-the-dll-rule-collection.md b/windows/keep-secure/enable-the-dll-rule-collection.md new file mode 100644 index 0000000000..903c1b67bf --- /dev/null +++ b/windows/keep-secure/enable-the-dll-rule-collection.md 
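Review bot: the Reference section is inconsistent about which principal needs write access to the account control flags. One sentence says "The user or machine object that is granted this right must have write access to the account control flags," and the next says "the client account must have Write access to the account control flags on the object"; those name different accounts. Restate it once: the holder of this user right sets the Trusted for Delegation flag on a user or computer object and needs write access to that object's account control flags, then drop or explain the "client account" sentence. Also "administrators who have the ... credential" should say "user right" (the topic itself lists the constant SeEnableDelegationPrivilege). "Potential impact: None. Not defined is the default configuration" reads oddly next to the default-values table, which gives Administrators as the effective default on domain controllers, member servers and client computers; say that the GPO default is Not defined while the effective local default is Administrators. Finally, the Best practices bullet is repeated verbatim as the Note under Countermeasure; keep one.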
@@ -0,0 +1,44 @@ +--- +title: Enable the DLL rule collection (Windows 10) +description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. +ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Enable the DLL rule collection + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. + +The DLL rule collection includes the .dll and .ocx file formats. + +For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md). + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To enable the DLL rule collection** + +1. From the AppLocker console, right-click **AppLocker**, and then click **Properties.** + +2. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. + + **Important**   + Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. + +   + +  + +  + + + + + diff --git a/windows/keep-secure/encrypted-hard-drive.md b/windows/keep-secure/encrypted-hard-drive.md new file mode 100644 index 0000000000..b283dc1b4c --- /dev/null +++ b/windows/keep-secure/encrypted-hard-drive.md 
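Review bot: the Important box under step 2 tells the reader to have allow rules for every DLL before enforcing, but not why this collection needs extra care. enforce-applocker-rules.md in this same change states "There is no audit mode for the DLL rule collection," so there is no audit-only pass to reveal missing allow rules before DLL loads are blocked; add that sentence here with a link to that topic. Minor: "click **Properties.**" places the period inside the bold, and "For info how to use these MMC snap-ins" should be "For info about how to use".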
@@ -0,0 +1,131 @@ +--- +title: Encrypted Hard Drive (Windows 10) +description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Encrypted Hard Drive + + +**Applies to** + +- Windows 10 + +Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. + +By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + +Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. In Windows 8, Windows Server 2012, and later you can install to these devices without additional modification. + +Some of the benefits of Encrypted Hard Drives include: + +- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. + +- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system + +- **Ease of use**: Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. 
+ +- **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + +Encrypted Hard Drives are supported natively in the operating system through the following mechanisms: + +- **Identification**: The operating system can identify that the drive is an Encrypted Hard Drive device type + +- **Activation**: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate + +- **Configuration**: The operating system can create and map volumes to ranges/bands as appropriate + +- **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE) + +- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience. + +**Warning**   +Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment. + +  + +If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](http://msdn.microsoft.com/library/windows/hardware/dn653989.aspx). + +## System Requirements + + +To use Encrypted Hard Drive, the following system requirements apply: + +For Encrypted Hard Drives used as **data drives**: + +- The drive must be in an uninitialized state. + +- The drive must be in a security inactive state. 
+ +For Encrypted Hard Drives used as **startup drives**: + +- The drive must be in an uninitialized state. + +- The drive must be in a security inactive state. + +- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). + +- The computer must have the Compatibility Support Module (CSM) disabled in UEFI. + +- The computer must always boot natively from UEFI. + +**Warning**   +All Encrypted Hard Drives must be attached to non-RAID controllers to function properly. + +  + +## Technical overview + + +Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. + +## Configuring Encrypted Hard Drives as Startup drives + + +Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include: + +- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. + +- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. 
Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work. + +- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](http://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. + +- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work. + +### Encrypted Hard Drive Architecture + +Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK). + +The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It is stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable. + +The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK. + +When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. 
As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data Encryption Key, read-write operations can take place on the device. + +When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive does not need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. + +## Re-configuring Encrypted Hard Drives + + +Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: + +1. Open Disk Management (diskmgmt.msc) + +2. Initialize the disk and select the appropriate partition style (MBR or GPT) + +3. Create one or more volumes on the disk. + +4. Use the BitLocker setup wizard to enable BitLocker on the volume. + +  + +  + + + + + diff --git a/windows/keep-secure/enforce-applocker-rules.md b/windows/keep-secure/enforce-applocker-rules.md new file mode 100644 index 0000000000..0e2fcdd077 --- /dev/null +++ b/windows/keep-secure/enforce-applocker-rules.md 
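Review bot: in the Technical overview, "When the operating system an Encrypted Hard Drive, it activates the security mode" is missing its verb (presumably "identifies" or "detects"). In the list of support mechanisms, the **Activation** and **Configuration** bullets both say the operating system can "create and map volumes to ranges/bands as appropriate," so one is a copy-paste; Activation should describe activating the drive's security mode, as the Technical overview later does. The **Disk Duplication** bullet describes applying a Windows image with "disk duplication tools" and then ends with "Images made using disk duplicators will not work," which contradicts itself; state which tools or image types are supported and which are not. Smaller points: "easily erased using on-board encryption key" needs "the", the **Strong security based in hardware** bullet has no closing period, and "A hash of the key is stored on drive" should be "on the drive".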
@@ -0,0 +1,40 @@ +--- +title: Enforce AppLocker rules (Windows 10) +description: This topic for IT professionals describes how to enforce application control rules by using AppLocker. +ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Enforce AppLocker rules + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to enforce application control rules by using AppLocker. + +After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only** on the rule collection. + +When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + +There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. + +To enforce AppLocker rules by configuring an AppLocker policy to **Enforce rules**, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + +**Caution**   +AppLocker rules will be enforced immediately on the local device or when the Group Policy object (GPO) is updated by performing this procedure. If you want to see the effect of applying an AppLocker policy before setting the enforcement setting to **Enforce rules**, configure the policy to **Audit only**. For info about how to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)or [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + +  + +  + +  + + + + + 
diff --git a/windows/keep-secure/enforce-password-history.md b/windows/keep-secure/enforce-password-history.md new file mode 100644 index 0000000000..8a06a8f98b --- /dev/null +++ b/windows/keep-secure/enforce-password-history.md 
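Review bot: the second paragraph's description of the two enforcement modes is confusing: "rules are only evaluated but all events generated from that evaluation are written to the AppLocker log" reads as a contradiction, and the Enforce rules sentence says "all events are audited" without saying where. Suggest: under Enforce rules, the rules are enforced and every evaluation is written to the AppLocker log; under Audit only, the rules are evaluated and logged but not enforced. Also "(configure-an-applocker-policy-for-audit-only.md)or [Test" is missing a space before "or", and "by Using" in the second link's text is capitalized mid-sentence.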
@@ -0,0 +1,139 @@ +--- +title: Enforce password history (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. +ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Enforce password history + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting. + +## Reference + + +The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. + +Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced. + +Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you do not also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. + +### Possible values + +- User-specified number from 0 through 24 + +- Not defined + +### Best practices + +- Set **Enforce password history** to 24. This will help mitigate vulnerabilities that are caused by password reuse. + +- Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss. 
+ +- Configure [Minimum password age](minimum-password-age.md) so that you do not allow passwords to be changed immediately. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

24 passwords remembered

Default domain controller policy

Not defined

Stand-alone server default settings

0 passwords remembered

Domain controller effective default settings

24 passwords remembered

Member server effective default settings

24 passwords remembered

Effective GPO default settings on client computers

24 passwords remembered

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. + +If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. + +**Note**   +After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. + +  + +### Countermeasure + +Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse. 
+ +For this policy setting to be effective, you should also configure effective values for the [Minimum password age](minimum-password-age.md) and [Maximum password age](maximum-password-age.md) policy settings. + +### Potential impact + +The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but this makes them easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. + +## Related topics + + +[Password Policy](password-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/enforce-user-logon-restrictions.md b/windows/keep-secure/enforce-user-logon-restrictions.md new file mode 100644 index 0000000000..18dd084c4c --- /dev/null +++ b/windows/keep-secure/enforce-user-logon-restrictions.md 
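Review bot: the Vulnerability section repeats the Reference section almost word for word (the brute-force sentence and the "Specifying a low number ..." / "If you specify a low number ..." paragraphs both appear twice); keep the Reference section to what the setting does and leave the attack reasoning under Security considerations. The table's last row label, "Effective GPO default settings on client computers," follows a different pattern from the sibling topics in this change ("Client Computer Effective Default Settings"); align it. The Countermeasure says to set the value to 24 "to help minimize the number of vulnerabilities that are caused by password reuse"; it is the risk of reuse that is reduced, not a number of vulnerabilities, so reword.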
@@ -0,0 +1,140 @@ +--- +title: Enforce user logon restrictions (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. +ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Enforce user logon restrictions + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting. + +## Reference + + +The **Enforce user logon restrictions** policy setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validating each request for a session ticket is optional because the extra step takes time, and that can slow network access to services. + +The possible values for this Group Policy setting are: + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use. + + It is advisable to set **Enforce user logon restrictions** to Enabled. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy** + +### Default Values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server Type or GPODefault Value

Default Domain Policy

Enabled

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +### Group Policy + +Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If you disable this policy setting, users could receive session tickets for services that they no longer have the right to use because the right was removed after they logged on. + +### Countermeasure + +Enable the **Enforce user logon restrictions** setting. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Kerberos Policy](kerberos-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md new file mode 100644 index 0000000000..9f6d2e6ed6 --- /dev/null +++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md 
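Review bot: under Best practices, the bullet "If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use" is a vulnerability statement, not a practice, and the actual recommendation ("It is advisable to set **Enforce user logon restrictions** to Enabled") is indented beneath it as a continuation; make the recommendation the bullet and leave the consequence to the Vulnerability section, which already states it. The heading "Default Values" and the table header "Server Type or GPO" / "Default Value" use title case where the other new topics in this change use sentence case ("Default values", "Server type or GPO"). In the Group Policy paragraph, "a gpupdate.exe /force is required" should present the command in code formatting (`gpupdate /force`) rather than inline prose.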
@@ -0,0 +1,88 @@ +--- +title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) +description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. +ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f +keywords: ["EDP", "Enterprise Data Protection"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# List of enlightened Microsoft apps for use with enterprise data protection (EDP) + +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. + +## Enlightened versus unenlightened apps +Apps can be enlightened (policy-aware) or unenlightened (policy unaware). + +- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies. + +- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because: + + - Windows Desktop shows it as always running in enterprise mode. + + - Windows **Save As** experiences only allow you to save your files as enterprise. 
+ +## List of enlightened Microsoft apps +Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: + +- Microsoft Edge + +- Internet Explorer 11 + +- Microsoft People + +- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar + +- Microsoft Photos + +- Microsoft OneDrive + +- Groove Music + +- Notepad + +- Microsoft Paint + +- Microsoft Movies & TV + +- Microsoft Messaging + +## Adding enlightened Microsoft apps to the Protected Apps list +You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. + +|Product name |App info | +|-------------|---------| +|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app | +|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app | +|Microsoft People |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app | +|Word Mobile |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app | +|Excel Mobile |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app | +|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app | +|OneNote |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app | +|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app | +|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app | +|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app | +|Groove Music |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app | +|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app | +|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app | +|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app | +|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app | + + +  + +  + + + + + diff --git a/windows/keep-secure/executable-rules-in-applocker.md b/windows/keep-secure/executable-rules-in-applocker.md new file mode 100644 index 0000000000..9bc04a00e9 --- /dev/null +++ b/windows/keep-secure/executable-rules-in-applocker.md @@ -0,0 +1,73 @@ +--- +title: Executable rules in AppLocker (Windows 10) +description: This topic describes the file formats and available default rules for the executable rule collection. +ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Executable rules in AppLocker + + +**Applies to** + +- Windows 10 + +This topic describes the file formats and available default rules for the executable rule collection. + +AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PurposeNameUserRule condition type

Allow members of the local Administrators group access to run all executable files

(Default Rule) All files

BUILTIN\Administrators

Path: *

Allow all users to run executable files in the Windows folder

(Default Rule) All files located in the Windows folder

Everyone

Path: %windir%\*

Allow all users to run executable files in the Program Files folder

(Default Rule) All files located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +  + +## Related topics + + +[Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) + +  + +  + + + + + diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md new file mode 100644 index 0000000000..4d3bebaea0 --- /dev/null +++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md 
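Review bot: the Publisher value for every universal-app row in the Protected Apps table of enlightened-microsoft-apps-and-edp.md is missing the comma between the CN and O fields: `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US` should read `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`, matching the comma-separated form the string uses for its remaining fields and the desktop-app rows use throughout. The topic tells admins this is "the text you will need to use" when adding apps to the list, so an inexact publisher string risks the entry not matching the signed package; correct it in all eleven universal-app rows and add one sentence above the table saying the Publisher value must be copied exactly as shown.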
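Review bot: the sentence "Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed" in executable-rules-in-applocker.md states the consequence without flagging the risk: the `Everyone` rules for `%windir%\*` and `%programfiles%\*` are Path conditions, so they trust location rather than a file's publisher or hash, and anything written beneath those trees (including into a subfolder a standard user can write to) is allowed to run. Suggest adding a sentence that the default rules are a starting point, that writable subfolders under those paths should be reviewed, and that publisher or hash conditions are preferred where a path cannot be locked down, with a link to the corresponding guidance alongside "Understanding AppLocker Default Rules".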
@@ -0,0 +1,43 @@ +--- +title: Export an AppLocker policy from a GPO (Windows 10) +description: This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. +ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Export an AppLocker policy from a GPO + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. + +Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device + +To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + +**Export the policy from the GPO** + +1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. + +2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. + +3. Right-click **AppLocker**, and then click **Export Policy**. + +4. In the **Export Policy** dialog box, type a name for the exported policy (for example, the name of the GPO), select a location to save the policy, and then click **Save**. + +5. The **AppLocker** dialog box will notify you of how many rules were exported. Click **OK**. + +  + +  + + + + + diff --git a/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md new file mode 100644 index 0000000000..db8273ad60 --- /dev/null 
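Review bot: the second paragraph of export-an-applocker-policy-from-a-gpo.md ends without a period ("...by using AppLocker on your AppLocker reference device") and, more importantly, the topic stops at exporting: it tells the reader to update the rules on a reference device but never says how the edited policy gets back into the GPO, so the export, edit and redeploy workflow the intro describes is left incomplete. Suggest closing the sentence and adding a Related topics section that links the import or merge procedure. The procedure heading "Export the policy from the GPO" also differs in style from "To export an AppLocker policy to an XML file" in the sibling topic added in this same change; use one form.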
+++ b/windows/keep-secure/export-an-applocker-policy-to-an-xml-file.md @@ -0,0 +1,37 @@ +--- +title: Export an AppLocker policy to an XML file (Windows 10) +description: This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. +ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Export an AppLocker policy to an XML file + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To export an AppLocker policy to an XML file** + +1. From the AppLocker console, right-click **AppLocker**, and then click **Export Policy**. + +2. Browse to the location where you want to save the XML file. + +3. In the **File name** box, type a file name for the XML file, and then click **Save**. + +  + +  + + + + + diff --git a/windows/keep-secure/file-system-global-object-access-auditing.md b/windows/keep-secure/file-system-global-object-access-auditing.md new file mode 100644 index 0000000000..b9eaa059fb --- /dev/null +++ b/windows/keep-secure/file-system-global-object-access-auditing.md 
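Review bot: step 1 of export-an-applocker-policy-to-an-xml-file.md ("From the AppLocker console, right-click **AppLocker**") does not say which console is meant, while the companion GPO topic names the GPMC and gives the full node path in its step 2. Suggest naming the console (for a local policy, the Local Security Policy snap-in, secpol.msc; for a GPO, the GPMC) and the node path, and stating whether the exported file is the local policy or the GPO's policy, so a reader reviewing or testing the XML knows which policy they are looking at.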
@@ -0,0 +1,38 @@ +--- +title: File System (Global Object Access Auditing) (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer. +ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# File System (Global Object Access Auditing) + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. + +If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type. + +If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL. + +This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md). + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/force-shutdown-from-a-remote-system.md b/windows/keep-secure/force-shutdown-from-a-remote-system.md new file mode 100644 index 0000000000..28d7bc97d6 --- /dev/null 
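Review bot: file-system-global-object-access-auditing.md has no Location section, unlike the other policy-setting topics in this change (force-shutdown-from-a-remote-system.md and generate-security-audits.md both give "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"), so the reader is told about "the **Configure security** check box on the policy's property page" without being told where that page lives. Suggest adding a Location section with the path under Advanced Audit Policy Configuration\Global Object Access Auditing. The closing sentence "This policy setting must be used in combination with the **File System** security policy setting under Object Access" should also say plainly what happens otherwise: with the Audit File System subcategory off, the global SACL generates no events, which is the point a reader configuring detection needs.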
+++ b/windows/keep-secure/force-shutdown-from-a-remote-system.md @@ -0,0 +1,146 @@ +--- +title: Force shutdown from a remote system (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. +ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Force shutdown from a remote system + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Force shutdown from a remote system** security policy setting. + +## Reference + + +This security setting determines which users are allowed to shut down a device from a remote location on the network. This allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. + +Constant: SeRemoteShutdownPrivilege + +### Possible values + +- User-defined list of accounts + +- Administrators + +### Best practices + +- Explicitly restrict this user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators and Server Operators on domain controllers and Administrators on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

+

Server Operators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

+

Server Operators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +This policy setting must be applied on the computer that is being accessed remotely. + +### Group Policy + +This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Any user who can shut down a device could cause a denial-of-service condition to occur. Therefore, this user right should be tightly restricted. + +### Countermeasure + +Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. + +### Potential impact + +On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. 
+ +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/generate-security-audits.md b/windows/keep-secure/generate-security-audits.md new file mode 100644 index 0000000000..db7aaf05aa --- /dev/null +++ b/windows/keep-secure/generate-security-audits.md 
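Review bot: the Potential impact paragraph of force-shutdown-from-a-remote-system.md refers to the "Server Operator group" while the Default values sentence and the table say "Server Operators"; use the group name consistently. The Group Policy subsection also says the right "is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers", while the table lists Default Domain Policy as "Not defined" and Default Domain Controller Policy as Administrators plus Server Operators; since the topic states the setting "must be applied on the computer that is being accessed remotely", one sentence saying that the domain-controller default is changed in the Default Domain Controller Policy (or a GPO that overrides it) rather than locally would make that guidance actionable.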
@@ -0,0 +1,149 @@ +--- +title: Generate security audits (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. +ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Generate security audits + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Generate security audits** security policy setting. + +## Reference + + +This policy setting determines which accounts can be used by a process to generate audit records in the security event log. The Local Security Authority Subsystem Service (LSASS) writes events to the log. You can use the information in the security event log to trace unauthorized device access. + +Constant: SeAuditPrivilege + +### Possible values + +- User-defined list of accounts + +- Local Service + +- Network Service + +### Best practices + +- Because the audit log can potentially be an attack vector if an account is compromised, ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Local Service

+

Network Service

Stand-Alone Server Default Settings

Local Service

+

Network Service

Domain Controller Effective Default Settings

Local Service

+

Network Service

Member Server Effective Default Settings

Local Service

+

Network Service

Client Computer Effective Default Settings

Local Service

+

Network Service

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial-of-service (DoS) if the [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) security policy setting is enabled. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A malicious user could use accounts that can write to the Security log to fill that log with meaningless events. If the computer is configured to overwrite events as needed, malicious users could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log, and it is not configured to automatically back up the log files, this method could be used to create a DoS condition. + +### Countermeasure + +Ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them. + +### Potential impact + +None. 
Restricting the **Generate security audits** user right to the Local Service and Network Service accounts is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md new file mode 100644 index 0000000000..93cfb12e01 --- /dev/null +++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md 
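Review bot: the Countermeasure in generate-security-audits.md ("Ensure that only the Local Service and Network Service accounts have the **Generate security audits** user right assigned to them") gives no way to check it, and the Vulnerability section describes two failure modes (overwrite-as-needed hides evidence; shut-down-on-failure becomes a DoS) without pointing at the mitigations the topic itself mentions. Suggest adding a sentence on verification, for example reviewing the User Rights Assignment node or an exported security template for holders of SeAuditPrivilege other than the two service accounts, since other accounts can be granted the right; linking the "Audit: Shut down system immediately if unable to log security audits" setting from the Vulnerability section as well as from Policy management; and noting that sizing the Security log and forwarding events off the host reduce both the overwrite and the DoS outcome.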
@@ -0,0 +1,232 @@ +--- +title: Update and manage Windows Defender in Windows 10 (Windows 10) +description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell. +ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Update and manage Windows Defender in Windows 10 + + +**Applies to** + +- Windows 10 + +IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using: + +- Group Policy Settings +- Windows Management Instrumentation (WMI) +- PowerShell + +## Manage Windows Defender endpoints through Active Directory and WSUS + + +All Windows 10 endpoints are installed with Windows Defender and include support for management through: + +- Active Directory +- WSUS + +You can use the Active Directory to configure the settings; Group policies can be used for centralized configuration and enforcement of many Windows Defender settings including client user interface, scan settings, and exclusions. + +WSUS can be used to view basic update compliance and deploy updates manually or through automatic rules. + +Note that System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including: + +- Settings management +- Definition update management +- Alerts and alert management +- Reports and reporting + +When you enable *Endpoint Protection* on your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. 
While the client user interface will still appear as Windows Defender, the management layer for System Center Endpoint Protection or Intune will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. Learn more about managing *Endpoint Protection*: +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://technet.microsoft.com/library/dn646970.aspx) +- [Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508760.aspx) + +Read more about System Center Configuration Manager in [Introduction to Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508781.aspx). + +**Important**  You must be licensed to use *Endpoint Protection* to manage clients in your Configuration Manager hierarchy. + +  + +## Apply updates to Windows Defender endpoints + + +It is important to keep Windows Defender endpoints updated to ensure they are protected. All Windows Defender updates, including General Distribution Release (GDR) updates, are now applied as operating system updates. + +You can manage the distribution of updates through the [Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157). + +## Manage email scans in Windows Defender + + +You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender. + +**Important**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans. + +  + +Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension. + +**Note**  Scanning email files might increase the time required to complete a scan. 
+ +  + +Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally. + +**Note**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example: +- DBX +- MBX +- MIME + +  + +You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware. + +If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: + +- Email subject +- Attachment name + +Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender: + +- *Group Policy* settings +- WMI +- PowerShell + +**Important**  There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: +- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) +- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) + +  + +## Use *Group Policy* settings to enable email scans + + +This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments. + +Turn on email scanning with the following *Group Policy* settings: + +1. Open the **Group Policy Editor**. +2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. +3. Click **Scan**. +4. 
Double-click **Turn on e-mail scanning**. + + This will open the **Turn on e-mail scanning** window: ![turn on e-mail scanning window](images/defender-scanemailfiles.png) + +5. Select **Enabled**. +6. Click **OK** to apply changes. + +## Use WMI to disable email scans + + +You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx). + +Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting: + +**DisableEmailScanning** +Data type: **boolean** +Access type: Read-only +Disable email scanning. +## Use PowerShell to enable email scans + + +You can also enable email scanning using the following PowerShell parameter: + +1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE). +2. Type **Set-MpPreference -DisableEmailScanning $false**. + +Read more about this in: + +- • [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) +- • [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) + +## Manage archive scans in Windows Defender + + +You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender. + +**Important**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans. + +  + +Archive scanning in Windows Defender is turned on by default. 
There are four ways you can manage scans through Windows Defender: + +- *Group Policy* settings +- WMI +- PowerShell +- Endpoint Protection + +**Note**  Scanning archive files might increase the time required to complete a scan. + +  + +If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there’s a .r00 file that’s actually .rar content, it will still be scanned if archive scanning is enabled. + +## Use *Group Policy* settings to enable archive scans + + +This policy setting allows you to turn on archive scanning. + +Turn on email scanning with the following *Group Policy* settings: + +1. Open the **Group Policy Editor**. +2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. +3. Click **Scan**. +4. Double-click **Scan archive files**. + + This will open the **Scan archive files** window: ![scan archive files window](images/defender-scanarchivefiles.png) + +5. Select **Enabled**. +6. Click **OK** to apply changes. 
+ +There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example: + +- Maximum directory depth level into which archive files are unpacked during scanning ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png) +- Maximum size of archive files that will be scanned ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png) +- Maximum percentage CPU utilization permitted during a scan ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png) + +## Use WMI to disable archive scans + + +You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx). + +Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting: + +**DisableArchiveScanning** +Data type: **boolean** +Access type: Read-only +Disable archive scanning. +## Use PowerShell to enable archive scans + + +You can also enable archive scanning using the following PowerShell parameter: + +1. Open PowerShell or PowerShellISE. +2. Type **Set-MpPreference -DisableArchiveScanning $false**. + +Read more about this in: + +- • [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) +- • [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) + +## Use Endpoint Protection to configure archive scans + + +In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. 
For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx) + +## Related topics + + +[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) + +[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md new file mode 100644 index 0000000000..2780dd8b05 --- /dev/null +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md 
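Review bot: the WMI property descriptions in get-started-with-windows-defender-for-windows-10.md contradict their own headings: both "Use WMI to disable email scans" and "Use WMI to disable archive scans" tell the reader to use `DisableEmailScanning` / `DisableArchiveScanning` of `MSFT_MpPreference` "to enable or disable this setting" and then list "Access type: Read-only". A read-only property cannot be used to change the setting, so either the access type is wrong or the sections need to state how the value is actually set. Further fixes in the same file: under "Use *Group Policy* settings to enable archive scans" the lead-in reads "Turn on email scanning with the following *Group Policy* settings:" (carried over from the email section; should be archive scanning); the two "Read more about this in" lists carry a doubled bullet marker ("- • [Scripting with Windows PowerShell]"); "Windows DefenderWMI provider", "PowerShellIntegrated Scripting Environment" and "PowerShellISE" are missing spaces, as is the description's "Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell"; and "non-uni-code" should be "non-Unicode". The email section's WMI heading says "disable" while its PowerShell heading says "enable"; align them.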
@@ -0,0 +1,323 @@ +--- +title: Get apps to run on Device Guard-protected devices (Windows 10) +description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. +ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E +keywords: ["Package Inspector", "packageinspector.exe", "sign catalog file"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Get apps to run on Device Guard-protected devices + + +**Applies to** + +- Windows 10 + +Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. Device Guard can help to protect your enterprise devices against the accidental running of malicious apps by requiring all of your apps to be signed by a trusted entity. + +To use Device Guard in an enterprise, you must be able to get your existing line-of-business and Independent Software Vendor (ISV)-developed apps to run on a protected device. Unfortunately, many line-of-business apps aren't signed, and in many cases, aren't even being actively developed. Similarly, you may have unsigned software from an ISV that you want to run, or you want to run certain applications from an ISV while not trusting all applications from that ISV. As part of the Device Guard features, Windows 10 includes a new tool called Package Inspector. Package Inspector scans your unsigned apps, and creates catalog files of the installed and running binaries, which can then be signed by the Sign Tool Windows SDK utility and distributed using Group Policy so that your apps will run on Device Guard-protected devices. + +## What you need to run your apps on Device-Guard protected devices + + +Before you can get your apps to run on Device Guard-protected devices, you must have: + +- A device running Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016 Technical Preview. 
+ +- Determined which unsigned apps you need to include in your catalog file. + +- Created a code integrity policy for use by Device Guard. + +- A [code signing certificate](http://go.microsoft.com/fwlink/p/?LinkId=619282), created using an internal public key infrastructure (PKI). + +- [SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283). A command-line tool that digitally signs files, verifies signatures in files, or time stamps files. The tool is installed in the \\Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path. + +## Create a catalog file for unsigned apps + + +You must run Package Inspector on a device that's running a temporary Code Integrity Policy in audit mode, created explicitly for this purpose. Audit mode lets this policy catch any binaries missed by the inspection tool, but because it's audit mode, allows everything to continue running. + +**Important**  This temporary policy, shouldn't be used for normal business purposes. + +  + +**To create a catalog file for an existing app** + +1. Start PowerShell as an administrator, and create your temporary policy file by typing: + + ``` syntax + mkdir temp + New-CIPolicy -l FileName -f .\tempdeny.xml -s .\temp -u + ConvertFrom-CIPolicy .\tempdeny.xml .\tempdeny.bin + cp .\tempdeny.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b + ``` + +2. Restart your device. + +3. Start PowerShell as an administrator, and start scanning your file system by typing: + + ``` syntax + PackageInspector.exe start c: + ``` + + Where: + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription

start <drive_letter>:

Specifies to start a scan. For example, starting to scan the C: drive.

-path

File path to the package being inspected.

+ +   + +4. Copy the app installation media to your C:\\ drive, and then install and run the program. + + Copying the media to your local drive helps to make sure that the installer and its related files are included in your catalog file. If you miss the install files, your Code Integrity Policy might trust the app to run, but not to install. After you've installed the app, you should check for updates. If updates happen while the app is open, you should close and restart the app to make sure everything is caught during the inspection process. + + **Note**   + Because the Package Inspector creates a log entry in the catalog for every binary laid down on the file system, we recommend that you don't run any other installations or updates during the scanning process. + +   + +5. **Optional:** If you want to create a multi-app catalog (many apps included in a single catalog file), you can continue to run Steps 2-3 for each additional app. After you've added all of the apps you want to add, you can continue to Step 5. + + **Note**  To streamline your process, we suggest: + - **Actively supported and updated apps.** Create a single catalog file for each app. + + - **Legacy apps, non-active or not updated.** Create a single catalog file for all of your legacy apps. + +   + +6. Stop the scanning process and create the .\\InspectedPackage.cat and InspectedPackage.cdf files for your single app in your specified location, by typing: + + ``` syntax + PackageInspector.exe stop c: + ``` + +You can also use the `scan` command in place of using both `start` and `stop` if you want to create a catalog of files that are already present on your hard drive. The `scan` command recursively scans a specified directory and includes all signable files in the catalog. You can scan a specified directory by typing: + +``` syntax +PackageInspector.exe scan c:\ +``` + +The following table shows the available options for both the `scan` and `stop` commands. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription

stop <drive_letter>:

Specifies that a scan of the specified location is complete, creating either a catalog or a definition file. For example, C:

scan <path to scan>

Specifies a directory path to scan. This command recursively scans a specified directory and includes all signable files in the catalog.

-out

Specifies what type of info should be created by the tool. You can use either CAT for a catalog file, CDF for a catalog definition file or list for a delimited list of files.

-listpath

Specifies the location where the installer will output the list of files for -out list.

-cdfPath <file_name>

Specifies where the tool should put the created .cdf file. If you use this option, you must also specify the file name.

+

We recommend that you use the full path to the file. However, relative paths are supported.

-resdir

This option isn't currently supported.

-name

This option isn't currently supported.

-ph [true|false]

Specifies whether to include page hashes in the catalog. You can use either True to add the hashes or False to not add the hashes.

-en

Specifies the catalog's encoding type. By default, it's PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x00010001.

-ca1

Specifies the CATATTR1 in the catalog and catalog definition files.

-ca2

Specifies the CATATTR2 in the catalog and catalog definition files.

+ +  + +You can add additional parameters to your catalog beyond what's listed here. For more info, see the [MakeCat](http://go.microsoft.com/fwlink/p/?LinkId=618024) topic. + +## Sign your catalog file using Sign Tool + + +You can sign your catalog file using Sign Tool, located in the Windows 7 or later Windows Software Development Kit (SDK) or by using the Device Guard signing portal. For details on using the Device Guard signing portal, see [Device Guard signing](http://go.microsoft.com/fwlink/p/?LinkID=698760). + +This process shows how to use a password-protected Personal Information Exchange (.pfx) file to sign the catalog file. + +**Important**  To use this tool, you must have an internal certificate authority code signing certificate, or a code signing certificate issued by an external third-party certificate authority. + +  + +**To use Sign Tool** + +1. Check that your code signing certificates have been imported into your certificate store or that they're on the file system. + +2. Open SignTool.exe and sign the catalog file, based on where your certificate is stored. + + If you are using the PFX from a file system location: + + ``` syntax + signtool sign /f <\\SignCertLocation> /p <\\password> /fd sha256 /v + ``` + + If you have imported the certificate into your cert store: + + ``` syntax + signtool sign /n <\\CertSubjectName> /fd sha256 /v + ``` + + Where: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription

signtool

Specifies the full path location to SignTool.exe.

sign

Digitally signs files. For a list of the options supported by the sign command, see the [SignTool options](http://go.microsoft.com/fwlink/p/?LinkId=619283).

/n SubjectName

Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.

/f SignCertFileLocation

Specifies the signing certificate in a file.

+

If the file is in .pfx format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the .csp and private key container name.

/p Password

Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)

/fd Algorithm

Specifies the file digest algorithm to use for creating file signatures. The default is SHA2.

/v

Displays verbose output regardless of whether the command runs successfully or fails, and displays warning messages.

+ +   + + For more detailed info and examples using the available options, see the [SignTool.exe (Sign Tool)](http://go.microsoft.com/fwlink/p/?LinkId=618026) topic. + +3. In File Explorer, right-click your catalog file, click **Properties**, and then click the **Digital Signatures** tab to make sure your catalog file's digital signature is accurate. + +4. Copy your catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} and test the file. + + **Note**  For testing purposes, you can manually copy your file to this location. However, we recommend that you use Group Policy to copy the catalog file to all of your devices for large-scale implementations. + +   + +## Troubleshooting the Package Inspector + + +If you see "Error 1181" while stopping the Package Inspector, you'll need to increase your USN journal size and then clear all of the cached data before re-scanning the impacted apps. + +You must make sure that you clear the cache by creating and setting a new temporary policy. If you reuse the same policy, the Package Inspector will fail. + +**To increase your journal size** + +1. Open a command-prompt window, and then type: + + ``` syntax + fsutil usn createjournal m=0x8000000 a=0x800000 C: + ``` + + Where the "m" value needs to be increased. We recommend that you change the value to at least 4 times the default value of m=0x2000000. + +2. Re-run the failed app installation(s). + +**To clear your cached data and re-scan your apps** + +1. Delete the SIPolicy.p7b file from the C:\\Windows\\System32\\CodeIntegrity\\ folder. + +2. 
Create a new temporary Code Integrity Policy to clear all of the cached data by starting Windows Powershell as an administrator and typing: + + ``` syntax + mkdir temp + cp C:\Windows\System32\PackageInspector.exe .\temp\ + New-CIPolicy -l Hash -f .\DenyPackageInspector.xml -s .\temp -u -deny + ConvertFrom-CIPolicy .\DenyPackageInspector.xml .\DenyPackageInspector.bin + cp .\DenyPackageInspector.bin C:\Windows\System32\SIPolicy.p7b + ``` + +3. Restart your device and follow the steps in the [Create a catalog file for unsigned apps](#create-a-catalog-file-for-unsigned-apps) section. + +## Related topics + + +[Download SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283) + +  + +  + + + + + diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md new file mode 100644 index 0000000000..9f3cf12980 --- /dev/null +++ b/windows/keep-secure/guidance-and-best-practices-edp.md 
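Review bot: the last step of "To clear your cached data and re-scan your apps" copies the new policy to `C:\Windows\System32\SIPolicy.p7b`, but step 1 of the same procedure deletes the old policy from `C:\Windows\System32\CodeIntegrity\`, and the first procedure installs it as `C:\Windows\System32\CodeIntegrity\SIPolicy.p7b`; as written, the deny policy never lands where Code Integrity reads it, so the cache is not cleared and the re-scan fails the same way. Suggest `cp .\DenyPackageInspector.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b`. Two smaller points in the same hunk: both SignTool examples (`signtool sign /f <\\SignCertLocation> /p <\\password> /fd sha256 /v` and the `/n` variant) omit the file to sign, so the command fails with no input; append the catalog path, e.g. `... /fd sha256 /v .\InspectedPackage.cat`. And step 5 of "To create a catalog file for an existing app" tells the reader to "continue to Step 5" from inside step 5; the stop step is 6, and the steps to repeat for each additional app should be rechecked too, since installing and running the app is step 4, not "Steps 2-3".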
@@ -0,0 +1,37 @@ +--- +title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) +description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). +ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0 +keywords: ["EDP", "Enterprise Data Protection"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# General guidance and best practices for enterprise data protection (EDP) +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). + +## In this section +|Topic |Description | +|------|------------| +|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. | +|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. | + +  + +  + +  + + + + + 
diff --git a/windows/keep-secure/how-applocker-works-techref.md b/windows/keep-secure/how-applocker-works-techref.md new file mode 100644 index 0000000000..344c66263f --- /dev/null +++ b/windows/keep-secure/how-applocker-works-techref.md 
@@ -0,0 +1,72 @@ +--- +title: How AppLocker works (Windows 10) +description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. +ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# How AppLocker works + + +**Applies to** + +- Windows 10 + +This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. + +The following topics explain how AppLocker policies for each of the rule condition types are evaluated: + +- [AppLocker architecture and components](applocker-architecture-and-components.md) + +- [AppLocker processes and interactions](applocker-processes-and-interactions.md) + +The following topics explain how AppLocker rules and policies work: + +- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) + +- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) + +- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) + +- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) + +- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + + - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) + + - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) + + - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + + - [Executable rules in AppLocker](executable-rules-in-applocker.md) + + - [Windows Installer rules in 
AppLocker](windows-installer-rules-in-applocker.md) + + - [Script rules in AppLocker](script-rules-in-applocker.md) + + - [DLL rules in AppLocker](dll-rules-in-applocker.md) + + - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) + +## Additional resources + + +- [AppLocker Design Guide](applocker-policies-design-guide.md) + +- [AppLocker deployment guide](applocker-policies-deployment-guide.md) + +- [Administer AppLocker](administer-applocker.md) + +  + +  + + + + + diff --git a/windows/keep-secure/how-to-configure-security-policy-settings.md b/windows/keep-secure/how-to-configure-security-policy-settings.md new file mode 100644 index 0000000000..43a7e1c656 --- /dev/null +++ b/windows/keep-secure/how-to-configure-security-policy-settings.md 
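Review bot: the lead-in "The following topics explain how AppLocker policies for each of the rule condition types are evaluated" introduces the architecture-and-components and processes-and-interactions links, which are not per-condition-type evaluation topics; the condition-type topics sit in the second list under "Understanding AppLocker rule condition types". Suggest rewording the first lead-in to something like "The following topics explain the AppLocker architecture and how its components interact" so each list matches what it links to.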
@@ -0,0 +1,115 @@ +--- +title: Configure security policy settings (Windows 10) +description: Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. +ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Configure security policy settings + + +**Applies to** + +- Windows 10 + +Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. + +You must have Administrators rights on the local device, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures. + +When a local setting is inaccessible, it indicates that a GPO currently controls that setting. + +## To configure a setting using the Local Security Policy console + + +1. To open Local Security Policy, on the **Start** screen, type **secpol.msc**, and then press ENTER. + +2. Under **Security Settings** of the console tree, do one of the following: + + - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. + + - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + +3. When you find the policy setting in the details pane, double-click the security policy that you want to modify. + +4. Modify the security policy setting, and then click **OK**. + + **Note**   + - Some security policy settings require that the device be restarted before the setting takes effect. + + - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. 
+ +   + +## To configure a security policy setting using the Local Group Policy Editor console + + +You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures. + +1. Open the Local Group Policy Editor (gpedit.msc). + +2. In the console tree, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. + +3. Do one of the following: + + - Click **Account Policies** to edit the **Password Policy** or **Account Lockout Policy**. + + - Click **Local Policies** to edit an **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + +4. In the details pane, double-click the security policy setting that you want to modify. + + **Note**   +    If this security policy has not yet been defined, select the **Define these policy settings** check box. + +   + +5. Modify the security policy setting, and then click **OK**. + +**Note**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. + +  + +## To configure a setting for a domain controller + + +The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller). + +1. To open the domain controller security policy, in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy, click **Computer Configuration**, click **Windows Settings**, and then click **Security Settings**. + +2. Do one of the following: + + - Double-click **Account Policies** to edit the **Password Policy**, **Account Lockout Policy**, or **Kerberos Policy**. + + - Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**. + +3. In the details pane, double-click the security policy that you want to modify. 
+ + **Note**   + If this security policy has not yet been defined, select the **Define these policy settings** check box. + +   + +4. Modify the security policy setting, and then click **OK**. + +**Important**   +- Always test a newly created policy in a test organizational unit before you apply it to your network. + +- When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. + +  + +## Related topics + + +[Security policy settings reference](security-policy-settings-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/how-user-account-control-works.md b/windows/keep-secure/how-user-account-control-works.md new file mode 100644 index 0000000000..c410eb2314 --- /dev/null +++ b/windows/keep-secure/how-user-account-control-works.md 
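Review bot: the "To configure a setting for a domain controller" procedure never says which console to open; step 1 begins at "in the console tree, locate *GroupPolicyObject \[ComputerName\]* Policy" with no step naming the console or the GPO, whereas the two preceding procedures open with secpol.msc and gpedit.msc. Add an opening step that names the console (the Group Policy Management Console the note above already mentions) and the GPO being edited. Also, the permissions sentence under "To configure a security policy setting using the Local Group Policy Editor console" requires rights "to update a Group Policy Object (GPO) on the domain controller" for what is a local gpedit.msc procedure; and step 2 of the domain controller procedure says "Double-click **Account Policies**" where the parallel steps above say "Click". Minor wording: "Administrators rights" should be "administrator rights".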
@@ -0,0 +1,278 @@ +--- +title: How User Account Control works (Windows 10) +description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. +ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: brianlic-msft +--- + +# How User Account Control works + + +**Applies to** + +- Windows 10 + +User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. + +## UAC process and interactions + + +Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials. + +In order to better understand how this process happens, let's look at the Windows logon process. + +### Logon process + +The following shows how the logon process for an administrator differs from the logon process for a standard user. + +![uac windows logon process](images/uacwindowslogonprocess.gif) + +By default, standard users and administrators access resources and run apps in the security context of standard users. 
When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges. + +When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token. + +A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). + +### The UAC User Experience + +When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. 
With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt. + +The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. + +**The consent and credential prompts** + +With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. + +**The consent prompt** + +The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. + +![uac consent prompt](images/uacconsentprompt.gif) + +**The credential prompt** + +The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. Administrators can also be required to provide their credentials by setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting value to **Prompt for credentials**. + +The following is an example of the UAC credential prompt. + +![uac credential prompt](images/uaccredentialprompt.gif) + +**UAC elevation prompts** + +The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. 
When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user. + +The elevation prompt color-coding is as follows: + +- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked. + +- Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item. + +- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer. + +- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer. + +**Shield icon** + +Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. + +![uac shield icon](images/uacshieldicon.png) + +The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. + +**Securing the elevation prompt** + +The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. 
For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled. + +When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop. + +Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware does not gain elevation if the user clicks **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password. + +While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy. + +## UAC Architecture + + +The following diagram details the UAC architecture. + +![uac architecture](images/uacarchitecture.gif) + +To better understand each component, review the table below: + +Component +Description +**User** + +User performs operation requiring privilege + +If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute. 
+ +ShellExecute + +ShellExecute calls CreateProcess. ShellExecute looks for the ERROR\_ELEVATION\_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt. + +CreateProcess + +If the application requires elevation, CreateProcess rejects the call with ERROR\_ELEVATION\_REQUIRED. + +**System** + +Application Information service + +A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so. + +Elevating an ActiveX install + +If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked. + +Check UAC slider level + +UAC has four levels of notification to choose from and a slider to use to select the notification level: + +- High + + If the slider is set to **Always notify**, the system checks whether the secure desktop is enabled. + +- Medium + + If the slider is set to **Notify me only when programs try to make changes to my computer**, the **User Account Control: Only elevate executable files that are signed and validated** policy setting is checked: + + - If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run. + + - If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. 
The **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked. + +- Low + + If the slider is set to **Notify me only when apps try to make changes to my computer (do not dim by desktop)**, the CreateProcess is called. + +- Never Notify + + If the slider is set to **Never notify me when**, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer. + + **Important**   + This setting is not recommended. This setting is the same as setting the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting to **Elevate without prompting**. + +   + +Secure desktop enabled + +The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: + +- If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. + +- If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used. + +CreateProcess + +CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR\_ELEVATION\_REQUIRED) to ShellExecute. + +AppCompat + +The AppCompat database stores information in the application compatibility fix entries for an application. + +Fusion + +The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field. 
+ +Installer detection + +Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent. + +**Kernel** + +Virtualization + +Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas. + +File system and registry + +The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second. + +  + +The slider will never turn UAC completely off. If you set it to **Never notify**, it will: + +- Keep the UAC service running. + +- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. + +- Automatically deny all elevation requests for standard users. + +**Important**   +In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. + +  + +**Warning**   +Universal Windows apps will not work when UAC is disabled. + +  + +### Virtualization + +Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. + +Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. 
This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. + +Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. + +Virtualization is not an option in the following scenarios: + +- Virtualization does not apply to apps that are elevated and run with a full administrative access token. + +- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations. + +- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute. + +### Request execution levels + +An app manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an app should bind to at run time. The app manifest includes entries for UAC app compatibility purposes. Administrative apps that include an entry in the app manifest prompt the user for permission to access the user's access token. Although they lack an entry in the app manifest, most administrative app can run without modification by using app compatibility fixes. App compatibility fixes are database entries that enable applications that are not UAC-compliant to work properly. + +All UAC-compliant apps should have a requested execution level added to the application manifest. 
If the application requires administrative access to the system, then marking the app with a requested execution level of "require administrator" ensures that the system identifies this program as an administrative app and performs the necessary elevation steps. Requested execution levels specify the privileges required for an app. + +### Installer detection technology + +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. + +Installer detection only applies to: + +- 32-bit executable files. + +- Applications without a requested execution level attribute. + +- Interactive processes running as a standard user with UAC enabled. + +Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer: + +- The file name includes keywords such as "install," "setup," or "update." + +- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name. + +- Keywords in the side-by-side manifest are embedded in the executable file. + +- Keywords in specific StringTable entries are linked in the executable file. + +- Key attributes in the resource script data are linked in the executable file. 
+ +- There are targeted sequences of bytes within the executable file. + +**Note**   +The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies. + +  + +**Note**   +The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). + +  + +  + +  + + + + + diff --git a/windows/keep-secure/images/applocker-plan-inheritance.gif b/windows/keep-secure/images/applocker-plan-inheritance.gif new file mode 100644 index 0000000000..1af294fdf5 Binary files /dev/null and b/windows/keep-secure/images/applocker-plan-inheritance.gif differ diff --git a/windows/keep-secure/images/applocker-plandeploy-quickreference.gif b/windows/keep-secure/images/applocker-plandeploy-quickreference.gif new file mode 100644 index 0000000000..453d8e2088 Binary files /dev/null and b/windows/keep-secure/images/applocker-plandeploy-quickreference.gif differ diff --git a/windows/keep-secure/images/authflow.png b/windows/keep-secure/images/authflow.png new file mode 100644 index 0000000000..1ddf18cc1f Binary files /dev/null and b/windows/keep-secure/images/authflow.png differ diff --git a/windows/keep-secure/images/bitlockernetworkunlocksequence.png b/windows/keep-secure/images/bitlockernetworkunlocksequence.png new file mode 100644 index 0000000000..fe459be8e0 Binary files /dev/null and b/windows/keep-secure/images/bitlockernetworkunlocksequence.png differ diff --git a/windows/keep-secure/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/keep-secure/images/bitlockerprebootprotection-bios-uefi-startup.jpg new file mode 100644 index 0000000000..95afbf2ccc Binary files /dev/null and b/windows/keep-secure/images/bitlockerprebootprotection-bios-uefi-startup.jpg differ 
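Review bot: the UAC slider bullets in this hunk are inconsistent with the rest of the file and contain a typo that changes the option name a reader would look for. The Low bullet reads `(do not dim by desktop)`, which looks like a typo for `(do not dim my desktop)`, and the Never Notify bullet calls the option `**Never notify me when**` while the later paragraph in the same hunk calls it `**Never notify**`; pick one name, and reword `UAC prompt will never notify when an app is trying to install or trying to make any change on the computer` to `the UAC prompt never appears when an app tries to install software or make changes to the computer`. In the Installer detection technology paragraph, `typically writeable only by an administrator in Installer detection technology, which means that standard users...` misplaces the phrase: the locations are writable only by administrators regardless of installer detection, so drop `in Installer detection technology` from that sentence. Smaller grammar fixes: `Cause all elevation request initiated by administrators` should be `requests`; `When an administrative apps that is not UAC-compliant` should be `an administrative app that is`; `most administrative app can run without modification` should be `apps`. The closing note names the `User Account Control: Detect application installations and prompt for elevation` policy without the bold used for every other policy name in the file, and the file ends with several `+   ` lines holding only a non-breaking space; trim those so the file ends with a single newline.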
diff --git a/windows/keep-secure/images/bitlockerprebootprotection-counterwin7.jpg b/windows/keep-secure/images/bitlockerprebootprotection-counterwin7.jpg new file mode 100644 index 0000000000..d2caa05b03 Binary files /dev/null and b/windows/keep-secure/images/bitlockerprebootprotection-counterwin7.jpg differ diff --git a/windows/keep-secure/images/bitlockerprebootprotection-counterwin8.jpg b/windows/keep-secure/images/bitlockerprebootprotection-counterwin8.jpg new file mode 100644 index 0000000000..14a30db7c4 Binary files /dev/null and b/windows/keep-secure/images/bitlockerprebootprotection-counterwin8.jpg differ diff --git a/windows/keep-secure/images/bitlockerprebootprotection-counterwin81.jpg b/windows/keep-secure/images/bitlockerprebootprotection-counterwin81.jpg new file mode 100644 index 0000000000..e691dcbc53 Binary files /dev/null and b/windows/keep-secure/images/bitlockerprebootprotection-counterwin81.jpg differ diff --git a/windows/keep-secure/images/blockedappmsg.gif b/windows/keep-secure/images/blockedappmsg.gif new file mode 100644 index 0000000000..7c79b6e8aa Binary files /dev/null and b/windows/keep-secure/images/blockedappmsg.gif differ diff --git a/windows/keep-secure/images/bt-passcode.png b/windows/keep-secure/images/bt-passcode.png new file mode 100644 index 0000000000..4941075883 Binary files /dev/null and b/windows/keep-secure/images/bt-passcode.png differ diff --git a/windows/keep-secure/images/btpair.png b/windows/keep-secure/images/btpair.png new file mode 100644 index 0000000000..16c087111d Binary files /dev/null and b/windows/keep-secure/images/btpair.png differ diff --git a/windows/keep-secure/images/capi-gpo.png b/windows/keep-secure/images/capi-gpo.png new file mode 100644 index 0000000000..fb5b69fc27 Binary files /dev/null and b/windows/keep-secure/images/capi-gpo.png differ 
diff --git a/windows/keep-secure/images/connect.png b/windows/keep-secure/images/connect.png new file mode 100644 index 0000000000..2338eda8d2 Binary files /dev/null and b/windows/keep-secure/images/connect.png differ diff --git a/windows/keep-secure/images/corpown.png b/windows/keep-secure/images/corpown.png new file mode 100644 index 0000000000..f87d33ce86 Binary files /dev/null and b/windows/keep-secure/images/corpown.png differ diff --git a/windows/keep-secure/images/credguard-gp.png b/windows/keep-secure/images/credguard-gp.png new file mode 100644 index 0000000000..8c91b114df Binary files /dev/null and b/windows/keep-secure/images/credguard-gp.png differ diff --git a/windows/keep-secure/images/credguard-msinfo32.png b/windows/keep-secure/images/credguard-msinfo32.png new file mode 100644 index 0000000000..56a43ce2db Binary files /dev/null and b/windows/keep-secure/images/credguard-msinfo32.png differ diff --git a/windows/keep-secure/images/credguard.png b/windows/keep-secure/images/credguard.png new file mode 100644 index 0000000000..170e84a3cd Binary files /dev/null and b/windows/keep-secure/images/credguard.png differ diff --git a/windows/keep-secure/images/defender-gp-defsharesfield.png b/windows/keep-secure/images/defender-gp-defsharesfield.png new file mode 100644 index 0000000000..bd40c53930 Binary files /dev/null and b/windows/keep-secure/images/defender-gp-defsharesfield.png differ diff --git a/windows/keep-secure/images/defender-gp-defsourcefield.png b/windows/keep-secure/images/defender-gp-defsourcefield.png new file mode 100644 index 0000000000..9ce64c0b3c Binary files /dev/null and b/windows/keep-secure/images/defender-gp-defsourcefield.png differ diff --git a/windows/keep-secure/images/defender-scanarchivecpu.png b/windows/keep-secure/images/defender-scanarchivecpu.png new file mode 100644 index 0000000000..03f469da10 Binary files /dev/null and b/windows/keep-secure/images/defender-scanarchivecpu.png differ 
diff --git a/windows/keep-secure/images/defender-scanarchivedepth.png b/windows/keep-secure/images/defender-scanarchivedepth.png new file mode 100644 index 0000000000..051b12d342 Binary files /dev/null and b/windows/keep-secure/images/defender-scanarchivedepth.png differ diff --git a/windows/keep-secure/images/defender-scanarchivefiles.png b/windows/keep-secure/images/defender-scanarchivefiles.png new file mode 100644 index 0000000000..64b8a47f65 Binary files /dev/null and b/windows/keep-secure/images/defender-scanarchivefiles.png differ diff --git a/windows/keep-secure/images/defender-scanarchivesize.png b/windows/keep-secure/images/defender-scanarchivesize.png new file mode 100644 index 0000000000..3c2d70974c Binary files /dev/null and b/windows/keep-secure/images/defender-scanarchivesize.png differ diff --git a/windows/keep-secure/images/defender-scanemailfiles.png b/windows/keep-secure/images/defender-scanemailfiles.png new file mode 100644 index 0000000000..8d03c9c1c2 Binary files /dev/null and b/windows/keep-secure/images/defender-scanemailfiles.png differ diff --git a/windows/keep-secure/images/defender-updatedefs2.png b/windows/keep-secure/images/defender-updatedefs2.png new file mode 100644 index 0000000000..2ec979e605 Binary files /dev/null and b/windows/keep-secure/images/defender-updatedefs2.png differ diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png new file mode 100644 index 0000000000..0c2c1c9d4f Binary files /dev/null and b/windows/keep-secure/images/device-guard-gp.png differ diff --git a/windows/keep-secure/images/dg-fig1-enableos.png b/windows/keep-secure/images/dg-fig1-enableos.png new file mode 100644 index 0000000000..cefb124344 Binary files /dev/null and b/windows/keep-secure/images/dg-fig1-enableos.png differ 
diff --git a/windows/keep-secure/images/dg-fig10-enablecredentialguard.png b/windows/keep-secure/images/dg-fig10-enablecredentialguard.png new file mode 100644 index 0000000000..938e397751 Binary files /dev/null and b/windows/keep-secure/images/dg-fig10-enablecredentialguard.png differ diff --git a/windows/keep-secure/images/dg-fig11-dgproperties.png b/windows/keep-secure/images/dg-fig11-dgproperties.png new file mode 100644 index 0000000000..ce16705d0f Binary files /dev/null and b/windows/keep-secure/images/dg-fig11-dgproperties.png differ diff --git a/windows/keep-secure/images/dg-fig12-verifysigning.png b/windows/keep-secure/images/dg-fig12-verifysigning.png new file mode 100644 index 0000000000..fa2c162cc0 Binary files /dev/null and b/windows/keep-secure/images/dg-fig12-verifysigning.png differ diff --git a/windows/keep-secure/images/dg-fig13-createnewgpo.png b/windows/keep-secure/images/dg-fig13-createnewgpo.png new file mode 100644 index 0000000000..d640052d26 Binary files /dev/null and b/windows/keep-secure/images/dg-fig13-createnewgpo.png differ diff --git a/windows/keep-secure/images/dg-fig14-createnewfile.png b/windows/keep-secure/images/dg-fig14-createnewfile.png new file mode 100644 index 0000000000..4439bd2764 Binary files /dev/null and b/windows/keep-secure/images/dg-fig14-createnewfile.png differ diff --git a/windows/keep-secure/images/dg-fig15-setnewfileprops.png b/windows/keep-secure/images/dg-fig15-setnewfileprops.png new file mode 100644 index 0000000000..db0ddb80db Binary files /dev/null and b/windows/keep-secure/images/dg-fig15-setnewfileprops.png differ diff --git a/windows/keep-secure/images/dg-fig16-specifyinfo.png b/windows/keep-secure/images/dg-fig16-specifyinfo.png new file mode 100644 index 0000000000..55344d70d1 Binary files /dev/null and b/windows/keep-secure/images/dg-fig16-specifyinfo.png differ 
diff --git a/windows/keep-secure/images/dg-fig17-specifyinfo.png b/windows/keep-secure/images/dg-fig17-specifyinfo.png new file mode 100644 index 0000000000..d79ca2c2af Binary files /dev/null and b/windows/keep-secure/images/dg-fig17-specifyinfo.png differ diff --git a/windows/keep-secure/images/dg-fig18-specifyux.png b/windows/keep-secure/images/dg-fig18-specifyux.png new file mode 100644 index 0000000000..08492ef73b Binary files /dev/null and b/windows/keep-secure/images/dg-fig18-specifyux.png differ diff --git a/windows/keep-secure/images/dg-fig19-customsettings.png b/windows/keep-secure/images/dg-fig19-customsettings.png new file mode 100644 index 0000000000..2c5c7236eb Binary files /dev/null and b/windows/keep-secure/images/dg-fig19-customsettings.png differ diff --git a/windows/keep-secure/images/dg-fig2-createou.png b/windows/keep-secure/images/dg-fig2-createou.png new file mode 100644 index 0000000000..d640052d26 Binary files /dev/null and b/windows/keep-secure/images/dg-fig2-createou.png differ diff --git a/windows/keep-secure/images/dg-fig20-setsoftwareinv.png b/windows/keep-secure/images/dg-fig20-setsoftwareinv.png new file mode 100644 index 0000000000..2c838be648 Binary files /dev/null and b/windows/keep-secure/images/dg-fig20-setsoftwareinv.png differ diff --git a/windows/keep-secure/images/dg-fig21-pathproperties.png b/windows/keep-secure/images/dg-fig21-pathproperties.png new file mode 100644 index 0000000000..9499946283 Binary files /dev/null and b/windows/keep-secure/images/dg-fig21-pathproperties.png differ diff --git a/windows/keep-secure/images/dg-fig22-deploycode.png b/windows/keep-secure/images/dg-fig22-deploycode.png new file mode 100644 index 0000000000..4f6746eddf Binary files /dev/null and b/windows/keep-secure/images/dg-fig22-deploycode.png differ 
diff --git a/windows/keep-secure/images/dg-fig23-exceptionstocode.png b/windows/keep-secure/images/dg-fig23-exceptionstocode.png new file mode 100644 index 0000000000..c6b33e6139 Binary files /dev/null and b/windows/keep-secure/images/dg-fig23-exceptionstocode.png differ diff --git a/windows/keep-secure/images/dg-fig24-creategpo.png b/windows/keep-secure/images/dg-fig24-creategpo.png new file mode 100644 index 0000000000..d640052d26 Binary files /dev/null and b/windows/keep-secure/images/dg-fig24-creategpo.png differ diff --git a/windows/keep-secure/images/dg-fig25-editcode.png b/windows/keep-secure/images/dg-fig25-editcode.png new file mode 100644 index 0000000000..e3729e8214 Binary files /dev/null and b/windows/keep-secure/images/dg-fig25-editcode.png differ diff --git a/windows/keep-secure/images/dg-fig26-enablecode.png b/windows/keep-secure/images/dg-fig26-enablecode.png new file mode 100644 index 0000000000..4f6746eddf Binary files /dev/null and b/windows/keep-secure/images/dg-fig26-enablecode.png differ diff --git a/windows/keep-secure/images/dg-fig27-managecerttemp.png b/windows/keep-secure/images/dg-fig27-managecerttemp.png new file mode 100644 index 0000000000..9f0ed93274 Binary files /dev/null and b/windows/keep-secure/images/dg-fig27-managecerttemp.png differ diff --git a/windows/keep-secure/images/dg-fig29-enableconstraints.png b/windows/keep-secure/images/dg-fig29-enableconstraints.png new file mode 100644 index 0000000000..bad5fe7cdd Binary files /dev/null and b/windows/keep-secure/images/dg-fig29-enableconstraints.png differ diff --git a/windows/keep-secure/images/dg-fig3-enablevbs.png b/windows/keep-secure/images/dg-fig3-enablevbs.png new file mode 100644 index 0000000000..d457c0bb96 Binary files /dev/null and b/windows/keep-secure/images/dg-fig3-enablevbs.png differ 
diff --git a/windows/keep-secure/images/dg-fig30-selectnewcert.png b/windows/keep-secure/images/dg-fig30-selectnewcert.png new file mode 100644 index 0000000000..11687d092c Binary files /dev/null and b/windows/keep-secure/images/dg-fig30-selectnewcert.png differ diff --git a/windows/keep-secure/images/dg-fig31-getmoreinfo.png b/windows/keep-secure/images/dg-fig31-getmoreinfo.png new file mode 100644 index 0000000000..7661cb4eb9 Binary files /dev/null and b/windows/keep-secure/images/dg-fig31-getmoreinfo.png differ diff --git a/windows/keep-secure/images/dg-fig5-createnewou.png b/windows/keep-secure/images/dg-fig5-createnewou.png new file mode 100644 index 0000000000..d640052d26 Binary files /dev/null and b/windows/keep-secure/images/dg-fig5-createnewou.png differ diff --git a/windows/keep-secure/images/dg-fig6-enablevbs.png b/windows/keep-secure/images/dg-fig6-enablevbs.png new file mode 100644 index 0000000000..b9a4b1881f Binary files /dev/null and b/windows/keep-secure/images/dg-fig6-enablevbs.png differ diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png new file mode 100644 index 0000000000..bf0d55dd7f Binary files /dev/null and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ diff --git a/windows/keep-secure/images/dg-fig8-createoulinked.png b/windows/keep-secure/images/dg-fig8-createoulinked.png new file mode 100644 index 0000000000..d640052d26 Binary files /dev/null and b/windows/keep-secure/images/dg-fig8-createoulinked.png differ diff --git a/windows/keep-secure/images/dg-fig9-enablevbs.png b/windows/keep-secure/images/dg-fig9-enablevbs.png new file mode 100644 index 0000000000..3a33c13350 Binary files /dev/null and b/windows/keep-secure/images/dg-fig9-enablevbs.png differ 
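Review bot: several of the new Device Guard screenshots in this region are byte-identical under different names, which suggests the wrong image was exported for some figures. dg-fig13-createnewgpo.png, dg-fig2-createou.png, dg-fig24-creategpo.png, dg-fig5-createnewou.png and dg-fig8-createoulinked.png all have index `0000000000..d640052d26`, and dg-fig22-deploycode.png and dg-fig26-enablecode.png both have index `0000000000..4f6746eddf`. A "create OU" figure and a "create new GPO" figure should not be the same picture, so check each file against the figure it illustrates; where the duplication is intentional, reference one file from the docs rather than committing the same binary five times.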
diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/edp-sccm-adddesktopapp.png new file mode 100644 index 0000000000..5ceed9bc66 Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-adddesktopapp.png differ diff --git a/windows/keep-secure/images/edp-sccm-addpolicy.png b/windows/keep-secure/images/edp-sccm-addpolicy.png new file mode 100644 index 0000000000..d506a859a2 Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-addpolicy.png differ diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/edp-sccm-adduniversalapp.png new file mode 100644 index 0000000000..bd5009afdc Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-adduniversalapp.png differ diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/edp-sccm-appmgmt.png new file mode 100644 index 0000000000..0a9d23f405 Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-appmgmt.png differ diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/edp-sccm-devicesettings.png new file mode 100644 index 0000000000..3056cc1c96 Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-devicesettings.png differ diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/edp-sccm-generalscreen.png new file mode 100644 index 0000000000..788cef4b8a Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-generalscreen.png differ diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/edp-sccm-optsettings.png new file mode 100644 index 0000000000..d786610c07 Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-optsettings.png differ 
diff --git a/windows/keep-secure/images/edp-sccm-primarydomain2.png b/windows/keep-secure/images/edp-sccm-primarydomain2.png new file mode 100644 index 0000000000..5cb9990baf Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-primarydomain2.png differ diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/edp-sccm-summaryscreen.png new file mode 100644 index 0000000000..2e9d7b138b Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-summaryscreen.png differ diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/edp-sccm-supportedplat.png new file mode 100644 index 0000000000..dc72f15692 Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-supportedplat.png differ diff --git a/windows/keep-secure/images/emailsecurity.png b/windows/keep-secure/images/emailsecurity.png new file mode 100644 index 0000000000..4181fc4f45 Binary files /dev/null and b/windows/keep-secure/images/emailsecurity.png differ diff --git a/windows/keep-secure/images/hellosettings.png b/windows/keep-secure/images/hellosettings.png new file mode 100644 index 0000000000..77a8753b5c Binary files /dev/null and b/windows/keep-secure/images/hellosettings.png differ diff --git a/windows/keep-secure/images/hva-fig1-endtoend1.png b/windows/keep-secure/images/hva-fig1-endtoend1.png new file mode 100644 index 0000000000..f298a9973b Binary files /dev/null and b/windows/keep-secure/images/hva-fig1-endtoend1.png differ diff --git a/windows/keep-secure/images/hva-fig10-conditionalaccesscontrol.png b/windows/keep-secure/images/hva-fig10-conditionalaccesscontrol.png new file mode 100644 index 0000000000..ee0e379f1e Binary files /dev/null and b/windows/keep-secure/images/hva-fig10-conditionalaccesscontrol.png differ 
diff --git a/windows/keep-secure/images/hva-fig11-office365.png b/windows/keep-secure/images/hva-fig11-office365.png new file mode 100644 index 0000000000..6e949942d0 Binary files /dev/null and b/windows/keep-secure/images/hva-fig11-office365.png differ diff --git a/windows/keep-secure/images/hva-fig12-conditionalaccess12.png b/windows/keep-secure/images/hva-fig12-conditionalaccess12.png new file mode 100644 index 0000000000..612a4d1d13 Binary files /dev/null and b/windows/keep-secure/images/hva-fig12-conditionalaccess12.png differ diff --git a/windows/keep-secure/images/hva-fig2-assessfromcloud2.png b/windows/keep-secure/images/hva-fig2-assessfromcloud2.png new file mode 100644 index 0000000000..0ded3ee620 Binary files /dev/null and b/windows/keep-secure/images/hva-fig2-assessfromcloud2.png differ diff --git a/windows/keep-secure/images/hva-fig3-endtoendoverview3.png b/windows/keep-secure/images/hva-fig3-endtoendoverview3.png new file mode 100644 index 0000000000..d49ead9cd1 Binary files /dev/null and b/windows/keep-secure/images/hva-fig3-endtoendoverview3.png differ diff --git a/windows/keep-secure/images/hva-fig4-hardware.png b/windows/keep-secure/images/hva-fig4-hardware.png new file mode 100644 index 0000000000..c9f5e811bc Binary files /dev/null and b/windows/keep-secure/images/hva-fig4-hardware.png differ diff --git a/windows/keep-secure/images/hva-fig5-virtualbasedsecurity.png b/windows/keep-secure/images/hva-fig5-virtualbasedsecurity.png new file mode 100644 index 0000000000..2c30e29cd8 Binary files /dev/null and b/windows/keep-secure/images/hva-fig5-virtualbasedsecurity.png differ diff --git a/windows/keep-secure/images/hva-fig6-logs.png b/windows/keep-secure/images/hva-fig6-logs.png new file mode 100644 index 0000000000..3657f33193 Binary files /dev/null and b/windows/keep-secure/images/hva-fig6-logs.png differ 
diff --git a/windows/keep-secure/images/hva-fig7-measurement.png b/windows/keep-secure/images/hva-fig7-measurement.png new file mode 100644 index 0000000000..46f5239c48 Binary files /dev/null and b/windows/keep-secure/images/hva-fig7-measurement.png differ diff --git a/windows/keep-secure/images/hva-fig8-evaldevicehealth8.png b/windows/keep-secure/images/hva-fig8-evaldevicehealth8.png new file mode 100644 index 0000000000..7c3e5e11b2 Binary files /dev/null and b/windows/keep-secure/images/hva-fig8-evaldevicehealth8.png differ diff --git a/windows/keep-secure/images/hva-fig8a-healthattest8a.png b/windows/keep-secure/images/hva-fig8a-healthattest8a.png new file mode 100644 index 0000000000..7b7bdb5387 Binary files /dev/null and b/windows/keep-secure/images/hva-fig8a-healthattest8a.png differ diff --git a/windows/keep-secure/images/hva-fig9-intune.png b/windows/keep-secure/images/hva-fig9-intune.png new file mode 100644 index 0000000000..a5302ff88b Binary files /dev/null and b/windows/keep-secure/images/hva-fig9-intune.png differ diff --git a/windows/keep-secure/images/installcert.png b/windows/keep-secure/images/installcert.png new file mode 100644 index 0000000000..5b5187fa68 Binary files /dev/null and b/windows/keep-secure/images/installcert.png differ diff --git a/windows/keep-secure/images/intune-add-desktop-app.png b/windows/keep-secure/images/intune-add-desktop-app.png new file mode 100644 index 0000000000..8d8186398a Binary files /dev/null and b/windows/keep-secure/images/intune-add-desktop-app.png differ diff --git a/windows/keep-secure/images/intune-addapps.png b/windows/keep-secure/images/intune-addapps.png new file mode 100644 index 0000000000..431eab4f59 Binary files /dev/null and b/windows/keep-secure/images/intune-addapps.png differ 
diff --git a/windows/keep-secure/images/intune-createnewpolicy.png b/windows/keep-secure/images/intune-createnewpolicy.png new file mode 100644 index 0000000000..02a989d8ae Binary files /dev/null and b/windows/keep-secure/images/intune-createnewpolicy.png differ diff --git a/windows/keep-secure/images/intune-data-recovery.png b/windows/keep-secure/images/intune-data-recovery.png new file mode 100644 index 0000000000..0913c7a22b Binary files /dev/null and b/windows/keep-secure/images/intune-data-recovery.png differ diff --git a/windows/keep-secure/images/intune-deploy-vpn.png b/windows/keep-secure/images/intune-deploy-vpn.png new file mode 100644 index 0000000000..de066d3a8b Binary files /dev/null and b/windows/keep-secure/images/intune-deploy-vpn.png differ diff --git a/windows/keep-secure/images/intune-edpsettings.png b/windows/keep-secure/images/intune-edpsettings.png new file mode 100644 index 0000000000..882bf0d46b Binary files /dev/null and b/windows/keep-secure/images/intune-edpsettings.png differ diff --git a/windows/keep-secure/images/intune-encryption-level.png b/windows/keep-secure/images/intune-encryption-level.png new file mode 100644 index 0000000000..f094fae2f9 Binary files /dev/null and b/windows/keep-secure/images/intune-encryption-level.png differ diff --git a/windows/keep-secure/images/intune-groupselection.png b/windows/keep-secure/images/intune-groupselection.png new file mode 100644 index 0000000000..992d7a52cf Binary files /dev/null and b/windows/keep-secure/images/intune-groupselection.png differ diff --git a/windows/keep-secure/images/intune-managedeployment.png b/windows/keep-secure/images/intune-managedeployment.png new file mode 100644 index 0000000000..93d37116ef Binary files /dev/null and b/windows/keep-secure/images/intune-managedeployment.png differ 
diff --git a/windows/keep-secure/images/intune-namedescription.png b/windows/keep-secure/images/intune-namedescription.png new file mode 100644 index 0000000000..874b8b52a5 Binary files /dev/null and b/windows/keep-secure/images/intune-namedescription.png differ diff --git a/windows/keep-secure/images/intune-networklocation.png b/windows/keep-secure/images/intune-networklocation.png new file mode 100644 index 0000000000..3b1ec39b7c Binary files /dev/null and b/windows/keep-secure/images/intune-networklocation.png differ diff --git a/windows/keep-secure/images/intune-primary-domain.png b/windows/keep-secure/images/intune-primary-domain.png new file mode 100644 index 0000000000..72105fab7c Binary files /dev/null and b/windows/keep-secure/images/intune-primary-domain.png differ diff --git a/windows/keep-secure/images/intune-vpn-authentication.png b/windows/keep-secure/images/intune-vpn-authentication.png new file mode 100644 index 0000000000..49c41b313d Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-authentication.png differ diff --git a/windows/keep-secure/images/intune-vpn-createpolicy.png b/windows/keep-secure/images/intune-vpn-createpolicy.png new file mode 100644 index 0000000000..51abff3771 Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-createpolicy.png differ diff --git a/windows/keep-secure/images/intune-vpn-customconfig.png b/windows/keep-secure/images/intune-vpn-customconfig.png new file mode 100644 index 0000000000..1e1dd0345b Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-customconfig.png differ diff --git a/windows/keep-secure/images/intune-vpn-edpmodeid.png b/windows/keep-secure/images/intune-vpn-edpmodeid.png new file mode 100644 index 0000000000..80852af30d Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-edpmodeid.png differ 
diff --git a/windows/keep-secure/images/intune-vpn-omaurisettings.png b/windows/keep-secure/images/intune-vpn-omaurisettings.png new file mode 100644 index 0000000000..382301498e Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-omaurisettings.png differ diff --git a/windows/keep-secure/images/intune-vpn-titledescription.png b/windows/keep-secure/images/intune-vpn-titledescription.png new file mode 100644 index 0000000000..a1d9bc70d9 Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-titledescription.png differ diff --git a/windows/keep-secure/images/intune-vpn-vpnsettings.png b/windows/keep-secure/images/intune-vpn-vpnsettings.png new file mode 100644 index 0000000000..b09cb58508 Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-vpnsettings.png differ diff --git a/windows/keep-secure/images/mailsettings.png b/windows/keep-secure/images/mailsettings.png new file mode 100644 index 0000000000..02423ab89c Binary files /dev/null and b/windows/keep-secure/images/mailsettings.png differ diff --git a/windows/keep-secure/images/mobile-security-guide-fig1.png b/windows/keep-secure/images/mobile-security-guide-fig1.png new file mode 100644 index 0000000000..4bdc6c0c9c Binary files /dev/null and b/windows/keep-secure/images/mobile-security-guide-fig1.png differ diff --git a/windows/keep-secure/images/mobile-security-guide-fig2.png b/windows/keep-secure/images/mobile-security-guide-fig2.png new file mode 100644 index 0000000000..becb48f0ed Binary files /dev/null and b/windows/keep-secure/images/mobile-security-guide-fig2.png differ diff --git a/windows/keep-secure/images/mobile-security-guide-figure3.png b/windows/keep-secure/images/mobile-security-guide-figure3.png new file mode 100644 index 0000000000..f78d187b04 Binary files /dev/null and b/windows/keep-secure/images/mobile-security-guide-figure3.png differ 
diff --git a/windows/keep-secure/images/mobile-security-guide-figure4.png b/windows/keep-secure/images/mobile-security-guide-figure4.png new file mode 100644 index 0000000000..6f9b3725f8 Binary files /dev/null and b/windows/keep-secure/images/mobile-security-guide-figure4.png differ diff --git a/windows/keep-secure/images/passport-fig1.png b/windows/keep-secure/images/passport-fig1.png new file mode 100644 index 0000000000..3144e48b59 Binary files /dev/null and b/windows/keep-secure/images/passport-fig1.png differ diff --git a/windows/keep-secure/images/passport-fig2-pinimmeduse.png b/windows/keep-secure/images/passport-fig2-pinimmeduse.png new file mode 100644 index 0000000000..d52ab7168e Binary files /dev/null and b/windows/keep-secure/images/passport-fig2-pinimmeduse.png differ diff --git a/windows/keep-secure/images/passport-fig3-logicalcontainer.png b/windows/keep-secure/images/passport-fig3-logicalcontainer.png new file mode 100644 index 0000000000..d00836529a Binary files /dev/null and b/windows/keep-secure/images/passport-fig3-logicalcontainer.png differ diff --git a/windows/keep-secure/images/passport-fig4-join.png b/windows/keep-secure/images/passport-fig4-join.png new file mode 100644 index 0000000000..367d78a5aa Binary files /dev/null and b/windows/keep-secure/images/passport-fig4-join.png differ diff --git a/windows/keep-secure/images/pinerror.png b/windows/keep-secure/images/pinerror.png new file mode 100644 index 0000000000..188b981299 Binary files /dev/null and b/windows/keep-secure/images/pinerror.png differ diff --git a/windows/keep-secure/images/runkey.png b/windows/keep-secure/images/runkey.png new file mode 100644 index 0000000000..7059da453d Binary files /dev/null and b/windows/keep-secure/images/runkey.png differ diff --git a/windows/keep-secure/images/runoncekey.png b/windows/keep-secure/images/runoncekey.png new file mode 100644 index 0000000000..fe9cd06b5d Binary files /dev/null and b/windows/keep-secure/images/runoncekey.png differ 
diff --git a/windows/keep-secure/images/sccm-primary-domain.png b/windows/keep-secure/images/sccm-primary-domain.png new file mode 100644 index 0000000000..ca2c5a0b78 Binary files /dev/null and b/windows/keep-secure/images/sccm-primary-domain.png differ diff --git a/windows/keep-secure/images/secpol-architecture.gif b/windows/keep-secure/images/secpol-architecture.gif new file mode 100644 index 0000000000..aa7f16b61a Binary files /dev/null and b/windows/keep-secure/images/secpol-architecture.gif differ diff --git a/windows/keep-secure/images/secpol-components.gif b/windows/keep-secure/images/secpol-components.gif new file mode 100644 index 0000000000..df39c95345 Binary files /dev/null and b/windows/keep-secure/images/secpol-components.gif differ diff --git a/windows/keep-secure/images/secpol-multigpomerge.gif b/windows/keep-secure/images/secpol-multigpomerge.gif new file mode 100644 index 0000000000..8a637c8319 Binary files /dev/null and b/windows/keep-secure/images/secpol-multigpomerge.gif differ diff --git a/windows/keep-secure/images/secpol-processes.gif b/windows/keep-secure/images/secpol-processes.gif new file mode 100644 index 0000000000..a1fc126115 Binary files /dev/null and b/windows/keep-secure/images/secpol-processes.gif differ diff --git a/windows/keep-secure/images/security-fig1-invalidaccess.png b/windows/keep-secure/images/security-fig1-invalidaccess.png new file mode 100644 index 0000000000..8aa3535761 Binary files /dev/null and b/windows/keep-secure/images/security-fig1-invalidaccess.png differ diff --git a/windows/keep-secure/images/security-fig10-optinsettings.png b/windows/keep-secure/images/security-fig10-optinsettings.png new file mode 100644 index 0000000000..6754e27e0c Binary files /dev/null and b/windows/keep-secure/images/security-fig10-optinsettings.png differ 
diff --git a/windows/keep-secure/images/security-fig11-defendersettings.png b/windows/keep-secure/images/security-fig11-defendersettings.png new file mode 100644 index 0000000000..bba84ac28f Binary files /dev/null and b/windows/keep-secure/images/security-fig11-defendersettings.png differ diff --git a/windows/keep-secure/images/security-fig2-vbsarchitecture.png b/windows/keep-secure/images/security-fig2-vbsarchitecture.png new file mode 100644 index 0000000000..55301bf8c2 Binary files /dev/null and b/windows/keep-secure/images/security-fig2-vbsarchitecture.png differ diff --git a/windows/keep-secure/images/security-fig3-healthattestation.png b/windows/keep-secure/images/security-fig3-healthattestation.png new file mode 100644 index 0000000000..8cc8003555 Binary files /dev/null and b/windows/keep-secure/images/security-fig3-healthattestation.png differ diff --git a/windows/keep-secure/images/security-fig4-aslr.png b/windows/keep-secure/images/security-fig4-aslr.png new file mode 100644 index 0000000000..a84f09fe89 Binary files /dev/null and b/windows/keep-secure/images/security-fig4-aslr.png differ diff --git a/windows/keep-secure/images/security-fig5-dep.png b/windows/keep-secure/images/security-fig5-dep.png new file mode 100644 index 0000000000..f4e6874400 Binary files /dev/null and b/windows/keep-secure/images/security-fig5-dep.png differ diff --git a/windows/keep-secure/images/security-fig6-edge2.png b/windows/keep-secure/images/security-fig6-edge2.png new file mode 100644 index 0000000000..d3d2d9c2e5 Binary files /dev/null and b/windows/keep-secure/images/security-fig6-edge2.png differ diff --git a/windows/keep-secure/images/security-fig7-smartscreenfilter.png b/windows/keep-secure/images/security-fig7-smartscreenfilter.png new file mode 100644 index 0000000000..dba19d0f08 Binary files /dev/null and b/windows/keep-secure/images/security-fig7-smartscreenfilter.png differ 
diff --git a/windows/keep-secure/images/security-fig8-smartscreenconfig.png b/windows/keep-secure/images/security-fig8-smartscreenconfig.png new file mode 100644 index 0000000000..1377b79de8 Binary files /dev/null and b/windows/keep-secure/images/security-fig8-smartscreenconfig.png differ diff --git a/windows/keep-secure/images/security-fig9-windows7allow.png b/windows/keep-secure/images/security-fig9-windows7allow.png new file mode 100644 index 0000000000..cc2bc0e16b Binary files /dev/null and b/windows/keep-secure/images/security-fig9-windows7allow.png differ diff --git a/windows/keep-secure/images/signencrypt.png b/windows/keep-secure/images/signencrypt.png new file mode 100644 index 0000000000..2542682d9a Binary files /dev/null and b/windows/keep-secure/images/signencrypt.png differ diff --git a/windows/keep-secure/images/uacarchitecture.gif b/windows/keep-secure/images/uacarchitecture.gif new file mode 100644 index 0000000000..47a6e0be57 Binary files /dev/null and b/windows/keep-secure/images/uacarchitecture.gif differ diff --git a/windows/keep-secure/images/uacconsentprompt.gif b/windows/keep-secure/images/uacconsentprompt.gif new file mode 100644 index 0000000000..ec65e67586 Binary files /dev/null and b/windows/keep-secure/images/uacconsentprompt.gif differ diff --git a/windows/keep-secure/images/uaccredentialprompt.gif b/windows/keep-secure/images/uaccredentialprompt.gif new file mode 100644 index 0000000000..86374d118b Binary files /dev/null and b/windows/keep-secure/images/uaccredentialprompt.gif differ diff --git a/windows/keep-secure/images/uacshieldicon.png b/windows/keep-secure/images/uacshieldicon.png new file mode 100644 index 0000000000..8df37f2c12 Binary files /dev/null and b/windows/keep-secure/images/uacshieldicon.png differ 
diff --git a/windows/keep-secure/images/uacwindowslogonprocess.gif b/windows/keep-secure/images/uacwindowslogonprocess.gif new file mode 100644 index 0000000000..588d0bde8d Binary files /dev/null and b/windows/keep-secure/images/uacwindowslogonprocess.gif differ diff --git a/windows/keep-secure/images/wef-client-config.png b/windows/keep-secure/images/wef-client-config.png new file mode 100644 index 0000000000..a26694eef3 Binary files /dev/null and b/windows/keep-secure/images/wef-client-config.png differ diff --git a/windows/keep-secure/impersonate-a-client-after-authentication.md b/windows/keep-secure/impersonate-a-client-after-authentication.md new file mode 100644 index 0000000000..c43d7641b6 --- /dev/null +++ b/windows/keep-secure/impersonate-a-client-after-authentication.md 
@@ -0,0 +1,171 @@ +--- +title: Impersonate a client after authentication (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. +ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Impersonate a client after authentication + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Impersonate a client after authentication** security policy setting. + +## Reference + + +This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user. If this user right is required for this type of impersonation, an unauthorized user cannot cause a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created to impersonate that client. (Such an action could elevate the unauthorized user's permissions to administrative or system levels.) + +Impersonation is the ability of a thread to run in a security context that is different from the context of the process that owns the thread. Impersonation is designed to meet the security requirements of client/server applications. When running in a client's security context, a service "is" the client, to some degree. One of the service's threads uses an access token representing the client's credentials to obtain access to the objects to which the client has access. + +The primary reason for impersonation is to cause access checks to be performed against the client's identity. Using the client's identity for access checks can cause access to be either restricted or expanded, depending on what the client has permission to do. 
+ +Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. + +Constant: SeImpersonatePrivilege + +### Possible values + +- User-defined list of accounts + +- Default values + +- Not defined + +### Best practices + +- A user can impersonate an access token if any of the following conditions exist: + + - The access token that is being impersonated is for this user. + + - The user in this session logged on to the network with explicit credentials to create the access token. + + - The requested level is less than Impersonate, such as Anonymous or Identify. + + Because of these factors, users do not usually need to have this user right assigned. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, this setting is Administrators, Local Service, Network Service, and Service on domain controllers and stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not eefined

Default Domain Controller Policy

Administrators

+

Local Service

+

Network Service

+

Service

Stand-Alone Server Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

Domain Controller Effective Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

Member Server Effective Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

Client Computer Effective Default Settings

Administrators

+

Local Service

+

Network Service

+

Service

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An attacker with the **Impersonate a client after authentication** user right could create a service, mislead a client into connecting to the service, and then impersonate that computer to elevate the attacker's level of access to that of the device. + +### Countermeasure + +On member servers, ensure that only the Administrators and Service groups (Local Service, Network Service, and Service) have the **Impersonate a client after authentication** user right assigned to them. + +### Potential impact + +In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + 
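Review bot: the Default Domain Policy row of the default-values table reads "Not eefined"; it should be "Not defined", matching the Possible values list above it. In the Vulnerability paragraph, "impersonate that computer to elevate the attacker's level of access to that of the device" is confusing: what the attacker impersonates is the client that was misled into connecting, and the access gained is that client's, which the Reference section already notes could be administrative or system level. Suggest rewording to "...and then impersonate that client to elevate the attacker's level of access to that of the client." The Countermeasure paragraph should also say what to do on domain controllers and client computers, since the table lists the same four defaults (Administrators, Local Service, Network Service, Service) for them but the countermeasure text only covers member servers.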
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md new file mode 100644 index 0000000000..e7c4e15101 --- /dev/null +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -0,0 +1,398 @@ +--- +title: Implement Microsoft Passport in your organization (Windows 10) +description: You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. +ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Implement Microsoft Passport in your organization + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can create a Group Policy or mobile device management (MDM) policy that will implement Microsoft Passport on devices running Windows 10. + +**Important**   +The Group Policy setting **Turn on PIN sign-in** does not apply to Windows 10. Use **Microsoft Passport for Work** policy settings to manage PINs. + +  + +## Group Policy settings for Passport + + +The following table lists the Group Policy settings that you can configure for Passport use in your workplace. These policy settings are available in **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Passport for Work**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyOptions
Use Microsoft Passport for Work +

Not configured: Users can provision Passport for Work, which encrypts their domain password.

+

Enabled: Device provisions Passport for Work using keys or certificates for all users.

+

Disabled: Device does not provision Passport for Work for any user.

+
Use a hardware security device +

Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+

Enabled: Passport for Work will only be provisioned using TPM.

+

Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+
Use biometrics +

Not configured: Biometrics can be used as a gesture in place of a PIN.

+

Enabled: Biometrics can be used as a gesture in place of a PIN.

+

Disabled: Only a PIN can be used as a gesture.

+
PIN ComplexityRequire digits +

Not configured: Users must include a digit in their PIN.

+

Enabled: Users must include a digit in their PIN.

+

Disabled: Users cannot use digits in their PIN.

+
Require lowercase letters +

Not configured: Users cannot use lowercase letters in their PIN.

+

Enabled: Users must include at least one lowercase letter in their PIN.

+

Disabled: Users cannot use lowercase letters in their PIN.

+
Maximum PIN length +

Not configured: PIN length must be less than or equal to 127.

+

Enabled: PIN length must be less than or equal to the number you specify.

+

Disabled: PIN length must be less than or equal to 127.

+
Minimum PIN length +

Not configured: PIN length must be greater than or equal to 4.

+

Enabled: PIN length must be greater than or equal to the number you specify.

+

Disabled: PIN length must be greater than or equal to 4.

+
Expiration +

Not configured: PIN does not expire.

+

Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.

+

Disabled: PIN does not expire.

+
History +

Not configured: Previous PINs are not stored.

+

Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

+

Disabled: Previous PINs are not stored.

+
Note  Current PIN is included in PIN history.
+
 
+
Require special characters +

Not configured: Users cannot include a special character in their PIN.

+

Enabled: Users must include at least one special character in their PIN.

+

Disabled: Users cannot include a special character in their PIN.

+
Require uppercase letters +

Not configured: Users cannot include an uppercase letter in their PIN.

+

Enabled: Users must include at least one uppercase letter in their PIN.

+

Disabled: Users cannot include an uppercase letter in their PIN.

+
Remote Passport +

Use Remote Passport

+
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 
+
+

Not configured: Remote Passport is disabled.

+

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

+

Disabled: Remote Passport is disabled.

+
+ +## MDM policy settings for Passport + + +The following table lists the MDM policy settings that you can configure for Passport use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=692070). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyScopeDefaultOptions
UsePassportForWorkDeviceTrue +

True: Passport will be provisioned for all users on the device.

+

False: Users will not be able to provision Passport.

+
Note  If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
+
 
+
RequireSecurityDeviceDeviceFalse +

True: Passport will only be provisioned using TPM.

+

False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

+
Biometrics +

UseBiometrics

+
Device False +

True: Biometrics can be used as a gesture in place of a PIN for domain logon.

+

False: Only a PIN can be used as a gesture for domain logon.

+
+

FacialFeaturesUser

+

EnhancedAntiSpoofing

+
DeviceNot configured +

Not configured: users can choose whether to turn on enhanced anti-spoofing.

+

True: Enhanced anti-spoofing is required on devices which support it.

+

False: Users cannot turn on enhanced anti-spoofing.

+
PINComplexity
Digits Device or user2 +

1: Numbers are not allowed.

+

2: At least one number is required.

+
Lowercase letters Device or user1 +

1: Lowercase letters are not allowed.

+

2: At least one lowercase letter is required.

+
Maximum PIN length Device or user127 +

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.

+
Minimum PIN lengthDevice or user4 +

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.

+
Expiration Device or user0 +

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. +

+
HistoryDevice or user0 +

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. +

+
Special charactersDevice or user1 +

1: Special characters are not allowed.

+

2: At least one special character is required.

+
Uppercase lettersDevice or user1 +

1: Uppercase letters are not allowed

+

2: At least one uppercase letter is required

+
Remote +

UseRemotePassport

+
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+
 
+
Device or userFalse +

True: Remote Passport is enabled.

+

False: Remote Passport is disabled.

+
+ +**Note**   +If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. + +  + +## Prerequisites + + +You’ll need this software to set Microsoft Passport policies in your enterprise. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Microsoft Passport modeAzure ADActive Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview)Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview)
Key-based authenticationAzure AD subscription
    +
  • Active Directory Federation Service (AD FS) (Windows Server 2016 Technical Preview)
  • +
  • A few Windows Server 2016 Technical Preview domain controllers on-site
  • +
  • Microsoft System Center 2012 R2 Configuration Manager SP2
  • +
    +
  • Azure AD subscription
  • +
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • +
  • A few Windows Server 2016 Technical Preview domain controllers on-site
  • +
  • A management solution, such as Configuration Manager, Group Policy, or MDM
  • +
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
  • +
Certificate-based authentication
    +
  • Azure AD subscription
  • +
  • Intune or non-Microsoft mobile device management (MDM) solution
  • +
  • PKI infrastructure
  • +
    +
  • ADFS (Windows Server 2016 Technical Preview)
  • +
  • Active Directory Domain Services (AD DS) Windows Server 2016 Technical Preview schema
  • +
  • PKI infrastructure
  • +
  • Configuration Manager SP2, Intune, or non-Microsoft MDM solution
  • +
    +
  • Azure AD subscription
  • +
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • +
  • AD CS with NDES
  • +
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +
+ +  + +Configuration Manager and MDM provide the ability to manage Passport policy and to deploy and manage certificates protected by Passport. + +Azure AD provides the ability to register devices with your enterprise and to provision Passport for organization accounts. + +Active Directory provides the ability to authorize users and devices using keys protected by Passport if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS. + +## Passport for BYOD + + +Passport can be managed on personal devices that your employees use for work purposes using MDM. On personal devices, users can create a personal Passport PIN for unlocking the device and a separate work PIN for access to work resources. + +The work PIN is managed using the same Passport policies that you can use to manage Passport on organization owned devices. The personal PIN is managed separately using DeviceLock policy. DeviceLock policy can be used to control length, complexity, history, and expiration requirements and can be configured using the [Policy configuration service provider](http://go.microsoft.com/fwlink/p/?LinkID=623244). + +## Related topics + + +[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) + +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) + +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Passport successfully created](passport-event-300.md) + +  + +  + + + + + 
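Review bot: the sentence after the Prerequisites table, "if domain controllers are running Windows 10 and the Microsoft Passport provisioning service in Windows 10 AD FS", contradicts the table, which lists "A few Windows Server 2016 Technical Preview domain controllers on-site" and "AD FS (Windows Server 2016 Technical Preview)" as the on-premises requirements; domain controllers do not run Windows 10, so this should read Windows Server 2016 Technical Preview. The table also spells the same products inconsistently ("AD FS" vs "ADFS", "Intune" vs "InTune"); pick one form. Finally, the UsePassportForWork note that users who already provisioned Passport keep using it after the policy is changed to False is a caveat an administrator needs, but the Group Policy row for "Use Microsoft Passport for Work" does not carry it; if the behaviour is the same when the Group Policy setting is changed to Disabled, repeat the note there.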
diff --git a/windows/keep-secure/import-an-applocker-policy-from-another-computer.md b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md new file mode 100644 index 0000000000..f8a57d092a --- /dev/null +++ b/windows/keep-secure/import-an-applocker-policy-from-another-computer.md @@ -0,0 +1,46 @@ +--- +title: Import an AppLocker policy from another computer (Windows 10) +description: This topic for IT professionals describes how to import an AppLocker policy. +ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Import an AppLocker policy from another computer + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to import an AppLocker policy. + +Before completing this procedure, you should have exported an AppLocker policy. For more information, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md). + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**Caution**   +Importing a policy will overwrite the existing policy on that computer. + +  + +**To import an AppLocker policy** + +1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**. + +2. In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**. + +3. The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy. + +4. The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**. + +  + +  + + + + + diff --git a/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md new file mode 100644 index 0000000000..5124290a7d --- /dev/null 
+++ b/windows/keep-secure/import-an-applocker-policy-into-a-gpo.md 
@@ -0,0 +1,48 @@ +--- +title: Import an AppLocker policy into a GPO (Windows 10) +description: This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). +ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Import an AppLocker policy into a GPO + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). + +AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). + +**Important**   +Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md). + +  + +To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + +**To import an AppLocker policy into a GPO** + +1. In the Group Policy Management Console (GPMC), open the GPO that you want to edit. + +2. In the console tree under **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Application Control Policies**, click **AppLocker**. + +3. Right-click **AppLocker**, and then click **Import Policy**. + +4. In the **Import Policy** dialog box, locate the XML policy file, and click **Open**. + +5. The **AppLocker** dialog box will notify you of how many rules were imported. Click **OK**. + +  + +  + + + + + 
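Review bot: the GPO import procedure (steps 1 to 5) never says what happens to AppLocker rules and enforcement settings already present in the GPO, whereas the sibling topic for importing a policy from another computer carries a Caution that "Importing a policy will overwrite the existing policy on that computer" and its step 3 describes the overwrite warning dialog. If the GPMC import behaves the same way, add the same Caution to this topic and have step 5 say whether rules were overwritten as well as imported; if it merges instead, say so explicitly, because an operator reading the two topics side by side will otherwise assume they behave identically. Both topics would also benefit from a sentence advising the reader to export the current policy before importing (the export topic is already linked from the other procedure), so the previous rule set can be restored if the imported XML turns out to be wrong.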
diff --git a/windows/keep-secure/increase-a-process-working-set.md b/windows/keep-secure/increase-a-process-working-set.md new file mode 100644 index 0000000000..de979e2f5a --- /dev/null +++ b/windows/keep-secure/increase-a-process-working-set.md @@ -0,0 +1,140 @@ +--- +title: Increase a process working set (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. +ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Increase a process working set + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Increase a process working set** security policy setting. + +## Reference + + +This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. + +Constant: SeIncreaseWorkingSetPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- You should make users aware that adverse performance issues may occur if they modify this security setting. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, standard users have this right. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Users

Stand-Alone Server Default Settings

Users

Domain Controller Effective Default Settings

Users

Member Server Effective Default Settings

Users

Client Computer Effective Default Settings

Users

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Increasing the working set size for a process decreases the amount of physical memory that is available to the rest of the system. + +### Countermeasure + +Increase user’s awareness about the impact of increasing the working set of a process and how to recognize that their system is adversely affected if they change this setting. + +### Potential impact + +None. Allowing standard users to increase the working set of a process is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/increase-scheduling-priority.md b/windows/keep-secure/increase-scheduling-priority.md new file mode 100644 index 0000000000..62107e69fa --- /dev/null +++ b/windows/keep-secure/increase-scheduling-priority.md 
@@ -0,0 +1,144 @@ +--- +title: Increase scheduling priority (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. +ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Increase scheduling priority + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting. + +## Reference + + +This policy setting determines which user accounts can increase the base priority class of a process. It is not a privileged operation to increase relative priority within a priority class. This user right is not required by administrative tools that are supplied with the operating system, but it might be required by software development tools. + +Specifically, this security setting determines which accounts can use a process with Write Property access to another process to increase the run priority that is assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + +Constant: SeIncreaseBasePriorityPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +- Administrators + +### Best practices + +- Allow the default value, Administrators, as the only account responsible for controlling process scheduling priorities. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A user who is assigned this user right could increase the scheduling priority of a process to Real-Time, which would leave little processing time for all other processes and could lead to a denial-of-service condition. + +### Countermeasure + +Verify that only Administrators have the **Increase scheduling priority** user right assigned to them. + +### Potential impact + +None. Restricting the **Increase scheduling priority** user right to members of the Administrators group is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md new file mode 100644 index 0000000000..80a12f1d0e --- /dev/null +++ b/windows/keep-secure/index.md 
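Review bot: the Default values intro ("By default this setting is Administrators on domain controllers and on stand-alone servers") is narrower than the table directly below it, which lists Administrators for member servers and client computers as well; align the sentence with the table. In the Reference section, "a process with Write Property access to another process" uses a term that is defined nowhere on the page; name the actual process access right or reword it in plain language so readers can map it to what they see in an access control list. Also the Best practices bullet "Allow the default value, Administrators, as the only account responsible for..." should say group rather than account, since Administrators is a group.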
@@ -0,0 +1,100 @@ +--- +title: Keep Windows 10 secure (Windows 10) +description: Learn about keeping Windows 10 and Windows 10 Mobile secure. +ms.assetid: EA559BA8-734F-41DB-A74A-D8DBF36BE920 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Keep Windows 10 secure + + +Learn about keeping Windows 10 and Windows 10 Mobile secure. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)

This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md).

[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)

To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.

[Device Guard certification and compliance](device-guard-certification-and-compliance.md)

Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.

[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)

In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.

[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.

[Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)

In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.

[Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)

Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services.

[Protect derived domain credentials with Credential Guard](credential-guard.md)

Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)

With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.

[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)

Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.

[VPN profile options](vpn-profile-options.md)

Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.

[Security technologies](security-technologies.md)

Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.

[Enterprise security guides](windows-10-enterprise-security-guides.md)

Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides.

+ +  + +## Related topics + + +[Windows 10 and Windows 10 Mobile](../index.md) + +  + +  + + + + + diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md new file mode 100644 index 0000000000..5a4aa84615 --- /dev/null +++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md 
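Review bot: the ms.assetid in this file's front matter is upper-case (EA559BA8-734F-41DB-A74A-D8DBF36BE920) while every other new file in this commit uses lower-case ids (0629ce44-..., b742ad96-..., fbec5973-..., 1166efaf-...), and the earlier hunks in this same commit exist only to lower-case such ids; normalize it here too. The link target use-windows-event-forwarding-to-assist-in-instrusion-detection.md spells "instrusion" while the link text says "intrusion"; confirm the file really has that name, and consider renaming it so the typo does not end up in published URLs. Minor: "%windir%/Fonts" in the fonts row uses a forward slash where a Windows path would use a backslash, and "Pass-the-Hash" and "Pass-The-Ticket" are capitalized differently in the Credential Guard row.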
@@ -0,0 +1,280 @@ +--- +title: Initialize and configure ownership of the TPM (Windows 10) +description: This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. +ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Initialize and configure ownership of the TPM + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to initialize and set the ownership the Trusted Platform Module (TPM), turn the TPM on and off, and clear TPM keys. It also explains how to troubleshoot issues that you might encounter as a result of using these procedures. + +## About TPM initialization and ownership + + +The TPM must be initialized and ownership must be taken before it can be used to help secure your computer. The owner of the TPM is the user who possesses the owner password and is able to set it and change it. Only one owner password exists per TPM. The owner of the TPM can make full use of TPM capabilities. Taking ownership of the TPM can be done as part of the initialization process. + +When you start the TPM Initialization Wizard, which is accessed through the TPM Microsoft Management Console (MMC), you can determine whether the computer's TPM has been initialized. You can also view the TPM properties. + +This topic contains procedures for the following tasks: + +- [Initialize the TPM and set ownership](#bkmk-initializetpm) + +- [Troubleshoot TPM initialization](#bkmk-troubleshootinit) + +- [Turn on or turn off the TPM](#bkmk-onoff) + +- [Clear all the keys from the TPM](#bkmk-clear1) + +- [Use the TPM cmdlets](#bkmk-tpmcmdlets) + +## Initialize the TPM and set ownership + + +Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. 
In addition, the computer must be equipped with a Trusted Computing Group-compliant BIOS. + +**To start the TPM Initialization Wizard** + +1. Open the TPM Management console (tpm.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard. + +3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard. + + **Note**   + If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure. + +   + + **Note**   + If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM. + +   + +4. Click **Restart**. + +5. Follow the BIOS screen prompts. An acceptance prompt is displayed to ensure that a user has physical access to the computer and that no malicious software is attempting to turn on the TPM. + + **Note**   + BIOS screen prompts and the required keystrokes vary by computer manufacturer. + +   + +6. After the computer restarts, sign in to the computer with the same administrative credentials that you used to start this procedure. + +7. The TPM Initialization Wizard automatically restarts. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +8. Continue with the next procedure to take ownership of the TPM. 
+ +To finish initializing the TPM for use, you must set an owner for the TPM. The process of taking ownership includes creating an owner password for the TPM. + +**To set ownership of the TPM** + +1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard). + +2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**. + +3. In the **Save your TPM owner password** dialog box, click **Save the password**. + +4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*. + + **Important**   + We highly recommend saving the TPM owner password to a removable storage device and storing it in a safe location. + +   + +5. Click **Print the password** if you want to print a copy of your password. + + **Important**   + We highly recommend printing a copy of your TPM owner password and storing it in a safe location. + +   + +6. Click **Initialize**. + + **Note**   + The process of initializing the TPM might take a few minutes to complete. + +   + +7. Click **Close**. + + **Caution**   + Do not lose your password. If you do, you will be unable to make administrative changes unless you clear the TPM, which can result in data loss. + +   + +## Troubleshoot TPM initialization + + +Managing the Trusted Platform Module (TPM) is usually a straightforward procedure. If are unable to complete the initialization procedure, review the following information: + +- If the TPM is not detected by Windows, verify that your computer hardware contains a Trusted Computing Group-compliant BIOS. Ensure that no BIOS settings have been used to hide the TPM from the operating system. 
+ +- If you are attempting to initialize the TPM as part of the BitLocker setup, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then try to initialize the TPM. The following table lists the three standard TPM drivers that are provided by Microsoft. + + + + + + + + + + + + + + + + + + + + + + + + + + +
Driver nameManufacturer

Trusted Platform Module 1.2

(Standard)

Broadcom Trusted Platform Module (A1), v1.2

Broadcom

Broadcom Trusted Platform Module (A2), v1.2

Broadcom

+ +   + +- If the TPM has been previously initialized and you do not have the owner password, you may have to clear or reset the TPM to the factory default values. For more information, see [Clear all the keys from the TPM](#bkmk-clear1). + + **Caution**   + Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. + +   + +Because your TPM security hardware is a physical part of your computer, you may want to read the manuals or instructions that came with your computer, or search the manufacturer's website. + +**Network connection** + +You cannot complete the initialization of the Trusted Platform Module (TPM) when your computer is disconnected from your organization's network if either of the following conditions exist: + +- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. + +- A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). + +In either case, an error message appears, and you cannot complete the initialization process. To avoid this issue, initialize the TPM while you are connected to the corporate network and you can contact a domain controller. + +**Systems with multiple TPMs** + +Some systems may have multiple TPMs and the active TPM may be toggled in the BIOS. Windows 10 does not support this behavior. If you switch TPMs, functionality that depends on the TPM will not work with the new TPM unless it is cleared and put through provisioning. Performing this clear may cause data loss, in particular of keys and certificates associated with the previous TPM. 
For example, toggling TPMs will cause Bitlocker to enter recovery mode. It is strongly recommended that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. + +## Turn on or turn off the TPM + + +Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. + +### Turn on the TPM + +If the TPM has been initialized but has never been used, or if you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. + +**To turn on the TPM** + +1. Open the TPM MMC (tpm.msc). + +2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. + +3. Click **Shutdown** (or **Restart**), and then follow the BIOS screen prompts. + + After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM. + +### Turn off the TPM + +If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. If you have the TPM owner password, physical access to the computer is not required to turn off the TPM. If you do not have the TPM owner password, you must have physical access to the computer to turn off the TPM. + +**To turn off the TPM** + +1. Open the TPM MMC (tpm.msc). + +2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. + +3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: + + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. 
In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. + + - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. + + - If you do not know your TPM owner password, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent BIOS screens to turn off the TPM without entering the password. + +## Clear all the keys from the TPM + + +Clearing the TPM resets it to an unowned state. After clearing the TPM, you need to complete the TPM initialization process before using software that relies on the TPM, such as BitLocker Drive Encryption. By default, the TPM is initialized automatically. + +**Important**   +Clearing the TPM can result in data loss. To avoid data loss, make sure that you have a backup or recovery method for any data that is protected or encrypted by the TPM. + +  + +After the TPM is cleared, it is also turned off. + +To temporarily suspend TPM operations, turn off the TPM instead of clearing it. + +Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. + +**To clear the TPM** + +1. Open the TPM MMC (tpm.msc). + +2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +3. Under **Actions**, click **Clear TPM**. + + **Warning**   + If the TPM is off, reinitialize it before clearing it. + + Clearing the TPM resets it to factory defaults and turns it off. You will lose all created keys and data that is protected by those keys. + +   + +4. 
In the **Clear the TPM security hardware** dialog box, select one of the following methods to enter your password and clear the TPM: + + - If you have the removable storage device with your saved TPM owner password, insert it, and click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, use **Browse** to navigate to the .tpm file that is saved on your removable storage device. Click **Open**, and then click **Clear TPM**. + + - If you do not have the removable storage device with your saved password, click **I want to enter the owner password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and click **Clear TPM**. + + - If you do not know your TPM owner password, click **I don't have the TPM owner password**, and follow the instructions that are provided to clear the TPM without entering the password. + + **Note**   + If you have physical access to the computer, you can clear the TPM and perform a limited number of management tasks without entering the TPM owner password. + +   + + The status of your TPM is displayed under **Status** in TPM MMC. + +## Use the TPM cmdlets + + +If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + +**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + +## Additional resources + + +For more info about TPM, see [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md#bkmk-additionalresources). + +  + +  + + + + + diff --git a/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md new file mode 100644 index 0000000000..b7e631595a --- /dev/null 
+++ b/windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md 
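Review bot: in initialize-and-configure-ownership-of-the-tpm.md the in-page links #bkmk-initializetpm, #bkmk-troubleshootinit, #bkmk-onoff, #bkmk-clear1, #bkmk-tpmcmdlets, #bkmk-setownership and #bkmk-starttpminitwizard have no matching anchors anywhere in the file; the headings and bold procedure titles they point at carry no id, so the links will not resolve. Either add explicit anchors before each target or point the links at the generated heading ids. The page also contradicts itself on whether initialization is manual: the opening section says the TPM must be initialized and ownership taken before it can be used and walks through the **Initialize TPM** wizard, while the Clear section says "By default, the TPM is initialized automatically"; state which applies on Windows 10 and frame the wizard procedure accordingly. Smaller fixes: the front-matter description is missing a word ("set the ownership the Trusted Platform Module"), the Turn off the TPM step "select a method to enter your owner password and turning off the TPM" should read "and turn off the TPM", and the DISM feature name tpm-psh-cmdlets plus the linked jj603116 page should be confirmed against Windows 10, since the Applies to list is Windows 10 only.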
@@ -0,0 +1,87 @@ +--- +title: Install digital certificates on Windows 10 Mobile (Windows 10) +description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. +ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25 +keywords: ["S/MIME", "PFX", "SCEP"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Install digital certificates on Windows 10 Mobile + + +**Applies to** + +- Windows 10 Mobile + +Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. + +Certificates in Windows 10 Mobile are primarily used for the following purposes: + +- To create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service. +- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email. +- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site). + +## Install certificates using Internet Explorer + + +A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. + +## Install certificates using email + + +The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx files. To install certificates via email, make sure your mail filters do not block .cer files. Certificates that are sent via email appear as message attachments. 
When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it. + +## Install certificates using mobile device management (MDM) + + +Windows 10 Mobile supports root, CA, and client certificate to be configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate-based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. + +**Warning**   +Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see [Enable access to company resources using certificate profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=718216). + +  + +**Process of installing certificates using MDM** + +1. The MDM server generates the initial cert enroll request including challenge password, SCEP server URL, and other enrollment related parameters. +2. The policy is converted to the OMA DM request and sent to the device. +3. The trusted CA certificate is installed directly during MDM request. +4. The device accepts certificate enrollment request. +5. The device generates private/public key pair. +6. The device connects to Internet facing point exposed by MDM server. +7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device. 
+ + **Note**   + The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either: + + A certificate is successfully received from the server + + The server returns an error + + The number of retries reaches the preconfigured limit + +   + +8. The cert is installed in the device. Browser, Wi-Fi, VPN, email, and other first party applications have access to this certificate. + + **Note**   + If MDM requested private key being stored in Trusted Process Module (TPM) (configured during enrollment request), the private key will be saved in TPM. Note that SCEP enrolled cert protected by TPM isn’t guarded by a PIN. However, if the certificate is imported to the Passport for Work Key Storage Provider (KSP), it is guarded by the Passport PIN. + +   + +## Related topics + + +[Configure S/MIME](configure-s-mime.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md new file mode 100644 index 0000000000..fc7f8995ad --- /dev/null +++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md 
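Review bot: step 7 of the enrollment process says "MDM server creates a certificate that is signed with proper CA certificate", which contradicts the preceding paragraph, where the device enrolls "with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP)"; say which component actually issues the certificate so the trust boundary is clear to the reader. The Note under step 8 says "Trusted Process Module (TPM)", which should be Trusted Platform Module, and its statement that a SCEP-enrolled certificate protected by the TPM is not guarded by a PIN is important enough to state up front, next to the enrollment request parameters in step 1, rather than only in a trailing note. Minor: "SCEP enrolled", "first party" and "Internet facing" read better hyphenated as compound modifiers, and "Secure Sockets Layer (SSL)" in the purposes list could name TLS.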
@@ -0,0 +1,146 @@ +--- +title: Interactive logon Display user information when the session is locked (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. +ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Display user information when the session is locked + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. + +## Reference + + +When a session is locked in a Windows operating system (meaning the user at the computer pressed CTRL+ALT+DEL and the Secure Desktop is displayed), user information is displayed. By default, this information is in the form of **<user name> is logged on**. The displayed user name is the user’s full name as set on the Properties page for that user. These settings do not apply to the logon tiles, which are displayed on the desktop after using the **Switch User** feature. The information that is displayed can be changed to meet your security requirements using the following possible values. + +### Possible values + +- **User display name, domain and user names** + + If this is a local logon, the user’s full name is displayed on the Secure Desktop. If it is a domain logon, the user’s domain and user’s account name is displayed. + +- **User display name only** + + The name of the user who locked the session is displayed on the Secure Desktop as the user’s full name. + +- **Do not display user information** + + No names are displayed on the Secure Desktop, but user’s full names will be displayed on the **Switch user** desktop. + +- Blank. + + Default setting. 
This translates to “Not defined,” but it will display the user’s full name in the same manner as the **User display name, domain and user names** option. When an option is set, you cannot reset this policy to blank, or not defined. + +### Best practices + +Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. + +Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

User display name, domain and user names

Member server effective default settings

User display name, domain and user names

Effective GPO default settings on client computers

User display name, domain and user names

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When a computer displays the Secure Desktop in an unsecured area, certain user information can be readily available to anyone looking at the monitor, either physically or through a remote connection. The displayed user information could include the domain user account name or the full name of the user who locked the session or who had logged on last. + +### Countermeasure + +Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. + +You might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. 
+ +### Potential impact + +If you do not enable this policy, the effect will be the same as enabling the policy and selecting the **User display name, domain and user names** option. + +If the policy is enabled and set to **Do not display user information**, an observer cannot see who is logged onto the Secure Desktop, but the logon tile is still present if the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy is not enabled. Depending on how the logon tiles are configured, they could provide visual clues as to who is logged on. In addition, if the Interactive logon: Do not display last user name policy is not enabled, then the **Switch user** feature will show user information. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md new file mode 100644 index 0000000000..c8547849bb --- /dev/null +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md 
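Review bot: the Countermeasure and Potential impact sections speak of "Enabling this policy setting" and "If you do not enable this policy", but the Possible values list shows this is a four-way selection with no Enabled/Disabled state, so a reader cannot tell which value the countermeasure means. Suggest naming it: `Set this policy to **Do not display user information** to hide the name of the user who locked the session from the Secure Desktop`, and in Potential impact `If you leave this policy blank (Not defined), the effect is the same as selecting **User display name, domain and user names**`. Smaller point: the Vulnerability section says the displayed information could include the user "who had logged on last"; that exposure belongs to the linked Interactive logon: Do not display last user name setting, and this paragraph should keep to the locked-session case it governs.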
@@ -0,0 +1,136 @@ +--- +title: Interactive logon Do not display last user name (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. +ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Do not display last user name + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting. + +## Reference + + +This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop. + +If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the **Switch user** feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password. + +If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the **Switch user** feature is used. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. 
+ +Depending on your security policy, you might also want to enable the [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. + +### Countermeasure + +Enable the **Interactive logon: Do not display last user name** setting. + +### Potential impact + +Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md new file mode 100644 index 0000000000..daac336396 --- /dev/null +++ b/windows/keep-secure/interactive-logon-do-not-require-ctrl-alt-del.md 
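Review bot: the Best practices cross-reference is wrong in a way that could lead an administrator to a false sense of coverage: it says to "enable the Interactive logon: Display user information when the session is locked policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started", but that setting is not an enable/disable switch, and two of its values (**User display name, domain and user names** and **User display name only**) still show the name on the Secure Desktop. Suggest: `you might also want to set Interactive logon: Display user information when the session is locked to **Do not display user information**, which hides the name of the user who locked the session`. The Vulnerability paragraph here is the clearest in this batch (username disclosure reduces the attacker's job to password guessing); the Potential impact could note the corresponding trade-off, that users must know their qualified domain account name, since the Reference paragraph already states the logon screen will ask for it.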
@@ -0,0 +1,142 @@ +--- +title: Interactive logon Do not require CTRL+ALT+DEL (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. +ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Do not require CTRL+ALT+DEL + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. + +## Reference + + +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + +If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). + +Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. 
The attacker can then log on to the compromised account with whatever level of user rights that user has. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Disabled**. Unless they are using a smart card to log on, users will have to simultaneously press three keys before the logon dialog box appears. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key combination is required to authenticate if this policy is disabled. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +This setting makes it easier for users with certain types of physical impairments to log on to devices that run the Windows operating system. However, if users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. + +If this setting is enabled, an attacker could install malware that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has. + +### Countermeasure + +Disable the **Interactive logon: Do not require CTRL+ALT+DEL** setting. + +### Potential impact + +Unless they use a smart card to log on, users must simultaneously press the three keys before the logon dialog box is displayed. 
+ +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md new file mode 100644 index 0000000000..871200c86d --- /dev/null +++ b/windows/keep-secure/interactive-logon-machine-account-lockout-threshold.md 
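Review bot: the Best practices bullet names the setting **Disable CTRL+ALT+DEL requirement for logon**, which matches neither the page title nor the Countermeasure section (both use **Interactive logon: Do not require CTRL+ALT+DEL**); align the bullet with the title so readers searching the policy editor find it. Two smaller points in Reference: the sentence "Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path" appears twice (second paragraph and again in the "Microsoft developed this feature..." paragraph), so drop one copy; and the Policy conflict considerations entry ("Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key combination is required to authenticate if this policy is disabled") restates the setting's own behaviour rather than a conflict with another policy, so either name the conflicting setting or write "None." as the sibling pages do.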
@@ -0,0 +1,132 @@ +--- +title: Interactive logon Machine account lockout threshold (Windows 10) +description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. +ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Machine account lockout threshold + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting. + +## Reference + + +Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes. + +The security setting allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. + +Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts. + +### Possible values + +You can set the **invalid logon attempts** value between 1 and 999. Values from 1 to 3 are interpreted as 4. If you set the value to 0, or leave blank, the computer or device will never be locked as a result of this policy setting. 
+ +### Best practices + +Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. + +### Group Policy + +Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled. + +When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +This policy setting helps protect a BitLocker-encrypted device from attackers attempting to brute-force guess the Windows sign-in password. If not set, then attackers can attempt innumerable passwords, if no other account protection mechanisms are in place. + +### Countermeasure + +Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. + +### Potential impact + +If not set, the device could be compromised by an attacker using brute-force password cracking software. 
+ +If set too low, productivity might be hindered because users who become locked out will be unable to access the device without providing the 48-digit BitLocker recovery password. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-machine-inactivity-limit.md b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md new file mode 100644 index 0000000000..ac48acba83 --- /dev/null +++ b/windows/keep-secure/interactive-logon-machine-inactivity-limit.md 
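Review bot: the Default values table lists "Disabled" for the stand-alone, DC, member server and client effective defaults, but Possible values says this setting takes a number from 1 to 999, blank or 0; "Disabled" is not a value the setting has. Suggest "Not defined" (or "0") so the table matches the values section. Also, the first Reference paragraph calls the setting **Interactive logon: Machine account threshold** (missing "lockout"), and the Best practices and Countermeasure paragraphs are word-for-word identical (the Account lockout threshold 4 / Machine account lockout threshold 6 example). The Countermeasure copy would be more useful if it said why the ordering matters: keep the account threshold below the machine threshold so that repeated bad passwords lock the user account, which an administrator can unlock, before they invalidate the TPM protector and force the 48-digit BitLocker recovery password described in Reference.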
@@ -0,0 +1,126 @@ +--- +title: Interactive logon Machine inactivity limit (Windows 10) +description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. +ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Machine inactivity limit + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting. + +## Reference + + +Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy. + +### Possible values + +The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours). + +If no value (blank) or zero (0) is present in the **Machine will be locked after** input field, then the policy setting is disabled and no action is taken on user-input inactivity for the session. + +### Best practices + +Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +Restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. + +### Group Policy + +Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those computers that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +This policy setting helps you prevent unauthorized access to devices under your control when the currently signed-in user leaves without deliberately locking the desktop. In versions earlier than Windows Server 2012 and Windows 8, the desktop-locking mechanism was set on individual computers in Personalization in Control Panel. + +### Countermeasure + +Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements. + +### Potential impact + +This security policy setting can limit unauthorized access to unsecured computers; however, that requirement must be balanced with the productivity requirements of the intended user. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md new file mode 100644 index 0000000000..c3ae488699 --- /dev/null 
+++ b/windows/keep-secure/interactive-logon-message-text-for-users-attempting-to-log-on.md 
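Review bot: typo in Best practices: "if the device or device is in a public area" should read "if the device is in a public area". The Vulnerability section describes what the setting does and where the control lived before Windows 8, but never states the exposure; one sentence such as "an unattended, unlocked session lets anyone with physical or remote console access act as the signed-in user" would let the Countermeasure paragraph follow from it. Finally, the Group Policy paragraph says the setting "can only be set locally on those computers that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy"; the two halves contradict each other, so say plainly that the setting can be edited on Windows 8 / Windows Server 2012 and later, and state what happens on earlier versions that receive it through a GPO.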
@@ -0,0 +1,150 @@ +--- +title: Interactive logon Message text for users attempting to log on (Windows 10) +description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Message text for users attempting to log on security policy setting. +ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Message text for users attempting to log on + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. + +## Reference + + +The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. + +Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. + +When these policy settings are configured, users will see a dialog box before they can log on to the server console. 
+ +### Possible values + +The possible values for this setting are: + +- User-defined text + +- Not defined + +### Best practices + +- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: + + 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. + + 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. + +**Important**   +Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. + +  + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes different requirements to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +There are two policy settings that relate to logon displays: + +- **Interactive logon: Message text for users attempting to log on** + +- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) + +The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. + +### Vulnerability + +Users often do not understand the importance of security practices. However, the display of a warning message before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. + +### Countermeasure + +Configure the **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) settings to an appropriate value for your organization. + +**Note**   +Any warning message that displays should be approved by your organization's legal and human resources representatives. 
+ +  + +### Potential impact + +Users see a message in a dialog box before they can log on to the server console. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md new file mode 100644 index 0000000000..7c09c135ab --- /dev/null +++ b/windows/keep-secure/interactive-logon-message-title-for-users-attempting-to-log-on.md 
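Review bot: the "Potential impact" line in this hunk, "Users see a message in a dialog box before they can log on to the server console.", narrows the effect to servers, although the sibling topics in this change are scoped to Windows 10 and the banner is shown at the logon screen of every device the GPO reaches, clients included; suggest "before they can log on to the device". Two consistency points: the "Policy management" intro here reads "This section describes different requirements to help you manage this policy." while the other new topics in this change use "This section describes features and tools that are available to help you manage this policy.", so pick one wording; and this topic has no "Policy conflict considerations" or "Group Policy" subsections under Policy management where the cache, password-expiration, DC-authentication and smart-card topics do, so either add them here or drop them there so the template is applied uniformly.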
@@ -0,0 +1,149 @@ +--- +title: Interactive logon Message title for users attempting to log on (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting. +ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Message title for users attempting to log on + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. + +## Reference + + +This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. + +The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. + +Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. + +When these policy settings are configured, users will see a dialog box before they can log on to the server console. 
+ +### Possible values + +- *User-defined title* + +- Not defined + +### Best practices + +1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: + + - RESTRICTED SYSTEM + + or + + - WARNING: This system is restricted to authorized users. + +2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +There are two policy settings that relate to logon displays: + +- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) + +- **Interactive logon: Message title for users attempting to log on** + +The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. + +### Vulnerability + +Users often do not understand the importance of security practices. However, the display of a warning message with an appropriate title before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. + +### Countermeasure + +Configure the [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) and **Interactive logon: Message title for users attempting to log on** settings to an appropriate value for your organization. 
+ +**Note**   +Any warning message that displays should be approved by your organization's legal and human resources representatives. + +  + +### Potential impact + +Users see a message in a dialog box before they can log on to the server console. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md new file mode 100644 index 0000000000..2fa2d1f18d --- /dev/null +++ b/windows/keep-secure/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md 
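Review bot: the opening sentence of "Reference" is a copy-and-paste error: "This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**." names the title setting as the window's contents; the window contains the message text, so it should end "...the window that contains the **Interactive logon: Message text for users attempting to log on** message." The claim "Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers." is an unsourced legal assertion in a configuration reference; either cite the precedent or soften it to the "Many organizations use this text for legal purposes" wording that the Security considerations section of the same topic already uses. Minor: the Best practices list is numbered although items 1 and 2 are not ordered steps, and "Users see a message in a dialog box before they can log on to the server console." should say "device", since the topic's Applies to is Windows 10.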
@@ -0,0 +1,146 @@ +--- +title: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Number of previous logons to cache (in case domain controller is not available) security policy setting. +ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Number of previous logons to cache (in case domain controller is not available) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. + +## Reference + + +The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. This policy setting determines the number of unique users whose logon information is cached locally. + +If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message: + +A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available. + +If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: + +The system cannot log you on now because the domain *DOMAIN NAME* is not available. 
+ +The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. + +Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. + +### Possible values + +- A user-defined number from 0 through 50 + +- Not defined + +### Best practices + +It is advisable to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers. If the value is set to 0, users will be unable to log on to any computers if there is no domain controller available to authenticate them. Organizations might want to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 2 for end-user systems, especially for mobile users. Setting this value to 2 means that the user's logon information will still be in the cache even if a member of the IT department has recently logged on to their device to perform system maintenance. This way, those users will be able to log on to their devices when they are not connected to the corporate network. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

10 logons

DC Effective Default Settings

10 logons

Member Server Effective Default Settings

10 logons

Client Computer Effective Default Settings

10 logons

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. + +Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. + +To mitigate this type of attack, Windows encrypts the information and obscures its physical location. + +### Countermeasure + +Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of logon information. Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers. 
+ +### Potential impact + +Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md new file mode 100644 index 0000000000..55d44d3f87 --- /dev/null +++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md 
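Review bot: the mitigation claim in "Reference", "Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.", does not describe a real control and contradicts the Security considerations wording "To mitigate this type of attack, Windows encrypts the information and obscures its physical location."; the registry is not "spread across numerous physical locations", and obscurity is no mitigation against the attacker the paragraph itself describes, one who can already read the file system. Suggest one accurate sentence in both places: the cached verifiers live in the registry's SECURITY hive, are readable only by SYSTEM (so the attack needs local administrator rights or offline access to the disk), and are one-way values that cannot be turned back into the password, but can be brute-forced offline, which is why the countermeasure is a value of 0 or a small number together with strong passwords. Also, "The value of this policy setting indicates the number of users whose logon information the server caches locally" and the Vulnerability text say "the server" throughout, while the default table lists "Client Computer Effective Default Settings 10 logons" and laptops are exactly where cached logons matter; use "device". Typo in Vulnerability: "whose logon information is cache locally by the servers" should be "cached". The Best practices paragraph recommends 0 and, in the same paragraph, 2 for mobile users; split it into the hardened default (0) and the documented exception (2) so that Countermeasure and Potential impact, which repeat both halves, line up with it.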
@@ -0,0 +1,134 @@ +--- +title: Interactive logon Prompt user to change password before expiration (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Prompt user to change password before expiration security policy setting. +ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Prompt user to change password before expiration + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. + +## Reference + + +The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. + +### Possible values + +- A user-defined number of days from 0 through 999. + +- Not defined. + +### Best practices + +1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on. + +2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain. + +3. Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

14 days *

DC Effective Default Settings

14 days *

Member Server Effective Default Settings

14 days *

Client Computer Effective Default Settings

14 days *

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections. + +### Countermeasure + +Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days. + +### Potential impact + +Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
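Review bot: the recommended value is inconsistent within this topic: Best practices step 2 says "Set **Interactive logon: Prompt user to change password before expiration** to 5 days." and describes the prompt at "5 or fewer days", while Countermeasure says "Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days." and Potential impact describes the prompt at "14 or fewer days"; pick one value (14 matches the effective default in the table) and use it in all three places. The default table entries read "14 days *" but no footnote explains the asterisk; add the footnote or remove the marker. Minor: the Best practices list is numbered although item 1 is a prerequisite, item 2 the setting and item 3 a caution rather than ordered steps, and the Vulnerability paragraph repeats item 1 almost word for word.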
diff --git a/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md new file mode 100644 index 0000000000..d32bae622c --- /dev/null +++ b/windows/keep-secure/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md 
@@ -0,0 +1,138 @@ +--- +title: Interactive logon Require Domain Controller authentication to unlock workstation (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require Domain Controller authentication to unlock workstation security policy setting. +ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Require Domain Controller authentication to unlock workstation + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. + +## Reference + + +Unlocking a locked device requires logon information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it is necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. + +The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. 
+ +When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process. This means not only that user rights are not updated, but more importantly that disabled accounts are still able to unlock the console of the system. + +It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. User privileges are not updated, and disabled accounts are still able to unlock the console of the device + +### Countermeasure + +Configure the **Interactive logon: Require Domain Controller authentication to unlock workstation** setting to Enabled and configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0. 
+ +### Potential impact + +When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) cannot log on. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md new file mode 100644 index 0000000000..275ffa00b6 --- /dev/null +++ b/windows/keep-secure/interactive-logon-require-smart-card.md 
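Review bot: the "However" sentence in "Reference" is ambiguous about which case it qualifies: "Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)] is set to a value greater than zero, the user's cached credentials will be used to unlock the system." If the intent is that a non-zero cache count lets a user unlock even when this setting is Enabled, say so explicitly, because that is the only reading under which the Best practices advice to also set the cache count to 0 is necessary; if it only elaborates the Disabled case, fold it into the preceding sentence. The topic also duplicates itself: the "It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled ... users cannot unlock their devices." paragraph in Reference is repeated word for word as the single Best practices bullet, and the Vulnerability paragraph repeats the two Reference paragraphs about in-memory cached credentials; keep one copy in each place. Cross-topic: the Countermeasure here says to set the cache count to 0 flatly, while the cache topic in this same change recommends 2 for mobile users; the Potential impact here already names that cost, so the Countermeasure should point to the trade-off. Style: the Vulnerability paragraph ends without a period after "unlock the console of the device".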
@@ -0,0 +1,134 @@ +--- +title: Interactive logon Require smart card (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. +ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Require smart card + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting. + +## Reference + + +The **Interactive logon: Require smart card** policy setting requires users to log on to a device by using a smart card. + +Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it extremely difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. 
This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +It can be difficult to make users choose strong passwords, and even strong passwords are vulnerable to brute-force attacks if an attacker has sufficient time and computing resources. + +### Countermeasure + +For users with access to computers that contain sensitive data, issue smart cards to users and configure the **Interactive logon: Require smart card** setting to Enabled. + +### Potential impact + +All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
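Review bot: the Best practices bullet overstates the scope of the setting: "Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network." whereas Potential impact correctly says "All users of a device with this setting enabled must use smart cards to log on locally."; the setting governs interactive logon on the devices that receive it, not network logon, so align the bullet with Potential impact. In Reference, "with today's technology, it is nearly impossible for a malicious user to impersonate another user" is an unsupported absolute; smart cards raise the bar (possession plus PIN, as the next sentence says) but do not make impersonation impossible, so drop "nearly impossible" and keep the two-factor argument. The same paragraph opens with two sentences about long, complex passwords that belong to the password-policy topics rather than to this setting; start it at "Using smart cards rather than passwords...". Minor: the closing sentence about captured authentication traffic ("will find it extremely difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated") does not say what is encrypted under which key; either name the protocol behaviour being described or cut it.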
diff --git a/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md new file mode 100644 index 0000000000..59ca4aad03 --- /dev/null +++ b/windows/keep-secure/interactive-logon-smart-card-removal-behavior.md 
@@ -0,0 +1,150 @@ +--- +title: Interactive logon Smart card removal behavior (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting. +ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Interactive logon: Smart card removal behavior + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. + +## Reference + + +This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. + +If smart cards are used for authentication, the device should automatically lock itself when the card is removed—that way, if users forget to manually lock their devices when they are away from them, malicious users cannot gain access. + +If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. + +### Possible values + +- No Action + +- Lock Workstation + + If you select this, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. + +- Force Logoff + + If you select this, the user is automatically logged off when the smart card is removed. + +- Disconnect if a remote Remote Desktop Services session + + If you select this, removal of the smart card disconnects the session without logging the user off. 
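Review bot: the Possible values list has a doubled word, "Disconnect if a remote Remote Desktop Services session"; it should read "Disconnect if a Remote Desktop Services session". The same list spells the last entry "Not Defined" while every other topic in this change and this topic's own default table use "Not defined". The Force Logoff explanation appears three times, in Reference ("If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed."), under Possible values and again under Countermeasure, and the Lock Workstation explanation appears in Possible values, Best practices and Countermeasure; keep each once and let the other sections refer to it. A question for the author: does enforcement of this setting depend on the Smart Card Removal Policy service running on the device? If it does, the Policy management section should say so, because a stopped or disabled service would leave the workstation unlocked on card removal regardless of the configured value, which is the exact exposure the Vulnerability paragraph describes.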
This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. + +- Not Defined + +### Best practices + +- Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. This allows users to leave the area, take their smart card with them, and still maintain a protected session. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

No Action

DC Effective Default Settings

No Action

Member Server Effective Default Settings

No Action

Client Computer Effective Default Settings

No Action

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials. + +### Countermeasure + +Configure the **Interactive logon: Smart card removal behavior** setting to **Lock Workstation**. + +If you select **Lock Workstation** for this policy setting, the device locks when the smart card is removed. Users can leave the area, take their smart card with them, and still maintain a protected session. This behavior is similar to the setting that requires users to log on when resuming work on the device after the screen saver has started. + +If you select **Force Logoff** for this policy setting, the user is automatically logged off when the smart card is removed. 
This setting is useful when a device is deployed as a public access point, such as a kiosk or other type of shared device + +### Potential impact + +If you select **Force Logoff**, users must insert their smart cards and enter their PINs when they return to their workstations. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/kerberos-policy.md b/windows/keep-secure/kerberos-policy.md new file mode 100644 index 0000000000..7462552b9e --- /dev/null +++ b/windows/keep-secure/kerberos-policy.md 
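Review bot: In interactive-logon-smart-card-removal-behavior.md, the fourth entry under "Possible values" reads `- Disconnect if a remote Remote Desktop Services session`; the doubled "remote" looks like a typo, and the value name should match the policy UI, so drop one of the two words. The "Potential impact" section covers only **Force Logoff**, even though "Best practices" and "Countermeasure" both recommend **Lock Workstation**; add a sentence on what the recommended value means for users (the workstation is locked and must be unlocked on return) so the recommended setting is not left without an impact statement. The Lock Workstation description is also repeated verbatim three times (Possible values, Best practices, Countermeasure); stating it once and referring back would tighten the page. Minor: the last sentence of the Countermeasure section, `such as a kiosk or other type of shared device`, is missing its terminating period.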
@@ -0,0 +1,78 @@ +--- +title: Kerberos Policy (Windows 10) +description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. +ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Kerberos Policy + + +**Applies to** + +- Windows 10 + +Describes the Kerberos Policy settings and provides links to policy setting descriptions. + +The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this also increases the authorization overhead. In most environments, these settings should not need to be changed. + +These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. + +The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), countermeasures you can take, and the potential impact for each setting. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Enforce user logon restrictions](enforce-user-logon-restrictions.md)

Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting.

[Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting.

[Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting.

[Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting.

[Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting.

+ +  + +## Related topics + + +[Configure security policy settings](how-to-configure-security-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/load-and-unload-device-drivers.md b/windows/keep-secure/load-and-unload-device-drivers.md new file mode 100644 index 0000000000..b76083e989 --- /dev/null +++ b/windows/keep-secure/load-and-unload-device-drivers.md 
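Review bot: In kerberos-policy.md, the "In this section" table is inconsistent: the row for Maximum lifetime for user ticket ends with "policy setting" while every other row ends with "security policy setting"; align the wording. In the introduction, `security considerations (including the possible settings vulnerabilities of each setting)` reads awkwardly; "the possible vulnerabilities of each setting" says the same thing. The sentence `By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker` would be more useful if it named which of the listed topics it refers to (the service ticket, user ticket and ticket renewal lifetimes), since this overview is the only place that reasoning is given.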
@@ -0,0 +1,153 @@ +--- +title: Load and unload device drivers (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. +ms.assetid: 66262532-c610-470c-9792-35ff4389430f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Load and unload device drivers + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Load and unload device drivers** security policy setting. + +## Reference + + +This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. + +Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices. + +Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. + +Constant: SeLoadDriverPrivilege + +### Possible values + +- User-defined list of accounts + +- Default values + +- Not Defined + +### Best practices + +- Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

+

Print Operators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

+

Print Operators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures. + +**Note**   +You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing. + +  + +### Countermeasure + +Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins. + +### Potential impact + +If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. 
You should ensure that delegated tasks are not negatively affected. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/lock-pages-in-memory.md b/windows/keep-secure/lock-pages-in-memory.md new file mode 100644 index 0000000000..6454978bd9 --- /dev/null +++ b/windows/keep-secure/lock-pages-in-memory.md 
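Review bot: In load-and-unload-device-drivers.md, the "Countermeasure" section says that on domain controllers the right should go to no group `other than Domain Admins`, but the "Default values" table lists Administrators and Print Operators as the Default Domain Controller Policy value, and the Note under "Vulnerability" explains why Print Operators needs it (installing and managing local printers); either the countermeasure should say Administrators, matching the table and the member-server guidance, or "Potential impact" should spell out that removing the right from Print Operators on DCs breaks printer administration. In the Reference section, `users needed to manually configure devices before attaching them to the device` uses "device" for both the peripheral and the computer; the second should be "computer". The "Possible values" list also contains a "Default values" entry, which is a section name rather than a value; lock-pages-in-memory.md in this same change omits it, so the two topics should be made consistent.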
@@ -0,0 +1,147 @@ +--- +title: Lock pages in memory (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. +ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Lock pages in memory + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Lock pages in memory** security policy setting. + +## Reference + + +This policy setting determines which accounts can use a process to keep data in physical memory, which prevents the computer from paging the data to virtual memory on a disk. + +Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use. + +Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation. + +**Note**   +By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. + +  + +Constant: SeLockMemoryPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +Best practices are dependent on the platform architecture and the applications running on those platforms. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users with the **Lock pages in memory** user right could assign physical memory to several processes, which could leave little or no RAM for other processes and result in a denial-of-service condition. + +### Countermeasure + +Do not assign the **Lock pages in memory** user right to any accounts. + +### Potential impact + +None. Not defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/log-on-as-a-batch-job.md b/windows/keep-secure/log-on-as-a-batch-job.md new file mode 100644 index 0000000000..d2a27b6c9c --- /dev/null +++ b/windows/keep-secure/log-on-as-a-batch-job.md 
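Review bot: In lock-pages-in-memory.md, the two opening paragraphs of the Reference section contradict each other: the first says the right `prevents the computer from paging the data to virtual memory on a disk`, while the second says `the application begins to move the data from RAM (such as the data cache) to a disk`; paging is done by the operating system's memory manager, not by the application, so the second paragraph should attribute the move to the system, and "virtual memory on a disk" should read "the paging file". The "Best practices" section gives no recommendation at all (`Best practices are dependent on the platform architecture ...`) while "Countermeasure" says `Do not assign the Lock pages in memory user right to any accounts`; the best-practice entry should state that default, with the platform dependence as a qualifier. Minor: `Thereby, the amount of memory that Windows can reclaim under pressure is limited` reads better as "This limits the amount of memory ...", and the Note's "depending on if" should be "depending on whether".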
@@ -0,0 +1,152 @@ +--- +title: Log on as a batch job (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. +ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Log on as a batch job + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting. + +## Reference + + +This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. + +Constant: SeBatchLogonRight + +### Possible values + +- User-defined list of accounts + +- Default values + +- Not Defined + +### Best practices + +- Use discretion when assigning this right to specific users for security reasons. The default settings are sufficient in most cases. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

+

Backup Operators

+

Performance Log Users

Stand-Alone Server Default Settings

Administrators

+

Backup Operators

+

Performance Log Users

Domain Controller Effective Default Settings

Administrators

+

Backup Operators

+

Performance Log Users

Member Server Effective Default Settings

Administrators

+

Backup Operators

+

Performance Log Users

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Task Scheduler automatically grants this right when a user schedules a task. To override this behavior use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting. + +Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default. + +### Countermeasure + +You should allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account. + +For IIS servers, you should configure this policy locally instead of through domain–based Group Policy settings so that you can ensure the local IUSR\_*<ComputerName>* and IWAM\_*<ComputerName>* accounts have this user right. 
+ +### Potential impact + +If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/log-on-as-a-service.md b/windows/keep-secure/log-on-as-a-service.md new file mode 100644 index 0000000000..ad2eda2c3f --- /dev/null +++ b/windows/keep-secure/log-on-as-a-service.md 
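Review bot: In log-on-as-a-batch-job.md, the Countermeasure section uses an en dash in `domain–based Group Policy settings` while Potential impact uses the hyphenated `domain-based`; use the hyphen throughout. In the Group Policy section, `To override this behavior use the ...` needs a comma after "behavior". The Countermeasure's advice to configure the right `for only the Local Service account` and the Potential impact's list of IIS accounts (IIS_WPG, IUSR_, ASPNET, IWAM_) are stated independently; a cross-reference from the countermeasure to the IIS paragraph would keep a reader from locking IIS out when applying the first recommendation. Also, the sentence above the table says the default is Administrators, Backup Operators and Performance Log Users `on domain controllers and on stand-alone servers`, but the table's Client Computer row lists only Administrators; adding "and Administrators on workstations" would make the sentence and the table agree.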
@@ -0,0 +1,140 @@ +--- +title: Log on as a service (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. +ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Log on as a service + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting. + +## Reference + + +This policy setting determines which service accounts can register a process as a service. Running a process under a service account circumvents the need for human intervention. + +Constant: SeServiceLogonRight + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Minimize the number of accounts that are granted this user right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Network Service on domain controllers and Network Service on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Network Service

Member Server Effective Default Settings

Network Service

Client Computer Effective Default Settings

Network Service

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +The policy setting **Deny logon as a service** supersedes this policy setting if a user account is subject to both policies. + +Group Policy settings are applied in the following order, which will overwrite settings on the local device at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account. + +### Countermeasure + +By definition, the Network Service account has the **Log on as a service** user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right. + +### Potential impact + +On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. 
However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/maintain-applocker-policies.md b/windows/keep-secure/maintain-applocker-policies.md new file mode 100644 index 0000000000..edc7834283 --- /dev/null +++ b/windows/keep-secure/maintain-applocker-policies.md 
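Review bot: In log-on-as-a-service.md, the "Potential impact" section says the default restricts the right to `the Local System, Local Service, and Network Service built-in accounts`, but the "Default values" table and the sentence above it list only Network Service; reconcile the two (the Countermeasure's statement that Network Service holds the right by definition rather than through the policy explains the "Not defined" policy rows, so the table looks like the one to trust). The Group Policy section refers to **Deny logon as a service**, which does not match the "Deny log on as a ..." naming used for the batch-job counterpart in this same change; correct the name and link it the way log-on-as-a-batch-job.md links its Deny topic. Also `By default this setting is Network Service on domain controllers and Network Service on stand-alone servers` repeats itself; "on domain controllers and stand-alone servers" suffices.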
@@ -0,0 +1,127 @@ +--- +title: Maintain AppLocker policies (Windows 10) +description: This topic describes how to maintain rules within AppLocker policies. +ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Maintain AppLocker policies + + +**Applies to** + +- Windows 10 + +This topic describes how to maintain rules within AppLocker policies. + +Common AppLocker maintenance scenarios include: + +- A new app is deployed, and you need to update an AppLocker policy. + +- A new version of an app is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy. + +- An app is no longer supported by your organization, so you need to prevent it from being used. + +- An app appears to be blocked but should be allowed. + +- An app appears to be allowed but should be blocked. + +- A single user or small subset of users needs to use a specific app that is blocked. + +There are two methods you can use to maintain AppLocker policies: + +- [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp) + +- [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin) + +As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. + +**Caution**   +You should not edit an AppLocker rule collection while it is being enforced in Group Policy. 
Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. + +  + +## Maintaining AppLocker policies by using Group Policy + + +For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks. + +### Step 1: Understand the current behavior of the policy + +Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app. + +### Step 2: Export the AppLocker policy from the GPO + +Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) + +### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule + +After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. + +To modify AppLocker rules, see the following: + +- [Edit AppLocker rules](edit-applocker-rules.md) + +- [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md) + +- [Delete an AppLocker rule](delete-an-applocker-rule.md) + +- [Enforce AppLocker rules](enforce-applocker-rules.md) + +### Step 4: Test the AppLocker policy + +You should test each collection of rules to ensure that the rules perform as intended. 
(Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +### Step 5: Import the AppLocker policy into the GPO + +After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). + +### Step 6: Monitor the resulting policy behavior + +After deploying a policy, evaluate the policy's effectiveness. + +## Maintaining AppLocker policies by using the Local Security Policy snap-in + + +For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks. + +### Step 1: Understand the current behavior of the policy + +Before modifying a policy, evaluate how the policy is currently implemented. + +### Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule + +Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. + +To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md). + +### Step 3: Test the AppLocker policy + +You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). + +### Step 4: Deploy the policy with the modified rule + +You can export and then import AppLocker policies to deploy the policy to other computers running Windows 8 or later. 
To perform this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). + +### Step 5: Monitor the resulting policy behavior + +After deploying a policy, evaluate the policy's effectiveness. + +## Additional resources + + +- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). + +  + +  + + + + + diff --git a/windows/keep-secure/manage-auditing-and-security-log.md b/windows/keep-secure/manage-auditing-and-security-log.md new file mode 100644 index 0000000000..8eb5c90fc8 --- /dev/null +++ b/windows/keep-secure/manage-auditing-and-security-log.md 
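Review bot: In maintain-applocker-policies.md, Step 4 of the Local Security Policy section says export/import deploys the policy `to other computers running Windows 8 or later`, while the topic's "Applies to" block lists only Windows 10; either broaden "Applies to" or drop the Windows 8 reference. The link text `Merge AppLocker policies by using Set-ApplockerPolicy` spells the cmdlet with a lowercase "l", unlike `Test-AppLockerPolicy` in Step 1 of the Group Policy section; cmdlet names should be cased consistently. Step 2 of the Group Policy section ends without a period after the link to "Export an AppLocker policy from a GPO". Step 1 of the Group Policy procedure names Test-AppLockerPolicy as the way to evaluate the current policy, but Step 1 of the local procedure gives no method at all; reuse the same pointer there so both procedures start from the same check.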
@@ -0,0 +1,153 @@ +--- +title: Manage auditing and security log (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. +ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Manage auditing and security log + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Manage auditing and security log** security policy setting. + +## Reference + + +This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + +Constant: SeSecurityPrivilege + +### Possible values + +- User-defined list of accounts + +- Administrators + +- Not Defined + +### Best practices + +1. Before removing this right from a group, investigate whether applications are dependent on this right. + +2. Generally, assigning this user right to groups other than Administrators is not necessary. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. + +For more information about the Object Access audit policy, see [Audit object access](basic-audit-object-access.md). + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Anyone with the **Manage auditing and security log** user right can clear the Security log to erase important evidence of unauthorized activity. + +### Countermeasure + +Ensure that only the local Administrators group has the **Manage auditing and security log** user right. + +### Potential impact + +Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration. + +**Warning**   +If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. 
Before removing this right from a group, investigate whether applications are dependent on this right. + +  + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md new file mode 100644 index 0000000000..b6d3868c6d --- /dev/null +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md 
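Review bot: In the "Reference" paragraph, "These objects specify their system access control lists (SACL)." does not say what the right actually grants; the audit options live in each object's SACL, so suggest "Holders of this right can modify the system access control list (SACL) of those objects." Second, the "Default values" table lists "Not defined" for the Default Domain Policy while every effective setting is "Administrators" and the Security considerations call restricting the right to Administrators "the default configuration"; a sentence explaining that "Not defined" means the local default (Administrators) applies would remove the apparent contradiction. Third, the "Vulnerability" entry is about clearing the Security log, but the "Countermeasure" only restricts who holds the right; since the Reference section already states holders "can also view and clear the Security log in Event Viewer", the countermeasure should at least cross-reference the linked "Audit object access" topic so readers know where the audit settings that produce that evidence are configured. Style: the table is raw HTML with a run of empty column definitions ("++++" followed by stacked empty tags), whereas the other topics in this change use markdown; converting it keeps the set consistent. The warning at the end repeats best-practice item 1 verbatim ("Before removing this right from a group, investigate whether applications are dependent on this right."); one of the two can go.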
@@ -0,0 +1,138 @@ +--- +title: Manage identity verification using Microsoft Passport (Windows 10) +description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. +ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Manage identity verification using Microsoft Passport + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. + +Passport addresses the following problems with passwords: + +- Passwords can be difficult to remember, and users often reuse passwords on multiple sites. + +- Server breaches can expose symmetric network credentials. + +- Passwords can be subject to [replay attacks](http://go.microsoft.com/fwlink/p/?LinkId=615673). + +- Users can inadvertently expose their passwords due to [phishing attacks](http://go.microsoft.com/fwlink/p/?LinkId=615674). + +Passport lets users authenticate to: + +- a Microsoft account. + +- an Active Directory account. + +- a Microsoft Azure Active Directory (AD) account. + +- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication + +After an initial two-step verification of the user during Passport enrollment, Passport is set up on the user's device and the user is asked to set a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. 
Windows then uses Passport to authenticate users and help them to access protected resources and services. + +As an administrator in an enterprise or educational organization, you can create policies to manage Passport use on Windows 10-based devices that connect to your organization. + +## Benefits of Microsoft Passport + + +Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + +You may wonder [how a PIN can help protect a device better than a password](why-a-pin-is-better-than-a-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. + +In Windows 10, Passport replaces passwords. The Passport provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Passport enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Passport keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Passport keys are tied to TPM. 
During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Passport key is created in software. + +![how authentication works in microsoft passport](images/authflow.png) + +Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. + +Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs. + +Microsoft Passport also enables Windows 10 Mobile devices to be used as [a remote credential](prepare-people-to-use-microsoft-passport.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. + +**Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  + +## How Microsoft Passport works: key points + + +- Passport credentials are based on certificate or asymmetrical key pair. Passport credentials are bound to the device, and the token that is obtained using the credential is also bound to the device. 
+ +- Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps Microsoft Passport's public key to a user account during the registration step. + +- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. + +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Passport gesture does not roam between devices and is not shared with the server; it is stored locally on a device. + +- Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. + +- PIN entry and Hello both trigger Windows 10 to verify the user's identity and authenticate using Passport keys or certificates. + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use separate containers for keys. Non-Microsoft identity providers can generate keys for their users in the same container as the Microsoft account; however, all keys are separated by identity providers' domains to help ensure user privacy. + +- Certificates are added to the Passport container and are protected by the Passport gesture. + +- Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run. + +## Comparing key-based and certificate-based authentication + + +Passport can use either keys (hardware or software) or certificates with keys in hardware or software to confirm identity. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Passport. 
Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Passport. + +Hardware-based keys, which are generated by TPM, provide the highest level of assurance. When the TPM is manufactured, an Endorsement Key (EK) certificate is resident in the TPM. This EK certificate creates a root trust for all other keys that are generated on this TPM. + +EK certification is used to generate an attestation identity key (AIK) certificate issued by a Microsoft certificate authority. This AIK certificate can be used as an attestation claim to prove to identity providers that the Passport keys are generated on the same TPM. The Microsoft certificate authority (CA) generates the AIK certificate per device, per user, and per IDP to help ensure that user privacy is protected. + +When identity providers such as Active Directory or Azure AD enroll a certificate in Passport, Windows 10 will support the same set of scenarios as a smart card. When the credential type is a key, only key-based trust and operations will be supported. 
+ +## Learn more + + +[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=708533) + +[Windows Hello face authentication](http://go.microsoft.com/fwlink/p/?LinkId=626024) + +[Biometrics hardware guidelines](http://go.microsoft.com/fwlink/p/?LinkId=626995) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891) + +[Authenticating identities without passwords through Microsoft Passport](http://go.microsoft.com/fwlink/p/?LinkId=616778) + +[Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928) + +## Related topics + + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) + +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) + +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Passport successfully created](passport-event-300.md) + +  + +  + + + + + diff --git a/windows/keep-secure/manage-packaged-apps-with-applocker.md b/windows/keep-secure/manage-packaged-apps-with-applocker.md new file mode 100644 index 0000000000..0db2b96b96 --- /dev/null +++ b/windows/keep-secure/manage-packaged-apps-with-applocker.md 
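Review bot: "Identify provider" is a typo for "Identity provider" in two places: "the identify provider knows from the combination of Passport keys and gesture" under "Benefits of Microsoft Passport", and the bullet "Identify provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity" under "How Microsoft Passport works: key points". Also in the Benefits section, "It also helps prevent server breaches because Passport credentials are an asymmetric key pair" overstates the property: an asymmetric credential does not prevent a breach, it limits what a breach exposes, which the key points already state ("The authenticating server has a public key that is mapped to the user account" and "Private key never leaves a device"). Suggest "It also limits the impact of a server breach, because the server stores only the public half of an asymmetric key pair; the private key never leaves the device." Minor grammar in the first key point: "based on certificate or asymmetrical key pair" should read "based on a certificate or an asymmetric key pair".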
@@ -0,0 +1,92 @@ +--- +title: Manage packaged apps with AppLocker (Windows 10) +description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. +ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Manage packaged apps with AppLocker + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. + +## Understanding Packaged apps and Packaged app installers for AppLocker + + +Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. With packaged apps, it is possible to control the entire app by using a single AppLocker rule. + +**Note**   +AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. + +  + +Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. 
+ +### Comparing classic Windows apps and packaged apps + +AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: + +- **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. + +- **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. + +- **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. + +AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. + +For info about controlling classic Windows apps, see [Administer AppLocker](administer-applocker.md). + +For more info about packaged apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). 
+ +## Design and deployment decisions + + +You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet. + +**Note**   +Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + +  + +For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + +For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). + +Consider the following info when you are designing and deploying apps: + +- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary. + +- You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules. + +- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. 
An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. + + To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. + +## Using AppLocker to manage packaged apps + + +Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy: + +1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). + +2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](http://technet.microsoft.com/library/ee460941(WS.10).aspx). + +3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). + +4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. 
To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + +  + +  + + + + + diff --git a/windows/keep-secure/manage-tpm-commands.md b/windows/keep-secure/manage-tpm-commands.md new file mode 100644 index 0000000000..1d9de633fa --- /dev/null +++ b/windows/keep-secure/manage-tpm-commands.md 
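Review bot: Under "Design and deployment decisions", the last bullet first states "if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection" and then, two sentences later, "by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection"; as written the two defaults read as contradictory. Suggest stating the precedence explicitly: the empty-collection rule is the general case, and the packaged-app collection is the one exception, triggered only when the exe collection already contains rules. In "Acquiring the apps", "by loading using Windows PowerShell cmdlets (which requires a special enterprise license)" should say "by sideloading with Windows PowerShell cmdlets", which is the term the licensing requirement refers to. Typo in strategy step 3: "new package apps" should be "new packaged apps". Step 2 links "Packaged Apps Default Rules in AppLocker" to an external ee460941(WS.10) TechNet page while every other cross-reference in the topic is relative; worth confirming that the WS.10 page is the intended target for a Windows 10 topic.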
@@ -0,0 +1,106 @@ +--- +title: Manage TPM commands (Windows 10) +description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. +ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Manage TPM commands + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. + +## + + +After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. + +Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-clbtc). + +Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings. + +Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-idlb). + +The following procedures describe how to manage the TPM command lists. 
You must be a member of the local Administrators group. + +**To block TPM commands by using the Local Group Policy Editor** + +1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + + **Note**   + Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). + +   + +2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. + +3. Under **System**, click **Trusted Platform Module Services**. + +4. In the details pane, double-click **Configure the list of blocked TPM commands**. + +5. Click **Enabled**, and then click **Show**. + +6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**. + + **Note**   + For a list of commands, see the [Trusted Platform Module (TPM) Specifications](http://go.microsoft.com/fwlink/p/?linkid=139770). + +   + +7. After you have added numbers for each command that you want to block, click **OK** twice. + +8. Close the Local Group Policy Editor. + +**To block or allow TPM commands by using the TPM MMC** + +1. Open the TPM MMC (tpm.msc) + +2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +3. In the console tree, click **Command Management**. A list of TPM commands is displayed. + +4. In the list, select a command that you want to block or allow. + +5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. + +**To block new commands** + +1. Open the TPM MMC (tpm.msc). 
+ + If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +2. In the console tree, click **Command Management**. A list of TPM commands is displayed. + +3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed. + +4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. + +## Use the TPM cmdlets + + +If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + +**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + +## Additional resources + + +For more info about TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). + +  + +  + + + + + diff --git a/windows/keep-secure/manage-tpm-lockout.md b/windows/keep-secure/manage-tpm-lockout.md new file mode 100644 index 0000000000..2753d3dffc --- /dev/null +++ b/windows/keep-secure/manage-tpm-lockout.md 
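Review bot: The heading immediately before "After a computer user takes ownership of the TPM" is an empty "##" with no title; either give it one (for example "About blocking TPM commands") or drop it so the intro flows into the first section. The sentence "Two policy settings control the enforcement which allows TPM commands to run." is hard to parse; suggest "Two policy settings control whether the default block list and the local block list are enforced." Style: the install command "dism /online /enable-feature /FeatureName:tpm-psh-cmdlets" is set in bold rather than as a code span or fenced block (the manage-tpm-lockout topic in this change does the same); a code block is what readers copy from and keeps the slashes from being treated as markup. Step 1 of "To block or allow TPM commands by using the TPM MMC" is missing its closing period ("Open the TPM MMC (tpm.msc)"), unlike the same step in the other two procedures.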
@@ -0,0 +1,97 @@ +--- +title: Manage TPM lockout (Windows 10) +description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. +ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Manage TPM lockout + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. + +## About TPM lockout + + +The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. + +TPM ownership is commonly taken the first time BitLocker Drive Encryption is turned on for the computer. In this case, the TPM owner authorization password is saved with the BitLocker recovery key. When the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value. When the BitLocker recovery key is printed, the TPM owner password is printed at the same time. You can also save your TPM owner password hash value to Active Directory Domain Services (AD DS) if your organization's Group Policy settings are configured to do so. + +In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. 
To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. + +The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM manufacturers implement different protection mechanisms and behavior. The general guidance is for the TPM chip to take exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. + +If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. + +## Reset the TPM lockout by using the TPM MMC + + +The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. + +**To reset the TPM lockout** + +1. Open the TPM MMC (tpm.msc). + +2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. + +3. Choose one of the following methods to enter the TPM owner password: + + - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. + + - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. 
+ + **Note**   + If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. + +   + +## Use Group Policy to manage TPM lockout settings + + +The TPM Group Policy settings in the following list are located at: + +**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** + +- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#bkmk-individual) + + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. + +- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-suld) + + This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. + +- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#bkmk-total) + + This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. 
If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. + +For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#bkmk-howtpmmitigates). + +## Use the TPM cmdlets + + +If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: + +**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). + +## Additional resources + + +For more info about TPM, see [TPM technology overview](trusted-platform-module-overview.md#bkmk-additionalresources). + +  + +  + + + + + diff --git a/windows/keep-secure/maximum-lifetime-for-service-ticket.md b/windows/keep-secure/maximum-lifetime-for-service-ticket.md new file mode 100644 index 0000000000..d1ddb01b51 --- /dev/null +++ b/windows/keep-secure/maximum-lifetime-for-service-ticket.md 
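Review bot: the anchor targets in the Group Policy list under "Use Group Policy to manage TPM lockout settings" look swapped: "Standard User Lockout Duration" links to `#bkmk-individual` while "Standard User Individual Lockout Threshold" links to `#bkmk-tpmgp-suld` (suld reads as "standard user lockout duration"); please cross-check both against the headings in trusted-platform-module-services-group-policy-settings.md. In the same list, both threshold descriptions say "If the number of authorization failures equals the duration that is set", but those two settings are counts, not durations; suggest "equals the threshold that is set". Minor: the `dism /online /enable-feature /FeatureName:tpm-psh-cmdlets` command under "Use the TPM cmdlets" is bold text rather than a code span or fenced block, so a reader cannot tell where the command ends.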
@@ -0,0 +1,142 @@ +--- +title: Maximum lifetime for service ticket (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. +ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Maximum lifetime for service ticket + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting. + +## Reference + + +The **Maximum lifetime for service ticket** policy setting determines the maximum number of minutes that a granted session ticket can be used to access a particular service. The value must be 10 minutes or greater, and it must be less than or equal to the value of the **Maximum lifetime for service ticket** policy setting. + +The possible values for this Group Policy setting are: + +- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets do not expire). + +- Not defined. + +If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that authenticated the connection expires during the connection. + +If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours. 
In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. + +### Best practices + +- It is advisable to set **Maximum lifetime for service ticket** to **600** minutes. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server Type or GPODefault Value

Default Domain Policy

600 minutes

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

DC Effective Default Settings

600 minutes

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +This policy setting is configured on the domain controller. + +### Group Policy + +Client computers will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. + +### Countermeasure + +Configure the **Maximum lifetime for service ticket** setting to 600 minutes. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Kerberos Policy](kerberos-policy.md) + +  + +  + + + + + 
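Review bot: the second sentence of the Reference section compares the setting to itself: "it must be less than or equal to the value of the **Maximum lifetime for service ticket** policy setting". The upper bound on a service ticket lifetime is the ticket-granting ticket lifetime, so this should read "Maximum lifetime for user ticket" and can link to maximum-lifetime-for-user-ticket.md, which this same commit adds. Also, the Vulnerability section repeats the logon-hours and disabled-account paragraph from the Reference section almost verbatim; one of the two could simply refer to the other.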
diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md new file mode 100644 index 0000000000..2a1b0a18e3 --- /dev/null +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket-renewal.md @@ -0,0 +1,139 @@ +--- +title: Maximum lifetime for user ticket renewal (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. +ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Maximum lifetime for user ticket renewal + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. + +## Reference + + +The **Maximum lifetime for user ticket renewal** policy setting determines the period of time (in days) during which a user’s ticket-granting ticket can be renewed. + +The possible values for this Group Policy setting are: + +- A user-defined number of days from 0 through 99,999 + +- Not defined + +### Best practices + +- If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. + + It is advisable to set **Maximum lifetime for user ticket renewal** to **7** days. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

7 days

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

Domain Controller Effective Default Settings

7 days

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +  + +### Policy management + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +This policy setting is configured on the domain controller. + +### Group Policy + +Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew very old user tickets. + +### Countermeasure + +Configure the **Maximum lifetime for user ticket renewal** setting to 7 days. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Kerberos Policy](kerberos-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/maximum-lifetime-for-user-ticket.md b/windows/keep-secure/maximum-lifetime-for-user-ticket.md new file mode 100644 index 0000000000..7301401239 --- /dev/null +++ b/windows/keep-secure/maximum-lifetime-for-user-ticket.md 
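Review bot: the "Policy management" heading in this file is `###`, whereas the sibling Kerberos policy files in this commit (maximum-lifetime-for-service-ticket.md, maximum-lifetime-for-user-ticket.md) use `##` for the same section; it should be `##` so the TOC is consistent. In Best practices, "If the value is 0, ticket-granting tickets never expire" describes expiry, but this setting governs the renewal window (expiry is the subject of Maximum lifetime for user ticket); please confirm whether 0 means the TGT never expires or that it can be renewed without limit, and word it so the two settings are not confused. The Vulnerability section says "very old user tickets" where the Reference section says "ticket-granting tickets"; the terminology should match.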
@@ -0,0 +1,140 @@ +--- +title: Maximum lifetime for user ticket (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. +ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Maximum lifetime for user ticket + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. + +## Reference + + +The **Maximum lifetime for user ticket** policy setting determines the maximum amount of time (in hours) that a user’s ticket-granting ticket can be used. When a user’s ticket-granting ticket expires, a new one must be requested or the existing one must be renewed. + +The possible values for this Group Policy setting are: + +- A user-defined number of hours from 0 through 99,999 + +- Not defined + +If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. + +### Best practices + +- It is advisable to set **Maximum lifetime for user ticket** to 10 hours. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + +### Default Values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server Type or GPODefault Value

Default Domain Policy

10 hours

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

Domain Controller Effective Default Settings

10 hours

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +This policy setting is configured on the domain controller. + +### Group Policy + +Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local computer, the Security Configuration Engine will refresh this setting in about five minutes. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. + +### Countermeasure + +Configure the **Maximum lifetime for user ticket** setting with a value between 4 and 10 hours. 
+ +### Potential impact + +Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user does not have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of four hours without too much additional burden. + +## Related topics + + +[Kerberos Policy](kerberos-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/maximum-password-age.md b/windows/keep-secure/maximum-password-age.md new file mode 100644 index 0000000000..b80a337270 --- /dev/null +++ b/windows/keep-secure/maximum-password-age.md 
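Review bot: the recommended value is stated three different ways in this file: Best practices says to set **Maximum lifetime for user ticket** to 10 hours (the default), the Countermeasure says "a value between 4 and 10 hours", and Potential impact discusses reducing the value below the default. Pick one recommendation and make the sections agree. In the Reference section, the sentence about disabled accounts says "valid service tickets", but the ticket this setting governs is the ticket-granting ticket (the Vulnerability section correctly says "user tickets"). Style: "### Default Values" should be "### Default values" to match the other files in the commit.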
@@ -0,0 +1,127 @@ +--- +title: Maximum password age (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. +ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Maximum password age + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting. + +## Reference + + +The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. + +**Note**   +Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. + +  + +### Possible values + +- User-specified number of days between 0 and 999 + +- Not defined + +### Best practices + +Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

42 days

Default domain controller policy

Not defined

Stand-alone server default settings

42 days

Domain controller effective default settings

42 days

Member server effective default settings

42 days

Effective GPO default settings on client computers

42 days

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access. + +### Countermeasure + +Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. + +### Potential impact + +If the **Maximum password age** policy setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. + +## Related topics + + +[Password Policy](password-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md new file mode 100644 index 0000000000..9fc39fe52d --- /dev/null 
+++ b/windows/keep-secure/maximum-tolerance-for-computer-clock-synchronization.md 
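Review bot: the guidance for maximum-password-age.md is inconsistent within the file: Best practices recommends 30 to 90 days, the Countermeasure only says "a value that is suitable for your organization's business requirements", and the default table shows 42 days; the Countermeasure should at least repeat the 30 to 90 day range so the sections agree. The first Reference paragraph says "between 1 and 999" while Possible values says "between 0 and 999"; the list item should say that 0 is the never-expires case, since that is the only reason the ranges differ. Style: the table rows use "Default domain policy" and "Default domain controller policy" in lowercase while the other policy files in this commit write "Default Domain Policy" and "Default Domain Controller Policy".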
@@ -0,0 +1,140 @@ +--- +title: Maximum tolerance for computer clock synchronization (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting. +ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Maximum tolerance for computer clock synchronization + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security policy setting. + +## Reference + + +This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. + +To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. + +The possible values for this Group Policy setting are: + +- A user-defined number of minutes from 1 through 99,999 + +- Not defined + +### Best practices + +- It is advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

5 minutes

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not applicable

Domain Controller Effective Default Settings

5 minutes

Member Server Effective Default Settings

Not applicable

Client Computer Effective Default Settings

Not applicable

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +This policy setting is configured on the domain controller. + +### Group Policy + +Client devices will get the new setting during the next scheduled and successful Group Policy refresh. But for domain controllers to assign these new settings immediately, a gpupdate.exe /force is required. On the local device, the Security Configuration Engine will refresh this setting in about five minutes. + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. 
If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic. + +### Countermeasure + +Configure the **Maximum tolerance for computer clock synchronization** setting to 5 minutes. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Kerberos Policy](kerberos-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md new file mode 100644 index 0000000000..746254c18e --- /dev/null +++ b/windows/keep-secure/merge-applocker-policies-by-using-set-applockerpolicy.md 
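Review bot: in maximum-tolerance-for-computer-clock-synchronization.md the Vulnerability section repeats the Reference section's replay-attack explanation almost sentence for sentence; the definition of a replay attack appears only in the Vulnerability section, so keep the explanation in one place and have the other section refer to it. The protocol version alternates between "Kerberos V5" and "Kerberos v5" within the Reference section; pick one. Minor: "the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock" reads awkwardly; "the maximum clock difference that the Kerberos protocol accepts between a client and a domain controller" is clearer.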
@@ -0,0 +1,50 @@ +--- +title: Merge AppLocker policies by using Set-ApplockerPolicy (Windows 10) +description: This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. +ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Merge AppLocker policies by using Set-ApplockerPolicy + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. + +The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy. + +For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx). + +For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + +You can also manually merge AppLocker policies. For the procedure to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). + +**To merge a local AppLocker policy with another AppLocker policy by using LDAP paths** + +1. Open the PowerShell command window. 
For info about performing Windows PowerShell commands for AppLocker, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + +2. At the command prompt, type **C:\\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP: //***<string>***"** **-Merge** where *<string>* specifies the LDAP path of the unique GPO. + +## Example + + +Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. + +``` syntax +C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge +``` + +  + +  + + + + + diff --git a/windows/keep-secure/merge-applocker-policies-manually.md b/windows/keep-secure/merge-applocker-policies-manually.md new file mode 100644 index 0000000000..dc7b2e2f7c --- /dev/null +++ b/windows/keep-secure/merge-applocker-policies-manually.md 
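Review bot: the GUID in the Example is malformed: the last group of {31B2F340-016D-11D2-945F-00C044FB984F9} has 13 hex characters, but a GUID's last group has 12, so this LDAP path cannot resolve as written. It looks like the well-known Default Domain Policy GUID {31B2F340-016D-11D2-945F-00C04FB984F9} with a duplicated "4"; please confirm and fix. In step 2 of the procedure, the text the user is told to type includes the `C:\PS>` prompt, the bold markup around the placeholder is broken ("LDAP: //***<string>***"** **-Merge), and "LDAP: //" has a space after the colon; suggest a plain code span: `Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://<string>" -Merge`. Also "If no Lightweight Directory Access Protocol (LDAP) is specified" should be "If no LDAP path is specified", and the title spells the cmdlet "Set-ApplockerPolicy" while the body uses "Set-AppLockerPolicy".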
@@ -0,0 +1,119 @@ +--- +title: Merge AppLocker policies manually (Windows 10) +description: This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). +ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Merge AppLocker policies manually + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). + +If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). + +The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. Rule collections are specified within the **RuleCollection Type** element. The XML schema includes five attributes for the different rule collections, as shown in the following table: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Rule collectionRuleCollection Type element

Executable rules

Exe

Windows Installer rules

Msi

Script rules

Script

DLL rules

Dll

Packaged apps and packaged app installers

Appx

+ +  + +Rule enforcement is specified with the **EnforcementMode** element. The three enforcement modes in the XML correspond to the three enforcement modes in the AppLocker console, as shown in the following table: + + ++++ + + + + + + + + + + + + + + + + + + + + +
XML enforcement modeEnforcement mode in Group Policy

NotConfigured

Not configured (rules are enforced)

AuditOnly

Audit only

Enabled

Enforce rules

+ +  + +Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To merge two or more AppLocker policies** + +1. Open an XML policy file in a text editor or XML editor, such as Notepad. + +2. Select the rule collection where you want to copy rules from. + +3. Select the rules that you want to add to another policy file, and then copy the text. + +4. Open the policy where you want to add the copied rules. + +5. Select and expand the rule collection where you want to add the rules. + +6. At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy. + +7. Upload the policy to a reference computer to ensure that it is functioning properly within the GPO. + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md new file mode 100644 index 0000000000..5eed7b34b9 --- /dev/null +++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md 
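Review bot: in merge-applocker-policies-manually.md the sentence "For XML examples of the different rule types, see Merge AppLocker policies manually" points at this very topic, so it is a dead self-reference; link to the topic that actually carries the XML examples or drop the sentence. The schema description is also off: "Rule collections are specified within the **RuleCollection Type** element" and "the XML schema includes five attributes for the different rule collections" describe what is really one attribute, `Type`, on the `RuleCollection` element, taking the five values in the table (Exe, Msi, Script, Dll, Appx); likewise "the **EnforcementMode** element" is an attribute of `RuleCollection`. Grammar: "Each of the three condition types use" should be "uses". In step 6, "after the closing element" does not say which element; say after the closing tag of the last rule in that RuleCollection, before the collection's own closing tag.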
@@ -0,0 +1,169 @@ +--- +title: Microsoft network client Digitally sign communications (always) (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. +ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network client: Digitally sign communications (always) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. + +## Reference + + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + +If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. 
By default, server-side SMB signing is enabled only on domain controllers. + +If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + +Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + +There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + +- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) + +- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) + +- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +1. Configure the following security policy settings as follows: + + - Disable **Microsoft network client: Digitally sign communications (always)**. + + - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + + - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. + +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + +### Countermeasure + +Configure the settings as follows: + +- Disable **Microsoft network client: Digitally sign communications (always)**. + +- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 
+ +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. + +**Note**   +An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +  + +### Potential impact + +Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md new file mode 100644 index 0000000000..d9567dee32 --- /dev/null 
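Review bot: Best practices item 1 (disable both "always" settings, enable both "if agrees" settings) is presented as the primary recommendation, and only the Potential impact paragraph spells out the consequence: with just the "if agrees" settings, a session with a peer that does not sign proceeds unsigned, which is the condition the Vulnerability section says allows session hijacking. Suggest stating that trade-off in item 1 itself, beside the performance rationale in item 2, so the reader does not take item 1 as the hardened option. Also, the Reference says "By default, client-side SMB signing is enabled on workstations, servers, and domain controllers" while the Default values table for this setting shows Disabled in every effective row; make explicit that the "enabled by default" statement refers to the (if server agrees) setting, not to this (always) setting.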
+++ b/windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
@@ -0,0 +1,169 @@ +--- +title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting. +ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network client: Digitally sign communications (if server agrees) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. + +## Reference + + +The Server Message Block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + +If server-side SMB signing is required, a client computer will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. 
By default, server-side SMB signing is enabled only on domain controllers. + +If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + +Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + +There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + +- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) + +- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) + +- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +1. Configure the following security policy settings as follows: + + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + + - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + + - Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**. + + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + +### Countermeasure + +Configure the settings as follows: + +- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + +- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + +- Enable **Microsoft network client: Digitally sign communications (if server agrees)**. + +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 
+ +In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. + +**Note**   +An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +  + +### Potential impact + +Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md new file mode 100644 index 0000000000..d65dfe9610 --- /dev/null 
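Review bot: The Reference paragraph is copied from the (always) topic and so says this setting "determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted"; that describes the (always) setting, not this one. The Best practices and Countermeasure lists in this file treat (if server agrees) as the opt-in companion to (always), and the Default values table shows it Enabled everywhere, so the Reference should say that with this setting the client signs when the server also signs and still connects, unsigned, when the server does not. Also the Best practices bullet writes the setting as "Microsoft Network Client: Digitally Sign Communications (If Server Agrees)" while the title, heading and Countermeasure bullet use "Microsoft network client: Digitally sign communications (if server agrees)"; use one form so it matches the policy's UI string.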
+++ b/windows/keep-secure/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md 
@@ -0,0 +1,128 @@ +--- +title: Microsoft network client Send unencrypted password to third-party SMB servers (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Send unencrypted password to third-party SMB servers security policy setting. +ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network client: Send unencrypted password to third-party SMB servers + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. + +## Reference + + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + +### Possible values + +- Enabled + + The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + +- Disabled + + The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services do not support password encryption, the authentication request will fail. + +- Not defined + +### Best practices + +- It is advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If you enable this policy setting, the server can transmit plaintext passwords across the network to other computers that offer SMB services. These other devices might not use any of the SMB security mechanisms that are included with Windows Server 2003 or later. + +### Countermeasure + +Disable the **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** setting. + +### Potential impact + +Some older applications may not be able to communicate with the servers in your organization by means of the SMB protocol. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md new file mode 100644 index 0000000000..4b1e5d32b1 --- /dev/null +++ b/windows/keep-secure/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
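Review bot: The Vulnerability section says "the server can transmit plaintext passwords across the network to other computers that offer SMB services", but the setting governs the SMB redirector on the client, as the Reference and Possible values paragraphs state; the sentence should say the client (the SMB redirector) sends the plaintext password to a third-party SMB server. Also the Best practices bullet and the Countermeasure name the setting "Send unencrypted password to connect to third-party SMB servers" while the title and heading use "Send unencrypted password to third-party SMB servers"; align them. Minor grammar in the Reference: "allows or prevents the SMB redirector to send" should be "allows or prevents the SMB redirector from sending".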
@@ -0,0 +1,126 @@ +--- +title: Microsoft network server Amount of idle time required before suspending session (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Microsoft network server Amount of idle time required before suspending session security policy setting. +ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network server: Amount of idle time required before suspending session + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. + +## Reference + + +Each Server Message Block (SMB) session consumes server resources. Establishing numerous null sessions will cause the server to slow down or possibly fail. A malicious user might repeatedly establish SMB sessions until the server stops responding; at this point, SMB services will become slow or unresponsive. + +The **Microsoft network server: Amount of idle time required before suspending session** policy setting determines the amount of continuous idle time that must pass in an SMB session before the session is suspended due to inactivity. You can use this policy setting to control when a device suspends an inactive SMB session. The session is automatically reestablished when client device activity resumes. + +### Possible values + +- A user-defined number of minutes from 0 through 99,999 + + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + +- Not defined + +### Best practices + +- It is advisable to set this policy to 15 minutes. 
There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

15 minutes

DC Effective Default Settings

15 minutes

Member Server Effective Default Settings

15 minutes

Client Computer Effective Default Settings

15 minutes

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Each SMB session consumes server resources, and numerous null sessions slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive. + +### Countermeasure + +The default behavior on a server mitigates this threat by design. + +### Potential impact + +There is little impact because SMB sessions are reestablished automatically if the client computer resumes activity. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md new file mode 100644 index 0000000000..ce20b1229e --- /dev/null +++ b/windows/keep-secure/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md 
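Review bot: The Possible values text says the maximum of 99999 minutes "is 208 days", but 99,999 minutes is about 69.4 days (99,999 / 1,440); 208 days would be roughly 300,000 minutes, so either the unit or the conversion is wrong and should be corrected. In the same bullet, "In effect, this value disables the policy" follows a sentence about the value 0 and one about 99999; name 99999 explicitly so it is not read as applying to 0. Also the Countermeasure ("The default behavior on a server mitigates this threat by design") would be clearer if it named the default the table gives, 15 minutes, which is also what the Best practices bullet recommends.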
@@ -0,0 +1,140 @@ +--- +title: Microsoft network server Attempt S4U2Self to obtain claim information (Windows 10) +description: Describes the best practices, location, values, management, and security considerations for the Microsoft network server Attempt S4U2Self to obtain claim information security policy setting. +ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network server: Attempt S4U2Self to obtain claim information + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. + +## Reference + + +This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + +When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims are not present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. 
A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. + +If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal. + +### Possible values + +- **Default** + + The Windows file server will examine the access token of an authenticated network client principal and determine if claim information is present. + +- **Enabled** + + Same as **Default**. + +- **Disabled** + +- **Not defined** + + Same as **Disabled**. + +### Best practices + +This setting should be set to **Default** so that the file server can automatically evaluate whether claims are needed for the user. You should explicitly configure this setting to **Enabled** only if there are local file access policies that include user claims. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8. + +### Countermeasure + +Not applicable. + +### Potential impact + +None. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md new file mode 100644 index 0000000000..91004a814c --- /dev/null +++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md 
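Review bot: The Possible values list is inconsistent with the Best practices paragraph: it says Enabled is "Same as Default", yet Best practices tells the reader to use Default so the server "can automatically evaluate whether claims are needed" and to configure Enabled "only if there are local file access policies that include user claims", which treats the two as different behaviours. Also the Default values table gives Not defined and Disabled as the shipped defaults, and Not defined is "Same as Disabled", so the value called Default is not what a server has by default. Either describe what Default does (examine the token for claims and fall back to S4U2Self, as the first Reference paragraph says) and what Enabled adds, or collapse the two entries. Minor: "allows you take advantage" in the Vulnerability section is missing "to".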
@@ -0,0 +1,171 @@ +--- +title: Microsoft network server Digitally sign communications (always) (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting. +ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network server: Digitally sign communications (always) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting. + +## Reference + + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. 
By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. + +If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. + +Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + +There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + +- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) + +- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) + +- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +1. Configure the following security policy settings as follows: + + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). 
+ + - Disable **Microsoft network server: Digitally sign communications (always)**. + + - Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + + - Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). + +2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. + +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + +### Countermeasure + +Configure the settings as follows: + +- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + +- Disable **Microsoft network server: Digitally sign communications (always)**. + +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + +- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md). 
+ +In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. + +**Note**   +An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +  + +### Potential impact + +Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md new file mode 100644 index 0000000000..2a46117e2c --- /dev/null 
+++ b/windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md 
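Review bot: The Best practices list and the Countermeasure list in the "Digitally sign communications (always)" hunk both tell the reader to Disable the very setting the article documents, and the "set all of these to Enabled" recommendation for highly secure environments is tucked into a trailing sentence. The Reference section states that with signing not required, signing is only "negotiated with client devices that have SMB signing enabled", so a client that does not negotiate signing gets an unsigned session, which is exactly the traffic the Vulnerability section says can be intercepted and modified; state that trade-off beside the list, not after it. Smaller points: "By default, server-side packet signing is enabled only on domain controllers" appears twice in consecutive Reference paragraphs; the paragraph beginning "For this policy to take effect on computers running Windows 2000" is stale in a Windows 10 article; and "It is the basis of NetBIOS" in the Vulnerability section has the layering inverted (SMB is carried over NetBIOS or directly over TCP, it is not what NetBIOS is built on).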
@@ -0,0 +1,169 @@ +--- +title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting. +ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network server: Digitally sign communications (if client agrees) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. + +## Reference + + +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted. + +Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. + +If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. 
By default, server-side SMB signing is enabled only on domain controllers. + +If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. + +Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. + +There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: + +- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) + +- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) + +- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +1. Configure the following security policy settings as follows: + + - Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + + - Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + + - Enable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + + - Enable **Microsoft Network Server: Digitally Sign Communications (If Client Agrees)**. + +2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Enabled

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. + +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. + +### Countermeasure + +Configure the settings as follows: + +- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). + +- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). + +- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). + +- Enable **Microsoft network server: Digitally sign communications (if client agrees)**. 
+ +In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. + +**Note**   +An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + +  + +### Potential impact + +SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. + +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md new file mode 100644 index 0000000000..18b1bba108 --- /dev/null +++ b/windows/keep-secure/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md 
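Review bot: The Best practices list in the "(if client agrees)" hunk contradicts itself: the second item says Disable [Microsoft network server: Digitally sign communications (always)] and the third item says Enable the same link. The Countermeasure list later in the same hunk, and the matching list in the "(always)" article, show the intended third item is Enable [Microsoft network client: Digitally sign communications (if server agrees)]; fix both the link target and the text. The fourth item is title-cased ("Microsoft Network Server: Digitally Sign Communications (If Client Agrees)") while the article title and the Countermeasure list use sentence case. In Potential impact, "SMB file and print-sharing protocol support mutual authentication" has lost its subject; the sibling article's "Implementations of the SMB file and print-sharing protocol support mutual authentication" is the intended wording. The hunk also alternates between "client computers" and "client devices"; pick one.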
@@ -0,0 +1,132 @@ +--- +title: Microsoft network server Disconnect clients when logon hours expire (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Microsoft network server Disconnect clients when logon hours expire security policy setting. +ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network server: Disconnect clients when logon hours expire + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. + +## Reference + + +This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's logon hours expire. + +### Possible values + +- Enabled + + Client device sessions with the SMB service are forcibly disconnected when the client device's logon hours expire. If logon hours are not used in your organization, enabling this policy setting will have no impact. + +- Disabled + + The system maintains an established client device session after the client device's logon hours have expired. + +- Not defined + +### Best practices + +- If you enable this policy setting, you should also enable [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md). 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If your organization configures logon hours for users, it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours can continue to use those resources with sessions that were established during allowed hours. + +### Countermeasure + +Enable the **Microsoft network server: Disconnect clients when logon hours expire** setting. + +### Potential impact + +If logon hours are not used in your organization, this policy setting has no impact. If logon hours are used, existing user sessions are forcibly terminated when their logon hours expire. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md new file mode 100644 index 0000000000..b53e9c7660 --- /dev/null +++ b/windows/keep-secure/microsoft-network-server-server-spn-target-name-validation-level.md 
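Review bot: Potential impact in the "Disconnect clients when logon hours expire" hunk only restates that "existing user sessions are forcibly terminated"; an administrator weighing the setting needs to know what that means for a client with files open on an SMB share at the moment its logon hours end. The Reference paragraph also switches between "client computer sessions" and "client device sessions" within two sentences; use one term. In the Default values table, Default Domain Controller Policy is "Not defined" while DC Effective Default Settings is "Enabled"; that pair is worth one sentence on where the effective value comes from, since the table is read by people who do not know the precedence rules.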
@@ -0,0 +1,151 @@ +--- +title: Microsoft network server Server SPN target name validation level (Windows 10) +description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting. +ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft network server: Server SPN target name validation level + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. + +## Reference + + +This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the Server Message Block (SMB) protocol. The level of validation can help prevent a class of attacks against SMB services (referred to as SMB relay attacks). This setting affects both SMB1 and SMB2. + +Servers that use SMB provide availability to their file systems and other resources, such as printers, to networked client devices. Most servers that use SMB validate user access to resources by using NT Domain authentication (NTLMv1 and NTLMv2) and the Kerberos protocol. + +### Possible values + +The options for validation levels are: + +- **Off** + + The SPN from a SMB client is not required or validated by the SMB server. + +- **Accept if provided by client** + + The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s. If the SPN does not match, the session request for that SMB client will be denied. 
+ +- **Required from client** + + The SMB client must send a SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided does not match, the session is denied. + +The default setting is Off. + +### Best practices + +This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. + +**Note**   +All Windows operating systems support a client-side SMB component and a server-side SMB component. + +  + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy object (GPO)Default value

Default domain policy

Off

Default domain controller policy

Off

Stand-alone server default settings

Off

Domain controller effective default settings

Validation level check not implemented

Member server effective default settings

Validation level check not implemented

Effective GPO default settings on client computers

Validation level check not implemented

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +None. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client device when the client device establishes a session by using the SMB protocol. The level of validation can help prevent a class of attacks against SMB servers (referred to as SMB relay attacks). This setting will affect both SMB1 and SMB2. + +### Countermeasure + +For countermeasures that are appropriate to your environment, see **Possible values** above. + +### Potential impact + +All Windows operating systems support a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. + +Because the SMB protocol is widely deployed, setting the options to **Accept if provided by client** or **Required from client** will prevent some clients from successfully authenticating to some servers in your environment. 
+ +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md new file mode 100644 index 0000000000..f099cdf2ac --- /dev/null +++ b/windows/keep-secure/microsoft-passport-and-password-changes.md 
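Review bot: The Default values table in the "Server SPN target name validation level" hunk gives "Validation level check not implemented" as the effective default for domain controllers, member servers and client computers. That is not one of the three Possible values (Off, Accept if provided by client, Required from client) and sits oddly beside "The default setting is Off" a few lines above; either explain what "not implemented" means for the effective setting or use Off. The Vulnerability section repeats the Reference paragraph nearly word for word and never says how SPN validation helps against the relay attacks it names, so the Countermeasure ("see Possible values above") gives the reader nothing to act on; name the recommended value and its prerequisite (clients that actually send the SPN, since the text says a session is denied when none is provided under Required from client). Minor: "a SMB client" should be "an SMB client" and "list of SPN's" should be "list of SPNs". This table's labels ("Server type or Group Policy object (GPO)", "Default domain policy") also differ from the other tables in this patch ("Server type or GPO", "Default Domain Policy").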
@@ -0,0 +1,72 @@ +--- +title: Microsoft Passport and password changes (Windows 10) +description: When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. +ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Microsoft Passport and password changes + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +When you set up Microsoft Passport, the PIN or biometric (Windows Hello) gesture that you use is specific to that device. You can set up Passport for the same account on multiple devices. If the PIN or biometric is configured as part of a Microsoft Passport for Work, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Microsoft Passport for Work is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Passport. + +## Example + + +Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. + +Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. + +Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Passport on **Device A** knows will be outdated. + +**Note**   +This example also applies to an Active Directory account when [Passport for Work is not implemented](implement-microsoft-passport-in-your-organization.md). + +  + +## How to update Passport after you change your password on another device + + +1. 
When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** + +2. Click **OK.** + +3. Click **Sign-in options**. + +4. Click the **Password** button. + +5. Sign in with new password. + +6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN. + +## Related topics + + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) + +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Passport successfully created](passport-event-300.md) + +  + +  + + + + + diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md new file mode 100644 index 0000000000..af9f471ce3 --- /dev/null +++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md 
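Review bot: The procedure "How to update Passport after you change your password on another device" applies only when Microsoft Passport for Work is not deployed, which the opening paragraph states (with Passport for Work the gesture "uses a key or certificate" and a password change "will not impact sign-in"); say so in a lead sentence to the procedure, because the Note about Active Directory accounts is the only nearby hint. Step 1 describes a message the user sees rather than an action; fold it into that lead sentence ("When you see the message ... on the sign-in screen:") so the numbered list contains only steps. Step 5 "Sign in with new password" is missing "your".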
@@ -0,0 +1,259 @@ +--- +title: Microsoft Passport errors during PIN creation (Windows 10) +description: When you set up Microsoft Passport in Windows 10, you may get an error during the Create a work PIN step. +ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 +keywords: ["PIN", "error", "create a work PIN"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Microsoft Passport errors during PIN creation + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +When you set up Microsoft Passport in Windows 10, you may get an error during the **Create a work PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. + +## Where is the error code? + + +The following image shows an example of an error during **Create a work PIN**. + +![](images/pinerror.png) + +## Error mitigations + + +When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. + +1. Try to create the PIN again. Some errors are transient and resolve themselves. + +2. Log out, log in, and try to create the PIN again. + +3. Reboot the device and then try to create the PIN again. + +4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](http://go.microsoft.com/fwlink/p/?LinkId=715697). + +5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](http://go.microsoft.com/fwlink/p/?LinkId=715697). 
+ +If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HexCauseMitigation
0x801C03ED

Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

+

-or-

+

Token was not found in the Authorization header

+

-or-

+

Failed to read one or more objects

Unjoin the device from Azure Active Directory (Azure AD) and rejoin
0x801C044DAuthorization token does not contain device IDUnjoin the device from Azure AD and rejoin
0x80090036User cancelled an interactive dialogUser will be asked to try again
0x80090011The container or key was not foundUnjoin the device from Azure AD and rejoin
0x8009000FThe container or key already existsUnjoin the device from Azure AD and rejoin
0x8009002ANTE_NO_MEMORYClose programs which are taking up memory and try again.
0x80090005NTE_BAD_DATAUnjoin the device from Azure AD and rejoin
0x80090031NTE_AUTHENTICATION_IGNOREDReboot the device. If the error occurs again after rebooting, [reset the TPM]( http://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](http://go.microsoft.com/fwlink/p/?LinkId=629650)
0x80090035Policy requires TPM and the device does not have TPM.Change the Passport policy to not require a TPM.
0x801C0003User is not authorized to enrollCheck if the user has permission to perform the operation​.
0x801C000ERegistration quota reached

Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](http://go.microsoft.com/fwlink/p/?LinkId=626933).

0x801C000FOperation successful but the device requires a rebootReboot the device.
0x801C0010The AIK certificate is not valid or trustedLog out and then log in again.
0x801C0011The attestation statement of the transport key is invalidLog out and then log in again.
0x801C0012Discovery request is not in a valid formatLog out and then log in again.
0x801C0015The device is required to be joined to an Active Directory domain​Join the device to an Active Directory domain.
0x801C0016The federation provider configuration is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.
0x801C0017​The federation provider domain is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.
0x801C0018The federation provider client configuration URL is emptyGo to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.
0x801C03E9Server response message is invalidLog out and then log in again.
0x801C03EAServer failed to authorize user or device.Check if the token is valid and user has permission to register Passport keys.
0x801C03EBServer response http status is not validLog out and then log in again.
0x801C03ECUnhandled exception from server.Log out and then log in again.
0x801C03EDThe request sent to the server was invalid.Log out and then log in again.
0x801C03EEAttestation failedLog out and then log in again.
0x801C03EFThe AIK certificate is no longer validLog out and then log in again.
​0x801C044DUnable to obtain user tokenLog out and then log in again. Check network and credentials.
0x801C044EFailed to receive user creds inputLog out and then log in again.
+ +  + +## Errors with unknown mitigation + + +For errors listed in this table, contact Microsoft Support for assistance. + +| Hex | Cause | +|-------------|-------------------------------------------------------------------------------------------------------| +| 0x80072f0c | Unknown | +| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. | +| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x80090020 | NTE\_FAIL | +| 0x801C0001 | ​ADRS server response is not in valid format | +| 0x801C0002 | Server failed to authenticate the user | +| 0x801C0006 | Unhandled exception from server | +| 0x801C000C | Discovery failed | +| 0x801C001B | ​The device certificate is not found | +| 0x801C000B | Redirection is needed and redirected location is not a well known server | +| 0x801C0019 | ​The federation provider client configuration is empty | +| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty | +| 0x801C0013 | Tenant ID is not found in the token | +| 0x801C0014 | User SID is not found in the token | +| 0x801C03F1 | There is no UPN in the token | +| 0x801C03F0 | ​There is no key registered for the user | +| 0x801C03F1 | ​There is no UPN in the token | +| ​0x801C044C | There is no core window for the current thread | + +  + +## Related topics + + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) + +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) + +[Event ID 300 - Passport successfully created](passport-event-300.md) + +  + +  + + + + + 
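Review bot: the mitigation table in this hunk lists the same error code twice with conflicting guidance, so a reader who looks up a code cannot tell which fix applies. `0x801C03ED` appears first with the cause "Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed" and the mitigation "Unjoin the device from Azure Active Directory (Azure AD) and rejoin", then again near the bottom as "The request sent to the server was invalid." with "Log out and then log in again."; `0x801C044D` likewise appears as "Authorization token does not contain device ID" (unjoin and rejoin) and as "Unable to obtain user token" (log out and log in). Either one code in each pair is a typo for a different code, or the rows should be merged into one entry that lists both causes, the way the first `0x801C03ED` row already stacks three causes with "-or-". In the "Errors with unknown mitigation" table the row `| 0x801C03F1 | There is no UPN in the token |` is duplicated verbatim; drop one. Two mitigations also need a caveat: the fix for `0x80090031` ("reset the TPM or run Clear-TPM") destroys every key the TPM protects, so the row should tell the administrator to suspend BitLocker and save recovery keys before clearing, and the fix for `0x80090035` ("Change the Passport policy to not require a TPM") trades hardware-backed key storage for software-backed keys and should be presented as an organizational policy decision rather than a routine mitigation. Finally, several cells carry stray zero-width characters (for example "perform the operation​." and "​0x801C044C"), and the first table is HTML markup with a colgroup while the second is a Markdown pipe table; rewriting the first as a pipe table would remove the invisible characters and make duplicate codes easier to catch in review.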
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md new file mode 100644 index 0000000000..17108c5fef --- /dev/null +++ b/windows/keep-secure/microsoft-passport-guide.md 
@@ -0,0 +1,489 @@ +--- +title: Microsoft Passport guide (Windows 10) +description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. +ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84 +keywords: ["security", "credential", "password", "authentication"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: brianlic-msft +--- + +# Microsoft Passport guide + + +**Applies to** + +- Windows 10 + +This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout. + +A fundamental assumption about information security is that a system can identify who’s using it. In identifying a user, the system can decide whether the user has identified himself or herself appropriately (a process known as authentication), and then determine what that properly authenticated user should be able to do (a process known as authorization). The overwhelming majority of computer systems deployed throughout the world depend on user credentials as a means of making authentication and authorization decisions, and that means that these systems depend on reusable, user-created passwords for their security. The oft-cited maxim that authentication can involve “something you know, something you have, or something you are” neatly highlights the issue: a reusable password is an authentication factor all by itself, so anyone who knows the password can impersonate the user who owns it. 
+ +## Problems with traditional credentials + + +Ever since the mid-1960s, when Fernando Corbató and his team at the Massachusetts Institute of Technology championed the introduction of the password, users and administrators have had to deal with the use of passwords for user authentication and authorization. Over time, the state of the art for password storage and use has advanced somewhat (with password hashing and salt being the two most noticeable improvements), but we’re still faced with two serious problems: passwords are easy to clone and easy to steal. Implementation faults may render them insecure, and users have a hard time balancing convenience and security. + +**Credential theft** + +The biggest risk of passwords is simple: an attacker can steal them easily. Every place a password is entered, processed, or stored is vulnerable. For example, an attacker can steal a collection of passwords or hashes from an authentication server by eavesdropping on network traffic to an application server, by implanting malware in an application or on a device, by logging user keystrokes on a device, or by watching to see which characters a user types — and those are just the most common attack methods. One can enact more exotic attacks to steal one or many passwords. + +The risk of theft is driven by the fact that the authentication factor the password represents is the password. Without additional authentication factors, the system assumes that anyone who knows the password is the authorized user. + +Another, related risk is that of credential replay, in which an attacker captures a valid credential by eavesdropping on an insecure network, and then replays it later to impersonate a valid user. 
Most authentication protocols (including Kerberos and OAuth) protect against replay attacks by including a time stamp in the credential exchange process, but that protects the token that the authentication system issues, not the password that the user provides to get the ticket in the first place. + +**Credential reuse** + + + +The common approach of using an email address as the user name makes a bad problem worse. An attacker who successfully recovers a user name–password pair from a compromised system can then try that same pair on other systems. Surprisingly often, this tactic works to allow attackers to springboard from a compromised system into other systems. The use of email addresses as user names leads to other problems, too, which we’ll explore later in this guide. + +### + +**Trading convenience for complexity** + +Most security is a tradeoff between convenience and security: the more secure a system is, the less convenient it will typically be for users. Although system designers and implementers have a broad range of tools to make their systems more secure, users get a vote, too. When users perceive that a security mechanism gets in the way of what they want to do, they often look for ways to circumvent it. This behavior leads to an arms race of sorts, with users adopting strategies to minimize the effort required to comply with their organization’s password policies as those policies evolve. + +**Password complexity** + +If the major risk to passwords is that an attacker might guess them through brute-force analysis, it might seem reasonable to require users to include a broader character set in their passwords or make them longer, but as a practical matter, password length and complexity requirements have two negative side effects. First, they encourage password reuse. Estimates by [Herley, Florêncio, and van Oorschot](http://go.microsoft.com/fwlink/p/?LinkId=627392) calculate that the stronger a password is, the more likely it is to be reused. 
Because users put more effort into the creation and memorization of strong passwords, they are much more likely to use the same credential across multiple systems. Second, adding length or character set complexity to passwords does not necessarily make them more difficult to guess. For example, P@ssw0rd1 is nine characters long and includes uppercase and lowercase letters, numbers, and special characters, but it’s easily guessed by many of the common password-cracking tools now available on the Internet. These tools can attack passwords by using a pre-computed dictionary of common passwords, or they can start with a base word such as password, and then apply common character substitutions. A completely random eight-character password might therefore actually take longer to guess than P@ssw0rd123. + +**Password expiration** + +Because a reusable password is the only authentication factor in password-based systems, designers have attempted to reduce the risk of credential theft and reuse. One common method for doing so is the use of limited-lifetime passwords. Some systems allow for passwords that can be used only once, but by far the more common approach is to make passwords expire after a certain period. Limiting the useful lifetime of a password puts a cap on how long a stolen password will be useful to an attacker. This practice helps protect against cases where a long-lived password is stolen, held, and used for a long time, but it also harkens back to the time when password cracking was impractical for everyone except nation state-level attackers. A smart attacker would attempt to steal passwords rather than crack them because of the time penalty associated with password cracking. 
+ +The widespread availability of commodity password-cracking tools and the massive computing power available through mechanisms such as GPU-powered crackers or distributed cloud-based cracking tools has reversed this equation so that it is often more effective for an attacker to crack a password than to try to steal it. In addition, the widespread availability of self-service [password-reset mechanisms](#password-reset) means that an attacker needs only a short window of time during which the password is valid to change the password and thus reset the validity period. Relatively few enterprise networks provide self-service password-reset mechanisms, but they are common for Internet services. In addition, many users use the secure credential store on Windows and Mac OS X systems to store valuable passwords for Internet services, so an attacker who can compromise the operating system password may be able to obtain a treasure trove of other service passwords at no cost. + +Finally, overly short timelines for password expiration can tempt users to make small changes in their passwords at each expiration period — for example, moving from password123 to password456 to password789. This approach reduces the work necessary to crack the password, especially if the attacker knows any of the old passwords. + +### + +**Password-reset mechanisms** + +To let users better manage their own passwords, some services provide a way for users to change their own password. Some implementations require users to log on with their current password, while others allow users to select the **Forgot my password** option, which sends an email to the user’s registered email address. The problem with these mechanisms is that many of them are implemented such that an attacker can exploit them. 
For example, an attacker who can successfully guess or steal a user’s email password can merrily request password resets for all of the victim’s other accounts, because the reset emails go to the compromised account. For this reason, most enterprise networks are configured so that only administrators can reset user passwords; for example, Active Directory supports the use of a **Password must be changed on next logon** flag so that after the administrator resets a password, the user can reset the password only after providing the administrator-set password. Some mobile device management (MDM) systems support similar functionality for mobile devices. + +**User password carelessness** + +An insidious problem makes these design and implementation weaknesses worse: some users just aren’t careful with their passwords. They write them down in insecure locations, choose easy-to-guess passwords, take minimal (if any) precautions against malware, or even give their passwords to other people. These users aren’t necessarily careless because they don’t care; they want to get things done, and overly stringent password length or expiration policies or too many passwords hinders them. + +**Mitigate credential risks** + +Given the issues described so far, it might seem obvious that reusable passwords are a security hazard. The argument is simple: adding authentication factors reduces the value of the passwords themselves, because even a successful password theft won’t let an attacker log on to a system unless he or she also has the associated additional factors. Unfortunately, this simple argument has many practical complications. Security and operating system vendors have tried to solve the problems that reusable credentials pose for decades — with limited success. + +The most obvious mitigation to the risks reusable passwords pose is to add one or more authentication factors. 
At different times over the past 30 years, different vendors have attempted to solve this problem by calling for the use of biometric identifiers (including fingerprints, iris and retina scans, and hand geometry), software-based and hardware-based tokens, physical and virtual smart cards, and voice or Short Message Service (SMS) authentication through the user’s mobile phone. A detailed description of each of these authenticators and its pros and cons is outside the scope of this guide, but no matter which authentication method you choose, core challenges have limited adoption of all Multi-Factor Authentication (MFA) solutions, including: + +- **Infrastructure complexity and cost.** Any system that requires the user to provide an additional authentication factor at the point of access has to have a way to collect that information. Although it’s possible to retrofit fielded hardware by adding fingerprint readers, eye scanners, smart card readers, and so on, few enterprises have been willing to take on the cost and support burden required to do so. + +- **Lack of standardization.** Although Microsoft included operating system–level smart card support as part of the Windows Vista operating system, smart card and reader vendors were free to continue to ship their own drivers, as were manufacturers of other authentication devices. Lack of standardization led to both application and support fragmentation, which means that it wasn’t always possible to mix and match solutions within an enterprise, even when the manufacturers of those solutions advertised them as being compatible. + +- **Backward compatibility.** Retrofitting already-deployed operating systems and applications to use MFA has proven an extremely difficult task. Nearly three years after its release, Microsoft Office 2013 is finally getting support for MFA. 
The vast majority of both commercial and custom line-of-business (LOB) applications will never be retrofitted to take advantage of any authentication system other than what the underlying operating system provides. + +- **User inconvenience.** Solutions that require users to obtain, keep track of, and use physical tokens are often unpopular. If users have to have a particular token for remote access or other scenarios that are supposed to make things more convenient, they tend to become quickly dissatisfied with the burden of keeping up with an additional device. This pushback is multiplied for solutions that have to be attached to computers (such as smart card readers) because such solutions introduce problems of portability, driver support, and operating system and application integration. + +- **Device compatibility.** Not every hardware form factor supports every authentication method. For example, despite occasional feeble efforts from vendors, no market for mobile phone-compatible smart card readers ever emerged. So when Microsoft first implemented smart cards as an authenticator for remote network access, one key limitation was that employees could log on only from desktop or laptop computers that had smart card readers. Any authentication method that relies on additional hardware or software may run into this problem. For example, several popular “soft token” systems rely on mobile apps that run on a limited number of mobile hardware platforms. + +Another pesky problem has to do with institutional knowledge and maturity. Strong authentication systems are complex. They have lots of components, and they can be expensive to design, maintain, and operate. For some enterprises, the additional cost and overhead of maintaining an in-house public key infrastructure (PKI) to issue smart cards or the burden of managing add-on devices exceeds the value they perceive in having stronger authentication. 
This is a special case of the common problem that financial institutions face: if the cost of fraud reduction is higher than the cost of the fraud itself, it’s hard to justify the economics of better fraud-prevention measures. + +## Solve credential problems + + +Solving the problems that passwords pose is tricky. Tightening password policies alone won’t do it: users may just recycle, share, or write down passwords. Although user education is critical for authentication security, education alone doesn’t eliminate the problem, either. + +As you’ve seen, additional authenticators won’t necessarily help if the new authentication systems add complexity, cost, or fragility. In Windows 10, Microsoft addresses these problems with two new technologies: Windows Hello and Microsoft Passport. Working together, these technologies help increase both security and user convenience: + +- Microsoft Passport replaces passwords with strong two-factor authentication (2FA) by verifying existing credentials and by creating a device-specific credential that a user gesture (either biometric or PIN-based) protects. This combination effectively replaces physical and virtual smart cards as well as reusable passwords for logon and access control. + +- Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras, and fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ Microsoft Passport credentials. + +## What is Windows Hello? + + +Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. 
Because it is built directly into the operating system, Windows Hello allows face or fingerprint identification to unlock users’ devices. Authentication happens when the user supplies his or her unique biometric identifier to access the device-specific Microsoft Passport credentials, which means that an attacker who steals the device can’t log on to it unless that attacker has the PIN. The Windows secure credential store protects biometric data on the device. By using Windows Hello to unlock a device, the authorized user gains access to all of his or her Windows experience, apps, data, websites, and services. + +The Windows Hello authenticator is known as a Hello. A Hello is unique to the combination of an individual device and a specific user; it doesn’t roam among devices, isn’t shared with a server, and cannot easily be extracted from a device. If multiple users share a device, each user gets a unique Hello for that device. You can think of a Hello as a token you can use to unlock (or release) a stored credential: the Hello itself doesn’t authenticate you to an app or service, but it releases credentials that can. + +At the launch of Windows 10, the operating system supported three Hello types: + +- **PIN.** Before you can use Windows Hello to enable biometrics on a device, you must choose a PIN as your initial Hello gesture. After you’ve set a PIN, you can add biometric gestures if you want to. You can always use the PIN gesture to release your credentials, so you can still unlock and use your device even if you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. + +- **Facial recognition.** This type uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. 
Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. + +- **Fingerprint recognition.** This type uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Biometric data used to implement these Hello gestures is stored securely on the local device only. It doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. Breaches that expose biometrics collected and stored for other uses (such as fingerprints collected and stored for law enforcement or background check purposes) don’t pose a significant threat: an attacker who steals biometrics literally has only a template of the identifier, and that template cannot easily be converted to a form that the attacker can present to a biometric sensor. The data path for Windows Hello-compatible sensors is resistant to tampering, too, which further reduces the chance that an attacker will be able to successfully inject faked biometric data. In addition, before an attacker can even attempt to inject data into the sensor pipeline, that attacker must gain physical access to the device — and an attacker who can do that can mount several other, less difficult attacks. + +Windows Hello offers several major benefits. First, when combined with Microsoft Passport, it effectively solves the problems of credential theft and sharing. Because an attacker must obtain both the device and the selected biometric, it is much more difficult to gain access without the user’s knowledge. 
Second, the use of biometrics means that users benefit from having a simple authenticator that’s always with them: there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for signing in to all their Windows devices. Finally, in many cases, there’s nothing additional to deploy or manage to use Windows Hello (although Microsoft Passport may require additional deployment, as described later in this guide). Windows Hello support is built directly into the operating system, and users or enterprises can add compatible biometric devices to provide biometric gesture recognition, either as part of a coordinated rollout or as individual users or groups decide to add the necessary sensors. Windows Hello is part of Windows, so no additional deployment is required to start using it. + +## What is Microsoft Passport? + + +Windows Hello provides a robust way for a device to recognize an individual user; that addresses the first part of the path between a user and a requested service or data item. After the device has recognized the user, however, it still must authenticate the user before deciding whether to grant access to a requested resource. Microsoft Passport provides strong 2FA, fully integrated into Windows, that replaces reusable passwords with the combination of a specific device and a Hello or PIN. Microsoft Passport isn’t just a replacement for traditional 2FA systems, though. It’s conceptually similar to smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. Microsoft Passport doesn’t require the extra infrastructure components required for smart card deployment, either. In particular, you don’t need a PKI if you don’t currently have one. 
Microsoft Passport combines the major advantage of smart cards — deployment flexibility for virtual smart cards and robust security for physical smart cards — without any of their drawbacks. + +Microsoft Passport offers four significant advantages over the current state of Windows authentication: it’s more flexible, it’s based on industry standards, it’s an effective risk mitigator, and it’s ready for the enterprise. Let’s look at each of these advantages in more detail. + +**It’s flexible** + +Microsoft Passport offers unprecedented flexibility. Although the format and use of reusable passwords are fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with both biometric identifiers and PINs, so users’ credentials are protected even on devices that don’t support biometrics. Users can even use their phone to release their credentials instead of a PIN or biometric gesture on the main device. Microsoft Passport seamlessly takes advantage of the hardware of the devices in use; as users upgrade to newer devices, Microsoft Passport is ready to use them, and organizations can upgrade existing devices by adding biometric sensors where appropriate. + +Microsoft Passport offers flexibility in the datacenter, too. To deploy it, in some modes you must add Windows Server 2016 Technical Preview domain controllers to your Active Directory environment, but you don’t have to replace or remove your existing Active Directory servers — the servers required for Microsoft Passport build on and add capability to your existing infrastructure. You don’t have to change the domain or forest functional level, and you can either add on-premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport on your network. 
The choice of which users you should enable for Microsoft Passport use is completely up to you: you choose the policies and devices to support and which authentication factors you want users to have access to. This makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding strong credential protection to users who don’t currently have it or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems (described in the [Design a Microsoft Passport deployment](#design) section). + +**It’s standardized** + +Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end. The future lies with open, interoperable systems that allow secure authentication across a variety of devices, LOBs, and external applications and websites. To this end, a group of industry players formed the Fast IDentity Online Alliance (FIDO), a nonprofit organization intended to address the lack of interoperability among strong authentication devices as well as the problems users face when they have to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. For more information, see the [FIDO Alliance website](http://go.microsoft.com/fwlink/p/?LinkId=627393). + +In 2013, Microsoft joined the FIDO Alliance. FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong passwordless authentication. 
The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: passwordless (known as the Universal Authentication Framework \[UAF\]) and 2nd Factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals to combine the best parts of the U2F and UAF FIDO 1.0 standards. Microsoft is actively contributing to the proposals, and Windows 10 is a reference implementation of these concepts. In addition to supporting those protocols, the Windows implementation covers other aspects of the end-to-end experience that the specification does not cover, including user interface to, storage of, and protection for users’ device keys and the tokens issued after authentication; supporting administrator policies; and providing deployment tools. Microsoft expects to continue working with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. + +**It’s effective** + +Microsoft Passport effectively mitigates two major security risks. First, by eliminating the use of reusable passwords for logon, it reduces the risk that a user’s credential will be copied or reused. On devices that support the Trusted Platform Module (TPM) standard, user key material can be stored in the user device’s TPM, which makes it more difficult for an attacker to capture the key material and reuse it. For devices that lack TPM, Microsoft Passport can encrypt and store credential data in software, but administrators can disable this feature to force a “TPM or nothing” deployment. + +Second, because Microsoft Passport doesn’t depend on a single, centralized server, the risk of compromise from a breach of that server is removed. 
Although an attacker could theoretically compromise a single device, there’s no single point of attack that an intruder can leverage to gain widespread access to the environment. + +**It’s enterprise-ready** + +Every edition of Windows 10 includes Microsoft Passport functionality for individual use; enterprise and personal users can take advantage of Microsoft Passport to protect their individual credentials with compatible applications and services. In addition, enterprises whose users are running Windows 10 Professional and Windows 10 Enterprise have the ability to use Microsoft Passport for Work, an enhanced version of Microsoft Passport that includes the ability to centrally manage Microsoft Passport settings for PIN strength and biometric use through Group Policy Objects (GPOs). + +## How Microsoft Passport works + + +To use Microsoft Passport to sign in with an identity provider (IDP), a user needs a configured device, which means that the Microsoft Passport life cycle starts when you configure a device for Microsoft Passport use. When the device is set up, its user can use the device to authenticate to services. In this section, we explore how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. + +**Register a new user or device** + +A goal of Microsoft Passport is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Microsoft Passport as registration. + +**Note**   +This is separate from the organizational configuration required to use Microsoft Passport with Active Directory or Azure AD; that configuration is discussed later in this guide. 
This configuration must be completed before users can begin to register. + +  + +The registration process works like this: + +1. The user configures an account on the device. + + This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as logging on with a Microsoft account. Logging on with a Microsoft account on a Windows 10 device automatically sets up Microsoft Passport on the device; users don’t have to do anything extra to enable it. + +2. To log on using that account, the user has to enter the existing credentials for it. + + The IDP that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. + +3. When the user has provided the proof to the IDP, the user enables PIN authentication (Figure 1). + + The PIN will be associated with this particular credential. + + ![figure 1](images/passport-fig1.png) + + Figure 1. Set up a PIN in the **Account Settings** control panel item + + When the user sets the PIN, it becomes usable immediately (Figure 2). + + ![figure 2](images/passport-fig2-pinimmeduse.png) + + Figure 2. When set, the PIN is immediately usable + +Remember that Microsoft Passport depends on pairing a device and a credential, so the PIN chosen is associated only with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. 
Other registration scenarios that Microsoft Passport supports are: + +- A user who upgrades from the Windows 8.1 operating system will log on by using his or her existing enterprise password. That triggers MFA from the IDP side; after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. + +- A user who typically uses a smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. + +- A user who typically uses a virtual smart card to log on will be prompted to set up a PIN the first time he or she logs on to a Windows 10 device the user has not previously logged on to. + +When the user has completed this process, Microsoft Passport generates a new public–private key pair on the device. The TPM generates and stores this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. The protector key securely wraps the authentication key for a specific container. Each container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys (each of which is associated with a unique gesture). Microsoft Passport also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. 
That means he or she is able to securely log on to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future logons can then use either the PIN or the registered biometric gestures. + +**What’s a container?** + +You’ll often hear the term *container* used in reference to MDM solutions. Microsoft Passport uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 supports two containers: the default container holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and the enterprise container holds credentials associated with a workplace or school account. + +The enterprise container exists only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. The enterprise container contains only key data for Active Directory or Azure AD. If the enterprise container is present on a device, it’s unlocked separately from the default container, which maintains separation of data and access across personal and enterprise credentials and services. For example, a user who uses a biometric gesture to log on to a managed computer can separately unlock his or her personal container by entering a PIN when logging on to make a purchase from a website. + +These containers are logically separate. 
Organizations don’t have any control over the credentials users store in the default container, and applications that authenticate against services in the default container can’t use credentials from the enterprise container. However, individual Windows applications can use the Microsoft Passport application programming interfaces (APIs) to request access to credentials as appropriate, so that both consumer and LOB applications can be enhanced to take advantage of Microsoft Passport. + +It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Microsoft Passport stores are protected without the creation of actual containers or folders. + +Each container actually contains a set of keys, some of which are used to protect other keys. Figure 3 shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. + +![figure 3](images/passport-fig3-logicalcontainer.png) + +Figure 3. Each logical container holds one or more sets of keys + +Containers can contain several types of key material: + +- An *authentication key*, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. + +- *Virtual smart card keys* are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. 
+ +- *Secure/Multipurpose Internet Mail Extensions (S/MIME) keys and certificates*, which a certification authority (CA) generates. The keys associated with the user’s S/MIME certificate can be stored in a Microsoft Passport container so they’re available to the user whenever the container is unlocked. + +- The *IDP key*. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container as illustrated in Figure 3. For certificate-based Microsoft Passport for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this machine to the IDP. IDP keys are typically long lived but could have a shorter lifetime than the authentication key. + +Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: + +- The IDP key pair can be associated with an enterprise CA through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](http://go.microsoft.com/fwlink/p/?LinkId=733947). In this case, Microsoft Passport requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. 
Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Microsoft Passport in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + +- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Microsoft Passport in environments that don’t have or need a PKI. + +**How keys are protected** + +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Microsoft Passport for Work implementation takes advantage of onboard TPM hardware to generate, store, and process keys. However, Microsoft Passport and Microsoft Passport for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the machine can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. + +Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. 
When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + +**Authentication** + +When a user wants to access protected key material — perhaps to use an Internet site that requires a logon or to access protected resources on a corporate intranet — the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. On a personal device that’s connected to an organizational network, users will use their personal PIN or biometric to release the key; on a device joined to an on-premises or Azure AD domain, they will use the organizational PIN. + +This process unlocks the protector key for the primary container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. + +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or log on to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Microsoft Passport layer handles the actual work and returns the results. 
Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. + +The actual authentication process works like this: + +1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) + +2. The IDP returns a challenge, known as a *nonce*. + +3. The device signs the nonce with the appropriate private key. + +4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. + +5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. + +6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. + +7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. + +8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. + +When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. 
+ +Remote unlock, which is planned for a future release of Windows 10, builds on these scenarios by enabling seamless remote authentication from a mobile device as a second factor. For example, suppose that you’re visiting another office at your company and you need to borrow a computer there temporarily, but you don’t want to potentially expose your credentials to capture. Rather than type in your credentials, you can click **other user** on the Windows 10 logon screen, type your user name, pick the tile for remote authentication, and use an app on your phone, which you already unlocked by using its built-in facial-recognition sensors. The phone and computer are paired and handshake via Bluetooth, you type your authentication PIN on the phone, and the computer gets confirmation of your identity from the IDP. All this happens without typing a password anywhere or typing your PIN on the PC. + +**The infrastructure** + +Microsoft Passport depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: + +- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to devices. You can use NDES to register devices directly, Microsoft System Center Configuration Manager Technical Preview or later for on-premises environments, or Microsoft Intune where it’s available to manage mobile device participation in Microsoft Passport. + +- You can configure Windows Server 2016 Technical Preview domain controllers to act as IDPs for Microsoft Passport. In this mode, the Windows Server 2016 Technical Preview domain controllers act as IDPs alongside any existing Windows Server 2008 R2 or later domain controllers. 
There is no requirement to replace all existing domain controllers, merely to introduce at least one Windows Server 2016 Technical Preview domain controller per Active Directory site and update the forest Active Directory Domain Services (AD DS) schema to Windows Server 2016 Technical Preview. + +- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Microsoft Passport IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 Technical Preview domain controllers required. + +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. + +In addition to the IDP, Microsoft Passport requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the [Deployment requirements](#deployreq) section of this document. + +## Design a Microsoft Passport for Work deployment + + +Microsoft Passport for Work is designed for integration with your existing and future directory infrastructure and device deployments, but this flexibility means there are many considerations to think about when you design your deployment. Some of these decisions are technical, while others are organizational or even political. In this section, we examine the key points where you have to make decisions about how to implement Microsoft Passport for Work. 
Remember, individual devices can use the individual version of Microsoft Passport without any infrastructure changes on your part. Microsoft Passport for Work allows you to control and centrally manage user authentication and device registration. To use the initial version of Microsoft Passport for Work, each device must have an Azure AD identity, so automatic registration of devices provides a means both to register new devices and to apply optional policies to manage Microsoft Passport for Work. + +**One deployment strategy** + +Different organizations will necessarily take different approaches to the deployment of Microsoft Passport depending on their capabilities and needs, but there is only one strategy: deploy Microsoft Passport for Work throughout the organization to get maximum protection for the maximum number of devices and resources. Organizations can take one of three basic routes to accomplish that strategy: + +- Deploy Microsoft Passport for Work everywhere according to whatever device or user deployment strategy works best for the organization. + +- Deploy Microsoft Passport for Work first to high-value or high-risk targets, by using conditional access policies to restrict access to key resources only to users who hold strong authentication credentials. + +- Blend Microsoft Passport for Work into an existing multi-factor environment, using it as an additional form of strong authentication alongside physical or virtual smart cards. + +**Deploy Microsoft Passport for Work everywhere** + +In this approach, you deploy Microsoft Passport throughout the organization in a coordinated rollout. In some ways, this method is similar to any other desktop deployment project; the only real difference is that you must already have the Microsoft Passport infrastructure in place to support device registration before you can start using Microsoft Passport on Windows 10 devices. 
+ +**Note**   +You can still upgrade to Windows 10 or add new Windows 10 devices without changing your infrastructure. You just can’t use Microsoft Passport for Work on a device until the device joins Azure AD and receives the appropriate policy. + +  + +The major benefit of this approach is that it provides uniform protection for all parts of the organization. Sophisticated attackers have shown a great deal of skill in breaching large organizations by identifying weak points in their security, including users and systems that don’t have high-value information but that can be exploited to get it. Applying consistent protection across every device that an attacker could use to access enterprise data is excellent protection against these types of attacks. + +The downside to this approach is its complexity. Smaller organizations may find that managing the rollout of a new operating system across all devices is beyond the scope of their experience and capability. For these organizations, users can self-upgrade, and new users may end up with Windows 10 because they get new devices when they join. Larger organizations, especially those that are highly decentralized or have operations across many physical sites, may have more deployment knowledge and resources but face the challenge of coordinating rollout efforts across a larger user base and footprint. + +For more information about desktop deployment of Windows 10, visit the [Windows 10 TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=626581). + +One key aspect of this deployment strategy is how to get Windows 10 in users’ hands. Because different organizations have wildly differing strategies to refresh hardware and software, there’s no one-size-fits-all strategy. For example, some organizations pursue a coordinated strategy that puts new desktop operating systems in users’ hands every 2–3 years on existing hardware, supplementing with new hardware only where and when required. 
Others tend to replace hardware and deploy whatever version of the Windows client operating system ships on the purchased devices. In both cases, there are typically separate deployment cycles for servers and server operating systems, and the desktop and server cycles may or may not be coordinated. + +In addition to the issue of Windows 10 deployment to users, you must consider how and when (or if!) you’ll deploy biometric devices to users. Because Windows Hello can take advantage of multiple biometric identifiers, you have a flexible range of device options, which includes the purchase of new devices that incorporate your selected biometric, seeding select users with appropriate devices, rollout of biometric devices as part of a scheduled hardware refresh and using PIN gestures until users get devices, or relying on remote unlock as a second authentication factor. + +**Deploy to high-value or high-risk targets** + +This strategy takes into account the fact that in most networks, not every asset is equally protected or equally valuable. There are two ways to think about this. One is that you can focus on protecting the users and services that are most at risk of compromise because of their value. Examples include sensitive internal databases or the user accounts of your key executives. The other option is that you can focus on areas of your network that are the most vulnerable, such as users who travel frequently (and thus run a higher risk of lost or stolen devices or drive-by credential theft). Either way, the strategy is the same: selectively and quickly deploy Microsoft Passport to protect specific people and resources. For example, you might issue new Windows 10 devices with biometric sensors to all users who need access to a sensitive internal database, and then deploy the minimum required infrastructure to support Microsoft Passport–secured access to that database for those users. 
+ +One of the key design capabilities of Microsoft Passport for Work is that it supports Bring Your Own Device (BYOD) environments by allowing users to register their own devices with the organizational IDP (whether on premises, hybrid, or Azure AD). You may be able to take advantage of this capability to quickly deploy Microsoft Passport to protect your most vulnerable users or assets, ideally by using biometrics as an additional safety measure for the most valuable potential targets. + +**Blend Microsoft Passport with your infrastructure** + +Organizations that have already invested in smart cards, virtual smart cards, or token-based systems can still benefit from Microsoft Passport. Of those organizations, many use physical tokens and smart cards to protect only critical assets because of the expense and complexity of their deployment. Microsoft Passport offers a valuable complement to these systems because it protects users who currently rely on reusable credentials; protection of all users’ credentials is an important step toward blunting attacks that seek to leverage compromise of any credential into a widespread breach. This approach also gives you a great deal of flexibility in scheduling and deployment. + +Some enterprises have deployed multi-use smart cards that provide building-access control, access to copiers or other office equipment, stored value for lunchroom purchases, remote network access, and other services. Deployment of Microsoft Passport in such environments doesn’t prevent you from continuing to use smart cards for these services. You can leave the existing smart card infrastructure in place for its existing use cases, and then register desktop and mobile devices in Microsoft Passport and use Microsoft Passport to secure access to network and Internet resources. 
This approach requires a more complicated infrastructure and a greater degree of organizational maturity because it requires you to link your existing PKI with an enrollment service and Microsoft Passport itself. + +Smart cards can act as a useful complement to Microsoft Passport in another important way: to bootstrap the initial logon for Microsoft Passport registration. When a user registers with Microsoft Passport on a device, part of that registration process requires a conventional logon. Rather than using a traditional password, organizations that have previously deployed the necessary infrastructure for smart cards or virtual smart cards can allow their users to register new devices by logging on with a smart card or virtual smart card. After the user has proved his or her identity to the organizational IDP with the smart card, the user can set up a PIN and proceed to use Microsoft Passport for future logons. + +**Choose a rollout method** + +Which rollout method you choose depends on several factors: + +- **How many devices you need to deploy.** This number has a huge influence on your overall deployment. A global rollout for 75,000 users has different requirements than a phased rollout for groups of 200–300 users in different cities. + +- **How quickly you want to deploy Microsoft Passport for Work protection.** This is a classic cost–benefit tradeoff. You have to balance the security benefits of Microsoft Passport for Work against the cost and time required to deploy it broadly, and different organizations may make entirely different decisions depending on how they rate the costs and benefits involved. Getting the broadest possible Microsoft Passport coverage in the shortest time possible maximizes security benefits. 
+ +- **The type of devices you want to deploy.** Windows device manufacturers are aggressively introducing new devices optimized for Windows 10, leading to the possibility that you might deploy Microsoft Passport first on newly purchased tablets and portable devices, and then deploy it on the desktop as part of your normal refresh cycle. + +- **What your current infrastructure looks like.** The individual version of Microsoft Passport doesn’t require changes to your Active Directory environment, but to support Microsoft Passport for Work, you may need a compatible MDM system. Depending on the size and composition of your network, mobile enrollment and management services deployment may be a major project in its own right. + +- **Your plans for the cloud.** If you’re already planning a move to the cloud, Azure AD eases the process of Microsoft Passport for Work deployment, because you can use Azure AD as an IDP alongside your existing on-premises AD DS setup without making significant changes to your on-premises environment. Future versions of Microsoft Passport for Work will support the ability to simultaneously register devices that are already members of an on-premises AD DS domain in an Azure AD partition so that they use Microsoft Passport for Work from the cloud. Hybrid deployments that combine AD DS with Azure AD give you the ability to keep machine authentication and policy management against your local AD DS domain while providing the full set of Microsoft Passport for Work services (and Microsoft Office 365 integration) for your users. If you plan to use on-premises AD DS only, then the design and configuration of your on-premises environment will dictate what kind of changes you may need to make. + +### + +**Deployment requirements** + +Table 1 lists six scenarios for deployment of Microsoft Passport for Work in the enterprise. 
The initial release of Windows 10 supports Azure AD–only scenarios, with support for on-premises Microsoft Passport for Work planned for a future release (see the [Roadmap](#roadmap) section for more details). + +Depending on the scenario you choose, Microsoft Passport for Work deployment may require four elements: + +- An organizational IDP that supports Microsoft Passport. This can be Azure AD or a set of on-premises Windows Server 2016 Technical Preview domain controllers in an existing AD DS forest. Using Azure AD means that you can establish hybrid identity management, with Azure AD acting as a Microsoft Passport IDP and your on-premises AD DS environment handling older authentication requests. This approach provides all the flexibility of Azure AD with the ability to manage computer accounts and devices running older versions of Windows and on-premises applications such as Microsoft Exchange Server or Microsoft SharePoint. + +- If you use certificates, an MDM system is required to allow policy management of Microsoft Passport for Work. Domain-joined devices in on-premises or hybrid deployments require Configuration Manager Technical Preview or later. Deployments with Azure AD must use either Intune or a compatible non-Microsoft MDM solution. + +- On-premises deployments require the forthcoming Active Directory Federation Services (AD FS) version included in Windows Server 2016 Technical Preview to support provisioning of Microsoft Passport credentials to devices. In this scenario, AD FS takes the place of the provisioning that Azure AD performs in cloud-based deployments. + +- Certificate-based Microsoft Passport deployments require a PKI, including CAs that are accessible to all devices that need to register. If you deploy certificate-based Microsoft Passport on premises, you don’t actually need Windows Server 2016 Technical Preview domain controllers. 
On-premises deployments do need to apply the Windows Server 2016 Technical Preview AD DS schema and have the Windows Server 2016 Technical Preview version of AD FS installed. + +Table 1. Deployment requirements for Microsoft Passport + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Microsoft Passport methodAzure ADHybrid Active DirectoryOn-premises Active Directory only
Key-based

Azure AD subscription

    +
  • Azure AD subscription
  • +
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • +
  • A few Windows Server 2016 Technical Preview domain controllers on-site
  • +
  • A management solution, such as Configuration Manager, Group Policy, or MDM
  • +
  • Active Directory Certificate Services (AD CS) without Network Device Enrollment Service (NDES)
  • +

One or more Windows Server 2016 Technical Preview domain controllers

+

AD FS of Windows Server 2016 Technical Preview

Certificate-based

Azure AD subscription

+

PKI infrastructure

+

Intune

    +
  • Azure AD subscription
  • +
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • +
  • AD CS with NDES
  • +
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +

AD DS Windows Server 2016 Technical Preview schema


+

AD FS of Windows Server 2016 Technical Preview

+

PKI infrastructure
 System Center 2012 R2 Configuration Manager with SP2 or later

+ +  + +Note that the current release of Windows 10 supports the Azure AD–only scenarios. Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities. + +**Select policy settings** + +Another key aspect of Microsoft Passport for Work deployment involves the choice of which policy settings to apply to the enterprise. There are two parts to this choice: which policies you deploy to manage Microsoft Passport itself and which policies you deploy to control device management and registration. A complete guide to selecting effective policies is beyond the scope of this guide, but one example reference that may be useful is [Mobile device management capabilities in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733877). + +## Implement Microsoft Passport + + +No configuration is necessary to use Windows Hello or Microsoft Passport on individual user devices if those users just want to protect their personal credentials. Unless the enterprise disables the feature, users have the option to use Microsoft Passport for their personal credentials, even on devices that are registered with an organizational IDP. However, when you make Microsoft Passport for Work available for users, you must add the necessary components to your infrastructure, as described earlier in the [Deployment requirements](#deployreq) section. + +**How to use Azure AD** + +There are three scenarios for using Microsoft Passport for Work in Azure AD–only organizations: + +- **Organizations that use the version of Azure AD included with Office 365.** For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. 
When a user selects the option to join a work or school network (Figure 4), the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone. + +- **Organizations that use the free tier of Azure AD.** For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the **Connect to work or school** dialog box shown in Figure 4 will be automatically registered with Microsoft Passport for Work support, but previously joined devices will not be registered. + +- **Organizations that have subscribed to Azure AD Premium have access to the full set of Azure AD MDM features.** These features include controls to manage Microsoft Passport for Work. You can set policies to disable or force the use of Microsoft Passport for Work, require the use of a TPM, and control the length and strength of PINs set on the device. + + ![figure 4](images/passport-fig4-join.png) + + Figure 4: Joining an Office 365 organization automatically registers the device in Azure AD + +**Enable device registration** + +If you want to use Microsoft Passport at Work with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. 
This is a prerequisite step to use Microsoft Passport for Work with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates. + +**Set Microsoft Passport policies** + +As of the initial release of Windows 10, you can control the following settings for the use of Microsoft Passport for Work: + +- You can require that Microsoft Passport be available only on devices that have TPM security hardware, which means the device uses TPM 1.2 or TPM 2.0. + +- You can enable Microsoft Passport with a hardware-preferred option, which means that keys will be generated on TPM 1.2 or TPM 2.0 when available and by software when TPM is not available. + +- You can configure whether certificate-based Microsoft Passport is available to users. You do this as part of the device deployment process, not through a separately applied policy. + +- You can define the complexity and length of the PIN that users generate at registration. + +- You can control whether Windows Hello use is enabled in your organization. + +These settings can be implemented through GPOs or through configuration service providers (CSPs) in MDM systems, so you have a familiar and flexible set of tools you can use to apply them to exactly the users you want. (For details about the Microsoft Passport for Work CSP, see [PassportForWork CSP)](http://go.microsoft.com/fwlink/p/?LinkId=733876). + +## Roadmap + + +The speed at which Universal Windows apps and services evolve means that the traditional design-build-test-release cycle for Windows is too slow to meet customers’ needs. As part of the release of Windows 10, Microsoft is changing how it engineers, tests, and distributes Windows. Rather than large, monolithic releases every 3–5 years, the Windows engineering team is committed to smaller, more frequent releases to get new features and services into the marketplace more rapidly without sacrificing security, quality, or usability. 
This model has worked well in Office 365 and the Xbox ecosystem. + +In the Windows 10 initial release, Microsoft supports the following Microsoft Passport and Windows Hello features: + +- Biometric authentication, with fingerprint readers that use the Windows fingerprint reader framework + +- Facial-recognition capability on devices that have compatible IR-capable cameras + +- Microsoft Passport for personal credentials on individually owned and corporate-managed devices + +- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments + +- Group Policy settings to control Microsoft Passport PIN length and complexity + +In future releases of Windows 10, we plan to add support for additional features: + +- Additional biometric identifier types, including iris recognition + +- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments + +- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates + +- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake) + +In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers. + +  + +  + + + + + diff --git a/windows/keep-secure/minimum-password-age.md b/windows/keep-secure/minimum-password-age.md new file mode 100644 index 0000000000..e3b03a77c1 --- /dev/null +++ b/windows/keep-secure/minimum-password-age.md 
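Review bot: in the Microsoft Passport guide hunk above (the one that ends with the Roadmap section), the cross-reference `[Deployment requirements](#deployreq)` in the "Implement Microsoft Passport" section has no target: the line before "Deployment requirements" is an empty `###` heading and the title itself is only a bold paragraph, so no `deployreq` anchor is generated. Make it a real heading (`### Deployment requirements`) and link to the generated anchor, or add an explicit `<a id="deployreq">` anchor; the other bold pseudo-headings in the same hunk ("Choose a rollout method", "Select policy settings", "How to use Azure AD", "Enable device registration", "Set Microsoft Passport policies") would be better as `###` headings for the same reason. Smaller points: the link text `[PassportForWork CSP)](http://go.microsoft.com/fwlink/p/?LinkId=733876)` has a stray `)` inside the brackets; the certificate-based row of Table 1 spells the product "InTune" while the rest of the file uses "Intune"; "Microsoft Passport at Work with certificates" under "Enable device registration" should read "Microsoft Passport for Work"; and the Roadmap bullet "on-premises Azure AD deployments" reads as a contradiction next to "hybrid on-premises/Azure AD deployments" and probably means on-premises AD DS deployments.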
@@ -0,0 +1,126 @@ +--- +title: Minimum password age (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. +ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Minimum password age + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting. + +## Reference + + +The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days. + +### Possible values + +- User-specified number of days between 0 and 998 + +- Not defined + +### Best practices + +Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended. + +If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +### Default values + +The following table lists the actual and effective default policy values. 
Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

1 day

Default domain controller policy

Not defined

Stand-alone server default settings

0 days

Domain controller effective default settings

1 day

Member server effective default settings

1 day

Effective GPO default settings on client computers

1 day

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach. + +To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. You must configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. + +### Countermeasure + +Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. 
+ +### Potential impact + +If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. + +## Related topics + + +[Password Policy](password-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/minimum-password-length.md b/windows/keep-secure/minimum-password-length.md new file mode 100644 index 0000000000..903f9b16ae --- /dev/null +++ b/windows/keep-secure/minimum-password-length.md 
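Review bot: in the minimum-password-age.md hunk above, the opening paragraph of "Reference" describes the wrong setting: "determines the period of time (in days) that a password can be used before the system requires the user to change it" and "You can set passwords to expire after a number of days between 1 and 999" are the semantics of Maximum password age, and they contradict the rest of the file, where Best practices and Security considerations treat the value as how long a password must be kept before the user is allowed to change it. Suggest "determines the period of time (in days) that a password must be used before the user can change it", with 0 meaning the user may change the password immediately. Also in this hunk: "the user will not be able to change the password until the number of days specified by **Minimum password age**" is missing "has elapsed"; "Potential impact" has "If you set a password for a user but wants that user" (should be "want"); and its "cannot change the password until the next day" only holds for the 1-day default, whereas the Countermeasure recommends at least 2 days.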
@@ -0,0 +1,133 @@ +--- +title: Minimum password length (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. +ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Minimum password length + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. + +## Reference + + +The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. + +### Possible values + +- User-specified number of characters between 0 and 14 + +- Not defined + +### Best practices + +Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md). + +Permitting short passwords reduces security because short passwords can be easily broken with tools that perform dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause an account lockout and subsequently increase the volume of Help Desk calls. 
+ +In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

7 characters

Default domain controller policy

Not defined

Stand-alone server default settings

0 characters

Domain controller effective default settings

7 characters

Member server effective default settings

7 characters

Effective GPO default settings on client computers

0 characters

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords. + +### Countermeasure + +Configure the **** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required. + +In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. + +**Note**   +Some jurisdictions have established legal requirements for password length as part of establishing security regulations. + +  + +### Potential impact + +Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. 
If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. + +## Related topics + + +[Password Policy](password-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/modify-an-object-label.md b/windows/keep-secure/modify-an-object-label.md new file mode 100644 index 0000000000..4fbd65119c --- /dev/null +++ b/windows/keep-secure/modify-an-object-label.md 
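Review bot: in the minimum-password-length.md hunk above, the Countermeasure sentence "Configure the **** policy setting to a value of 8 or more" has an empty bold span where the setting name belongs; it should read "Configure the **Minimum password length** policy setting to a value of 8 or more". The Best practices and Countermeasure sections then repeat the same rationale almost verbatim (eight-character recommendation, brute force defense, link to Password must meet complexity requirements); consider keeping the detailed rationale in one place and a one-line pointer in the other. Minor: "Set Minimum password length to at least a value of 8" in Best practices is the only place the setting name is not bolded.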
@@ -0,0 +1,156 @@ +--- +title: Modify an object label (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting. +ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Modify an object label + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Modify an object label** security policy setting. + +## Reference + + +This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + +The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest: + +- **Untrusted**   Default assignment for processes that are logged on anonymously. + +- **Low**   Default assignment for processes that interact with the Internet. + +- **Medium**   Default assignment for standard user accounts and any object that is not explicitly designated with a lower or higher integrity level. + +- **High**  Default assignment for administrator accounts and processes that request to run using administrative rights. + +- **System**   Default assignment for Windows kernel and core services. 
+ +- **Installer**   Used by setup programs to install software. It is important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects. + +Constant: SeRelabelPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Do not give any group this user right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Not defined on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. + +If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be re-labeled. However, the re-labeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to re-label. + +### Countermeasure + +Do not give any group this right. 
If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need. + +### Potential impact + +None. Not defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/modify-firmware-environment-values.md b/windows/keep-secure/modify-firmware-environment-values.md new file mode 100644 index 0000000000..b3679b1056 --- /dev/null +++ b/windows/keep-secure/modify-firmware-environment-values.md 
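Review bot: in the modify-an-object-label.md hunk above, the Vulnerability section refers to an integrity level named "Trusted Installer", but the list in Reference names the six levels Untrusted, Low, Medium, High, System and Installer; use one name consistently so the example maps to the list. In the same paragraph, "use of the **Modify an object label** right is mandated so that the object can be re-labeled" reads as a policy requirement; "is required" is what is meant. The Reference paragraph also notes that a process can lower the label of an object owned by the same user without this privilege, which is the main reason the right is rarely needed; it would be worth restating next to the Best practices bullet "Do not give any group this user right".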
@@ -0,0 +1,152 @@ +--- +title: Modify firmware environment values (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting. +ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Modify firmware environment values + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Modify firmware environment values** security policy setting. + +## Reference + + +This security setting determines who can modify firmware environment values. Firmware environment values are settings that are stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. + +On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the **Last Known Good Configuration** setting, which should only be modified by the system. + +On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the **Default Operating System** setting using the **Startup and Recovery** feature on the **Advanced** tab of **System Properties**. + +The exact setting for firmware environment values is determined by the boot firmware. The location of these values is also specified by the firmware. For example, on a UEFI-based system, NVRAM contains firmware environment values that specify system boot settings. + +On all computers, this user right is required to install or upgrade Windows. 
+ +Constant: SeSystemEnvironmentPrivilege + +### Possible values + +- User-defined list of accounts + +- Administrators + +- Not Defined + +### Best practices + +- Ensure that only the local Administrators group is assigned the **Modify firmware environment values** user right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Adminstrators

Stand-Alone Server Default Settings

Adminstrators

Domain Controller Effective Default Settings

Adminstrators

Member Server Effective Default Settings

Adminstrators

Client Computer Effective Default Settings

Adminstrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +This security setting does not affect who can modify the system environment values and user environment values that are displayed on the **Advanced** tab of **System Properties**. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Anyone who is assigned the **Modify firmware environment values** user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a denial-of-service condition. + +### Countermeasure + +Ensure that only the local Administrators group is assigned the **Modify firmware environment values** user right. + +### Potential impact + +None. Restricting the **Modify firmware environment values** user right to the members of the local Administrators group is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-application-usage-with-applocker.md b/windows/keep-secure/monitor-application-usage-with-applocker.md new file mode 100644 index 0000000000..2343d692f3 
--- /dev/null +++ b/windows/keep-secure/monitor-application-usage-with-applocker.md 
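Review bot: Typo at the very top of the hunk that closes the "Modify firmware environment values" topic: "Adminstrators" should be "Administrators"; the same word is spelled correctly later in the Countermeasure and Potential impact sections ("local Administrators group"). Also worth a second look in the Group Policy section: the list is introduced as the order in which settings are applied, but the sentence then says the GPO "will overwrite settings on the local computer", so it would help to state explicitly that the later entries in the list take precedence over the earlier ones.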
@@ -0,0 +1,99 @@ +--- +title: Monitor app usage with AppLocker (Windows 10) +description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. +ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor app usage with AppLocker + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. + +Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected. + +### Discover the effect of an AppLocker policy + +You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules. + +- **Analyze the AppLocker logs in Event Viewer** + + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. + + For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). + +- **Enable the Audit only AppLocker enforcement setting** + + By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. 
When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + + For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + +- **Review AppLocker events with Get-AppLockerFileInformation** + + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file. + + For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). + +- **Review AppLocker events with Test-AppLockerPolicy** + + You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. + + For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + +### Review AppLocker events with Get-AppLockerFileInformation + +For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**Note**   +If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. + +  + +**To review AppLocker events with Get-AppLockerFileInformation** + +1. 
At the command prompt, type **PowerShell**, and then press ENTER. + +2. Run the following command to review how many times a file would have been blocked from running if rules were enforced: + + `Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics` + +3. Run the following command to review how many times a file has been allowed to run or prevented from running: + + `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics` + +### View the AppLocker Log in Event Viewer + +When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To view events in the AppLocker log by using Event Viewer** + +1. Open Event Viewer. To do this, click **Start**, type **eventvwr.msc**, and then press ENTER. + +2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. + +AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file formats for further analysis. + +## Related topics + + +[AppLocker](applocker-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md new file mode 100644 index 0000000000..b8e3992188 --- /dev/null +++ b/windows/keep-secure/monitor-central-access-policy-and-rule-definitions.md 
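Review bot: The two Get-AppLockerFileInformation commands in steps 2 and 3 use typographic en dashes before the parameter names (–EventLog –EventType –Statistics) rather than ASCII hyphens; use plain hyphens, e.g. `Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics`, so the commands survive copy and paste through editors and terminals that normalize or reject non-ASCII dashes. Wording in the Test-AppLockerPolicy bullet: "whether any of the rules in your rule collections will be blocked" should be "whether any files will be blocked by the rules in your rule collections", since rules are evaluated and files are blocked. The "Audit only" sentence repeated in the first bullet and the Event Viewer section ("rules are only evaluated but all events ... are written") reads oddly next to the cleaner phrasing in the second bullet ("rules are not enforced but are still evaluated"); reuse that one.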
@@ -0,0 +1,84 @@ +--- +title: Monitor central access policy and rule definitions (Windows 10) +description: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. +ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor central access policy and rule definitions + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. + +Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced. + +Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. 
If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +  + +**To configure settings to monitor changes to central access policy and rule definitions** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. + +4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. + +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + +6. Close the Group Policy Management Editor. + +7. Open the Active Directory Administrative Center. + +8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**. + +9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. + +10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + +After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored. + +**To verify that changes to central access policy and rule definitions are monitored** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. 
Open the Active Directory Administrative Center. + +3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**. + +4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. + +5. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + +6. In the **Central Access Policies** container, add a new central access policy (or select one that exists), click **Properties** in the **Tasks** pane, and then change one or more attributes. + +7. Click **OK**, and then close the Active Directory Administrative Center. + +8. In Server Manager, click **Tools**, and then click **Event Viewer**. + +9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-claim-types.md b/windows/keep-secure/monitor-claim-types.md new file mode 100644 index 0000000000..67265eeab9 --- /dev/null +++ b/windows/keep-secure/monitor-claim-types.md 
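Review bot: Steps 3 to 5 of the verification procedure ("Under Dynamic Access Control, right-click Central Access Policies ... Click Add, add a security auditing setting for the container") repeat steps 8 to 10 of the configuration procedure just above; verification should begin at the change itself (step 6) rather than re-adding the SACL entry. Also check the event ID in step 9: this procedure enables "Audit directory service changes", and the other topics in this patch that enable the same subcategory (claim types, resource attribute definitions) tell the reader to look for event 5137, whereas 4819 is the ID the file-server topic pairs with "Other Policy Change Events".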
@@ -0,0 +1,74 @@ +--- +title: Monitor claim types (Windows 10) +description: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. +ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor claim types + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. + +Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted. + +Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +  + +**To configure settings to monitor changes to claim types** + +1. Sign in to your domain controller by using domain administrator credential. + +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. + +4. 
Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. + +5. Select the **Configure the following audit events** check box, select the **Success** check box (andthe **Failure** check box, if desired), and then click **OK**. + +After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored. + +**To verify that changes to claim types are monitored** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. Open the Active Directory Administrative Center. + +3. Under **Dynamic Access Control**, right-click **Claim Types**, and then click **Properties**. + +4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. + +5. Click **Add**, add a security auditing setting for the container, and then close all the Security properties dialog boxes. + +6. In the **Claim Types** container, add a new claim type or select an existing claim type. In the **Tasks** pane, click **Properties**, and then change one or more attributes. + + Click **OK**, and then close the Active Directory Administrative Center. + +7. Open Event Viewer on this domain controller, expand **Windows Logs**, and select the **Security** log. + + Look for event 5137. Key information to look for includes the name of the new attribute that was added, the type of claim that was created, and the user who created the claim. + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + 
diff --git a/windows/keep-secure/monitor-resource-attribute-definitions.md b/windows/keep-secure/monitor-resource-attribute-definitions.md new file mode 100644 index 0000000000..2412bd06b9 --- /dev/null +++ b/windows/keep-secure/monitor-resource-attribute-definitions.md 
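Review bot: Step 7 of the verification procedure points the reader at event 5137 and describes it in terms of a claim "that was created", but step 6 also allows the reader to "select an existing claim type" and change its attributes; either require creating a new claim type in step 6 or state which event a modification of an existing claim type produces. Typos: step 1 "domain administrator credential" should be "credentials" (as in every other topic in this patch), and "andthe" in step 5 needs a space.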
@@ -0,0 +1,82 @@ +--- +title: Monitor resource attribute definitions (Windows 10) +description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. +ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor resource attribute definitions + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. + +Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. + +For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md). + +Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). 
+ +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +  + +**To configure settings to monitor changes to resource attributes** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the Group Policy Object for the default domain controller, and then click **Edit**. + +4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. + +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + +6. Close the Group Policy Management Editor. + +7. Open the Active Directory Administrative Center. + +8. Under **Dynamic Access Control**, right-click **Resource Properties**, and then click **Properties**. + +9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. + +10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. + +After you configure settings to monitor changes to resource attributes in AD DS, verify that the changes are being monitored. + +**To verify that changes to resource definitions are monitored** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. Open the Active Directory Administrative Center. + +3. Under **Dynamic Access Control**, click **Resource Properties**, and then double-click a resource attribute. + +4. Make changes to this resource attribute. + +5. 
Click **OK**, and then close the Active Directory Administrative Center. + +6. In Server Manager, click **Tools**, and then click **Event Viewer**. + +7. Expand **Windows Logs**, and then click **Security**. Verify that event 5137 appears in the security log. + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md new file mode 100644 index 0000000000..322fd4217e --- /dev/null +++ b/windows/keep-secure/monitor-the-central-access-policies-associated-with-files-and-folders.md 
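Review bot: Verification steps 3 and 4 modify an existing resource attribute, yet step 7 expects event 5137, which the claim-types topic in this patch describes as the event for an object that was created; confirm whether a modification logs 5137 or a different ID and adjust step 7 or steps 3 and 4 accordingly. The procedure headings also drift between terms: "To configure settings to monitor changes to resource attributes" and "To verify that changes to resource definitions are monitored", while the topic is about resource attribute definitions; use one term so the reader does not confuse this with the separate "resource attributes on files and folders" topic that this page links to.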
@@ -0,0 +1,101 @@ +--- +title: Monitor the central access policies associated with files and folders (Windows 10) +description: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. +ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor the central access policies associated with files and folders + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. + +This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server. + +For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md). + +Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx). + +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. 
+ +  + +**To configure settings to monitor central access policies associated with files or folders** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. + +4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. + +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + +6. Enable auditing for a file or folder as described in the following procedure. + +**To enable auditing for a file or folder** + +1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. + +2. Right-click the file or folder, click **Properties**, and then click the **Security** tab. + +3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**. + + If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**. + +5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**. + +6. Click **OK** four times to complete the configuration of the object SACL. + +7. Open a File Explorer window and select or create a file or folder to audit. + +8. 
Open an elevated command prompt, and run the following command: + + **gpupdate /force** + +After you configure settings to monitor changes to the central access policies that are associated with files and folders, verify that the changes are being monitored. + +**To verify that changes to central access policies associated with files and folders are monitored** + +1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit. + +2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure. + +3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**. + +4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice. + + **Note**   + You must select a setting that is different than your original setting to generate the audit event. + +   + +5. In Server Manager, click **Tools**, and then click **Event Viewer**. + +6. Expand **Windows Logs**, and then click **Security**. + +7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies. + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md new file mode 100644 index 0000000000..d19126daa6 --- /dev/null +++ b/windows/keep-secure/monitor-the-central-access-policies-that-apply-on-a-file-server.md 
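Review bot: In "To enable auditing for a file or folder", step 7 ("Open a File Explorer window and select or create a file or folder to audit") comes after the SACL has already been configured on that file in steps 2 to 6, so it should move ahead of step 2 or be dropped; the verification procedure already begins by selecting "the file or folder that you configured for auditing in the previous procedure". Style: "different than your original setting" in the note under verification step 4 should be "different from", and `gpupdate /force` in step 8 is bold while the AppLocker topic in this patch formats commands as code.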
@@ -0,0 +1,82 @@ +--- +title: Monitor the central access policies that apply on a file server (Windows 10) +description: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. +ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor the central access policies that apply on a file server + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. + +Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + +**To configure settings to monitor changes to central access policies** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. + +4. 
Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Other Policy Change Events**. + + **Note**   + This policy setting monitors policy changes that might not be captured otherwise, such as central access policy changes or trusted platform module configuration changes. + +   + +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + +After you modify the central access policies on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged. + +**To verify changes to the central access policies** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. Open the Group Policy Management Console. + +3. Right-click **Default domain policy**, and then click **Edit**. + +4. Double-click **Computer Configuration**, double-click **Policies**, and then double-click **Windows Settings**. + +5. Double-click **Security Settings**, right-click **File system**, and then click **Manage CAPs**. + +6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click **OK**. + +7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central access policies you changed. + +8. Press the Windows key + R, then type **cmd** to open a Command Prompt window. + + **Note**   + If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +   + +9. Type **gpupdate /force**, and press ENTER. + +10. In Server Manager, click **Tools**, and then click **Event Viewer**. + +11. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. 
+ +## Related resource + + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md new file mode 100644 index 0000000000..0e52151278 --- /dev/null +++ b/windows/keep-secure/monitor-the-resource-attributes-on-files-and-folders.md 
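Review bot: The "## Related resource" heading at the end of this topic is level 2, while the sibling topics in this patch use "### Related resource"; pick one level. In the verification procedure, step 8 opens a plain Command Prompt from the Run dialog, but its note describes a User Account Control prompt, which a non-elevated cmd started that way does not raise; either say "elevated command prompt", as the resource-attributes topic does, or drop the note. Step 7 would also read better as "the file server that hosts resources ...", since that is the server the topic title refers to.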
@@ -0,0 +1,80 @@ +--- +title: Monitor the resource attributes on files and folders (Windows 10) +description: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. +ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor the resource attributes on files and folders + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. + +If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include: + +- Changing files that have been marked as high business value to low business value. + +- Changing the Retention attribute of files that have been marked for retention. + +- Changing the Department attribute of files that are marked as belonging to a particular department. + +Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx) . + +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +  + +**To monitor changes to resource attributes on files** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. 
In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. + +4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**. + +5. Select the **Configure the following audit events** check box, select the **Success** and **Failure** check boxes, and then click **OK**. + +After you configure settings to monitor resource attributes on files, verify that the changes are being monitored. + +**To verify that changes to resource attributes on files are monitored** + +1. Use administrator credentials to sign in to the server that hosts the resource you want to monitor. + +2. From an elevated command prompt, type **gpupdate /force**, and then press ENTER. + +3. Attempt to change resource properties on one or more files and folders. + +4. In Server Manager, click **Tools**, and then click **Event Viewer**. + +5. Expand **Windows Logs**, and then click **Security**. + +6. Depending on which resource attributes you attempted to change, you should look for the following events: + + - Event 4911, which tracks changes to file attributes + + - Event 4913, which tracks changes to central access policies + + Key information to look for includes the name and account domain of the principal attempting to change the resource attribute, the object that the principal is attempting to modify, and information about the changes that are being attempted. + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + 
diff --git a/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md new file mode 100644 index 0000000000..4a241ac162 --- /dev/null +++ b/windows/keep-secure/monitor-the-use-of-removable-storage-devices.md 
@@ -0,0 +1,84 @@ +--- +title: Monitor the use of removable storage devices (Windows 10) +description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. +ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor the use of removable storage devices + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. + +If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device. + +Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. + +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +  + +**To configure settings to monitor removable storage devices** + +1. Sign in to your domain controller by using domain administrator credentials. + +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**. + +4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Object Access**, and then double-click **Audit Removable Storage**. + +5. 
Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + +6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**. + +7. Click **OK**, and then close the Group Policy Management Editor. + +After you configure the settings to monitor removable storage devices, use the following procedure to verify that the settings are active. + +**To verify that removable storage devices are monitored** + +1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. + + **Note**   + If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +   + +2. Type **gpupdate /force**, and press ENTER. + +3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. + +4. In Server Manager, click **Tools**, and then click **Event Viewer**. + +5. Expand **Windows Logs**, and then click **Security**. + +6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**. + + Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. + + **Note**   + We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. 
+ +   + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + diff --git a/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md new file mode 100644 index 0000000000..cee27df860 --- /dev/null +++ b/windows/keep-secure/monitor-user-and-device-claims-during-sign-in.md 
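Review bot: Bold markers are misplaced in step 6 of "To configure settings to monitor removable storage devices" in monitor-the-use-of-removable-storage-devices.md: "select the **Configure the following audit events check box**" should be "select the **Configure the following audit events** check box", matching step 5. The Failure path is also left unconnected between the two procedures: step 6 has the reader enable Audit Handle Manipulation for failures, and step 6 of the verification procedure says "Failures will log event 4656", but nothing tells the reader that the second depends on the first; a clause such as "(this is why Audit Handle Manipulation was enabled in the configuration procedure)" would close the gap. Minor: step 1 opens a Command Prompt via Windows key + R while the sibling topics ask for an elevated command prompt; the wording should agree across the set.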
@@ -0,0 +1,68 @@ +--- +title: Monitor user and device claims during sign-in (Windows 10) +description: This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. +ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Monitor user and device claims during sign-in + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. + +Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token. + +Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). + +**Note**   +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +  + +**To monitor user and device claims in user logon token** + +1. Sign in to your domain controller by using domain administrator credentials. 
+ +2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. + +3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**. + +4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **Logon/Logoff**, and then double-click **Audit User/Device claims**. + +5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. + +6. Close the Group Policy Management Editor. + +After you configure settings to monitor user and device claims, verify that the changes are being monitored. + +**To verify that user and device claims in user logon token are monitored** + +1. With local administrator credentials, sign in to a file server that is subject to the flexible access Group Policy Object. + +2. Open an elevated command prompt, and run the following command: + + **gpupdate force** + +3. From a client computer, connect to a file share on the file server as a user who has access permissions to the file server. + +4. On the file server, open Event Viewer, expand **Windows Logs**, and select the **Security** log. Look for event 4626, and confirm that it contains information about user claims and device claims. + +### Related resource + +[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md new file mode 100644 index 0000000000..286cf227fe --- /dev/null +++ b/windows/keep-secure/network-access-allow-anonymous-sidname-translation.md 
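Review bot: The command in step 2 of "To verify that user and device claims in user logon token are monitored" in monitor-user-and-device-claims-during-sign-in.md is wrong: "**gpupdate force**" is missing the slash and will not refresh policy as written; it should be "**gpupdate /force**", as the other two monitoring topics in this change spell it. Minor: step 4 of the configuration procedure mixes "click", "expand" and "double-click" for the same tree navigation that the sibling topics describe with "double-click" throughout; aligning the verbs would keep the procedures consistent.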
@@ -0,0 +1,144 @@ +--- +title: Network access Allow anonymous SID/Name translation (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Allow anonymous SID/Name translation security policy setting. +ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Allow anonymous SID/Name translation + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting. + +## Reference + + +This policy setting enables or disables the ability of an anonymous user to request security identifier (SID) attributes for another user. + +If this policy setting is enabled, a user might use the well-known Administrators SID to get the real name of the built-in Administrator account, even if the account has been renamed. That person might then use the account name to initiate a brute-force password-guessing attack. + +Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + +### Possible values + +- Enabled + + An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation + +- Disabled + + Prevents an anonymous user from requesting the SID attribute for another user. + +- Not defined + +### Best practices + +- Set this policy to Disabled. This is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Note defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +### Operating system version differences + +The default value of this setting has changed between operating systems as follows: + +- The default on domain controllers running Windows Server 2003 R2 or earlier was set to Enabled. + +- The default on domain controllers running Windows Server 2008 and later is set to Disabled. + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Modifying this setting may affect compatibility with client computers, services, and applications. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password-guessing attack. + +### Countermeasure + +Disable the **Network access: Allow anonymous SID/Name translation** setting. + +### Potential impact + +Disabled is the default configuration for this policy setting on member devices; therefore, it has no impact on them. The default configuration for domain controllers is Enabled. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md new file mode 100644 index 0000000000..9b2363c07f --- /dev/null 
+++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md 
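Review bot: Typo in the Default values table of network-access-allow-anonymous-sidname-translation.md: the Default Domain Controller Policy row reads "Note defined" where every other table in this change reads "Not defined". The same topic is internally inconsistent about the domain controller default: Best practices and Potential impact say "The default value for domain controllers is Enabled" and the table lists DC Effective Default Settings as Enabled, while Operating system version differences states that the default on domain controllers running Windows Server 2008 and later is Disabled; either the table and Best practices text need correcting or they should be qualified by operating system version. Also, the Vulnerability section speaks of "a user with local access" while Reference and Possible values describe an anonymous user contacting the computer; the two should describe the same actor. Minor: the sentence ending "as well as the name-to-SID translation" under Possible values lacks its full stop.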
@@ -0,0 +1,134 @@ +--- +title: Network access Do not allow anonymous enumeration of SAM accounts and shares (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts and shares security policy setting. +ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Do not allow anonymous enumeration of SAM accounts and shares + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. + +## Reference + + +This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON. + +This policy setting has no impact on domain controllers. + +Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + +### Possible values + +- Enabled + +- Disabled + + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks. 
+ +- Not defined + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflicts + +Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + +### Group Policy + +This policy has no impact on domain controllers. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. + +### Countermeasure + +Enable the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** setting. + +### Potential impact + +It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md new file mode 100644 index 0000000000..70eb372dcb --- /dev/null 
+++ b/windows/keep-secure/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md 
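Review bot: The Enabled entry under Possible values in network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md has no description, while Disabled gets two sentences; the reader has to infer from the Reference paragraph what Enabled does, so a parallel line such as "Anonymous users cannot enumerate domain account names or network share names." would complete the list. Related: the Reference paragraph states without qualification that anonymous users "will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON", whereas the Policy conflicts section restricts that to systems earlier than Windows Server 2008 and Windows Vista; the two statements should carry the same qualifier.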
@@ -0,0 +1,134 @@ +--- +title: Network access Do not allow anonymous enumeration of SAM accounts (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting. +ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Do not allow anonymous enumeration of SAM accounts + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. + +## Reference + + +This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. + +This policy setting has no impact on domain controllers. + +Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. + +### Possible values + +- Enabled + +- Disabled + + No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. + +- Not defined + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflicts + +Even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON (on systems earlier than Windows Server 2008 and Windows Vista). + +### Group Policy + +This policy has no impact on domain controllers. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. Social engineering attackers try to deceive users in some way to obtain passwords or some form of security information. + +### Countermeasure + +Enable the **Network access: Do not allow anonymous enumeration of SAM accounts** setting. + +### Potential impact + +It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
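Review bot: As in the companion SAM-accounts-and-shares topic, the Enabled entry under Possible values in network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md is empty; give it a one-line description so the Enabled and Disabled bullets are parallel. The Potential impact section also appears to be copied from the shares topic: it says "Users who access file and print servers anonymously are unable to list the shared network resources on those servers", but this setting, by its title and Countermeasure text, governs enumeration of SAM accounts only, so that sentence should be dropped or reworded for this setting. Minor: Group Policy says "This policy has no impact on domain controllers" while the Default values table lists DC Effective Default Settings as Enabled; a short note reconciling the two would avoid confusion.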
diff --git a/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md new file mode 100644 index 0000000000..6fd38c9352 --- /dev/null +++ b/windows/keep-secure/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md 
@@ -0,0 +1,144 @@ +--- +title: Network access Do not allow storage of passwords and credentials for network authentication (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Do not allow storage of passwords and credentials for network authentication security policy setting. +ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Do not allow storage of passwords and credentials for network authentication + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. + +## Reference + + +This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. + +### Possible values + +- Enabled + + Credential Manager does not store passwords and credentials on the device + +- Disabled + + Credential Manager will store passwords and credentials on this computer for later use for domain authentication. + +- Not defined + +### Best practices + +It is a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials are not needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Effective GPO default settings on client computers

Not defined

+ +  + +### Policy management + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +A restart of the device is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user. + +**Note**   +The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies. + +  + +Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. 
+ +Overwriting the administrator's password does not help the attacker access data that is encrypted by using that password. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt. + +### Countermeasure + +Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. + +To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. + +When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. + +### Potential impact + +Users are forced to type passwords whenever they log on to their Microsoft Account or other network resources that are not accessible to their domain account. This policy setting should have no impact on users who access network resources that are configured to allow access with their Active Directory–based domain account. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
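Review bot: Heading level is off in network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md: "### Policy management" is an H3 here, whereas every other topic in this change and the "## Security considerations" heading in this same file use H2; as written, "Restart requirement" and "Group Policy" become siblings of Policy management rather than its children. The Countermeasure section also shifts from the Credential Manager behaviour that Reference describes to the cached domain logon verifier ("cachedlogonscount", "ReportDC") without saying how the two relate, and "the number of changed domain credentials that are stored" reads like a typo for "cached"; the same paragraph first says ten most recent logons are cached by default and then that Windows Server 2008 and later cache 25, so the two sentences should be reconciled. The Default values table is the inverse of the other tables in this change (Disabled for the three policy rows, Not defined for the three effective-settings rows); worth double-checking that the values were not transposed. Minor: the Enabled entry under Possible values lacks a full stop.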
diff --git a/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md new file mode 100644 index 0000000000..a1cbd0efd4 --- /dev/null +++ b/windows/keep-secure/network-access-let-everyone-permissions-apply-to-anonymous-users.md 
@@ -0,0 +1,130 @@ +--- +title: Network access Let Everyone permissions apply to anonymous users (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Let Everyone permissions apply to anonymous users security policy setting. +ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Let Everyone permissions apply to anonymous users + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. + +## Reference + + +This policy setting determines what additional permissions are granted for anonymous connections to the device. If you enable this policy setting, anonymous users can enumerate the names of domain accounts and shared folders and perform certain other activities. This capability is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. + +By default, the token that is created for anonymous connections does not include the Everyone SID. Therefore, permissions that are assigned to the Everyone group do not apply to anonymous users. + +### Possible values + +- Enabled + + The Everyone SID is added to the token that is created for anonymous connections, and anonymous users can access any resource for which the Everyone group has been assigned permissions. + +- Disabled + + The Everyone SID is removed from the token that is created for anonymous connections. + +- Not defined + +### Best practices + +- Set this policy to **Disabled**. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Polices\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks. + +### Countermeasure + +Disable the **Network access: Let Everyone permissions apply to anonymous users** setting. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md new file mode 100644 index 0000000000..3d5c222290 --- /dev/null +++ b/windows/keep-secure/network-access-named-pipes-that-can-be-accessed-anonymously.md 
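Review bot: Typo in the Location path of network-access-let-everyone-permissions-apply-to-anonymous-users.md: "Local Polices\\Security Options" should be "Local Policies\\Security Options", matching the other topics. Also, the Vulnerability section adds "launch DoS attacks" to the list of consequences, but nothing in Reference or Possible values explains how anonymous Everyone permissions lead to that; either drop the phrase or add the sentence that connects it.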
@@ -0,0 +1,177 @@ +--- +title: Network access Named Pipes that can be accessed anonymously (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Named Pipes that can be accessed anonymously security policy setting. +ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Named Pipes that can be accessed anonymously + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. + +## Reference + + +This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. + +Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network. + +### Possible values + +- User-defined list of shared folders + +- Not defined + +### Best practices + +- Set this policy to a null value; that is, enable the policy setting, but do not enter named pipes in the text box. This will disable null session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Netlogon, samr, lsarpc

Stand-Alone Server Default Settings

Null

DC Effective Default Settings

Netlogon, samr, lsarpc

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +For this policy setting to take effect, you must also enable the [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +You can restrict access over named pipes such as COMNAP and LOCATOR to help prevent unauthorized access to the network. The following list describes available named pipes and their purpose. These pipes were granted anonymous access in earlier versions of Windows and some legacy applications may still use them. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Named pipePurpose

COMNAP

SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.

COMNODE

SNA Server named pipe.

SQL\QUERY

Default named pipe for SQL Server.

SPOOLSS

Named pipe for the Print Spooler service.

EPMAPPER

End Point Mapper named pipe.

LOCATOR

Remote Procedure Call Locator service named pipe.

TrlWks

Distributed Link Tracking Client named pipe.

TrkSvr

Distributed Link Tracking Server named pipe.

+ +  + +### Countermeasure + +Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but do not specify named pipes in the text box). + +### Potential impact + +This configuration disables null-session access over named pipes, and applications that rely on this feature or on unauthenticated access to named pipes no longer function. This may break trust between Windows Server 2003 domains in a mixed mode environment. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md new file mode 100644 index 0000000000..b38246a85a --- /dev/null +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths-and-subpaths.md 
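Review bot: The Possible values list in network-access-named-pipes-that-can-be-accessed-anonymously.md was carried over from the shares page: `- User-defined list of shared folders` should be `- User-defined list of named pipes`, since this setting (and the table of pipes under Vulnerability) is about named pipes, not shares. Two smaller points in that table: `TrlWks` looks like a typo for `TrkWks`, the Distributed Link Tracking Client pipe, matching `TrkSvr` on the next row; and `Systems network Architecture (SNA)` should be capitalised `Systems Network Architecture`.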
@@ -0,0 +1,155 @@ +--- +title: Network access Remotely accessible registry paths and subpaths (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Network access Remotely accessible registry paths and subpaths security policy setting. +ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Remotely accessible registry paths and subpaths + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. + +## Reference + + +This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions. + +The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, and they help protect it from access by unauthorized users. + +To allow remote access, you must also enable the Remote Registry service. + +### Possible values + +- User-defined list of paths + +- Not Defined + +### Best practices + +- Set this policy to a null value; that is, enable the policy setting, but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

See the following registry key combination

DC Effective Default Settings

See the following registry key combination

Member Server Effective Default Settings

See the following registry key combination

Client Computer Effective Default Settings

See the following registry key combination

+ +  + +The combination of all the following registry keys apply to the previous settings: + +1. System\\CurrentControlSet\\Control\\Print\\Printers + +2. System\\CurrentControlSet\\Services\\Eventlog + +3. Software\\Microsoft\\OLAP Server + +4. Software\\Microsoft\\Windows NT\\CurrentVersion\\Print + +5. Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows + +6. System\\CurrentControlSet\\Control\\ContentIndex + +7. System\\CurrentControlSet\\Control\\Terminal Server + +8. System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig + +9. System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration + +10. Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib + +11. System\\CurrentControlSet\\Services\\SysmonLog + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The registry contains sensitive device configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs that are assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack. + +### Countermeasure + +Configure the **Network access: Remotely accessible registry paths and sub-paths** setting to a null value (enable the setting but do not enter any paths in the text box). 
+ +### Potential impact + +Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. + +**Note**   +If you want to allow remote access, you must also enable the Remote Registry service. + +  + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-remotely-accessible-registry-paths.md b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md new file mode 100644 index 0000000000..dbc8008031 --- /dev/null +++ b/windows/keep-secure/network-access-remotely-accessible-registry-paths.md 
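Review bot: The Best practices bullet in network-access-remotely-accessible-registry-paths-and-subpaths.md contradicts itself: it opens with `Set this policy to a null value; that is, enable the policy setting, but do not enter any paths in the text box.` and then warns that removing the default paths `might cause these and other management tools to fail`; Countermeasure and Potential impact repeat both halves. Decide which recommendation is meant (clear the list and accept that MBSA and Configuration Manager fail, or keep the default key list) and state it once. Also: `Remotely accessible registry paths and sub-paths` under Countermeasure should match the title's `subpaths`, and `The combination of all the following registry keys apply` should be `applies`.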
@@ -0,0 +1,139 @@ +--- +title: Network access Remotely accessible registry paths (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting. +ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Remotely accessible registry paths + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting. + +## Reference + + +This policy setting determines which registry paths are accessible when an application or process references the WinReg key to determine access permissions. + +The registry is a database for device configuration information, much of which is sensitive. A malicious user can use the registry to facilitate unauthorized activities. To reduce the risk of this happening, suitable access control lists (ACLs) are assigned throughout the registry to help protect it from access by unauthorized users. + +To allow remote access, you must also enable the Remote Registry service. + +### Possible values + +- User-defined list of paths + +- Not Defined + +### Best practices + +- Set this policy to a null value; that is, enable the policy setting but do not enter any paths in the text box. Remote management tools, such as the Microsoft Baseline Security Analyzer and Configuration Manager, require remote access to the registry. Removing the default registry paths from the list of accessible paths might cause these and other management tools to fail. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. 
Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

See the following registry key combination

DC Effective Default Settings

See the following registry key combination

Member Server Effective Default Settings

See the following registry key combination

Client Computer Effective Default Settings

See the following registry key combination

+ +  + +The combination of all the following registry keys apply to the previous settings: + +1. System\\CurrentControlSet\\Control\\ProductOptions + +2. System\\CurrentControlSet\\Control\\Server Applications + +3. Software\\Microsoft\\Windows NT\\CurrentVersion + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An attacker could use information in the registry to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users. + +### Countermeasure + +Configure the **Network access: Remotely accessible registry paths** setting to a null value (enable the setting, but do not enter any paths in the text box). + +### Potential impact + +Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. + +**Note**   +If you want to allow remote access, you must also enable the Remote Registry service. + +  + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md new file mode 100644 index 0000000000..baaacfe3a8 
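Review bot: Same contradiction as in the subpaths page: the Best practices bullet in network-access-remotely-accessible-registry-paths.md says `enable the policy setting but do not enter any paths in the text box` and in the next sentence that removing the default paths `might cause these and other management tools to fail`; Countermeasure and Potential impact repeat both halves. Pick one recommendation and state it once. Minor: `- Not Defined` under Possible values should be `- Not defined` to match the default-values table and the other pages.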
--- /dev/null +++ b/windows/keep-secure/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md 
@@ -0,0 +1,126 @@ +--- +title: Network access Restrict anonymous access to Named Pipes and Shares (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Restrict anonymous access to Named Pipes and Shares security policy setting. +ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Restrict anonymous access to Named Pipes and Shares + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. + +## Reference + + +This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. + +Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Set this policy to Enabled. Enabling this policy setting restricts null session access to unauthenticated users to all server pipes and shared folders except those listed in the **NullSessionPipes** and **NullSessionShares** registry entries. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Null sessions are a weakness that can be exploited through shared folders (including the default shared folders) on devices in your environment. + +### Countermeasure + +Enable the **Network access: Restrict anonymous access to Named Pipes and Shares** setting. + +### Potential impact + +You can enable this policy setting to restrict null-session access for unauthenticated users to all server pipes and shared folders except those that are listed in the NullSessionPipes and NullSessionShares entries. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md new file mode 100644 index 0000000000..14290aa358 --- /dev/null +++ b/windows/keep-secure/network-access-shares-that-can-be-accessed-anonymously.md 
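Review bot: The Potential impact section in network-access-restrict-anonymous-access-to-named-pipes-and-shares.md restates the countermeasure (`You can enable this policy setting to restrict null-session access ...`) instead of describing a consequence; say what stops working, as the named-pipes page does: applications that rely on null-session access to pipes or shares not listed in NullSessionPipes and NullSessionShares no longer function. Also, in the Reference paragraph `**Network access: Named pipes that can be accessed anonymously**` is plain bold text while the shares setting beside it is a link; network-access-named-pipes-that-can-be-accessed-anonymously.md is added in this same patch, so link it.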
@@ -0,0 +1,122 @@ +--- +title: Network access Shares that can be accessed anonymously (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Shares that can be accessed anonymously security policy setting. +ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Shares that can be accessed anonymously + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. + +## Reference + + +This policy setting determines which shared folders can be accessed by anonymous users. + +### Possible values + +- User-defined list of shared folders + +- Not Defined + +### Best practices + +- Set this policy to a null value. There should be little impact because this is the default value. All users will have to be authenticated before they can access shared resources on the server. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Any shared folders that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data. + +### Countermeasure + +Configure the **Network access: Shares that can be accessed anonymously** setting to a null value. + +### Potential impact + +There should be little impact because this is the default configuration. Only authenticated users have access to shared resources on the server. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md new file mode 100644 index 0000000000..e76dbe2316 --- /dev/null +++ b/windows/keep-secure/network-access-sharing-and-security-model-for-local-accounts.md 
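Review bot: The Best practices bullet in network-access-shares-that-can-be-accessed-anonymously.md says `Set this policy to a null value. There should be little impact because this is the default value.`, but the default-values table lists `Not defined` for every row, and the other pages in this patch distinguish a null value (enabled with an empty list) from Not defined. Either say the default is Not defined, or state that an empty list and Not defined have the same effect for this setting. Minor: `- Not Defined` under Possible values should be `- Not defined`.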
@@ -0,0 +1,139 @@ +--- +title: Network access Sharing and security model for local accounts (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network access Sharing and security model for local accounts security policy setting. +ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network access: Sharing and security model for local accounts + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. + +## Reference + + +This policy setting determines how network logons that use local accounts are authenticated. If you configure this policy setting to Classic, network logons that use local account credentials authenticate with those credentials. If you configure this policy setting to Guest only, network logons that use local accounts are automatically mapped to the Guest account. The Classic model provides precise control over access to resources, and it enables you to grant different types of access to different users for the same resource. Conversely, the Guest only model treats all users equally, and they all receive the same level of access to a given resource, which can be either Read Only or Modify. + +**Note**   +This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. + +When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used. 
+ +  + +When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. + +### Possible values + +- Classic - Local users authenticate as themselves + +- Guest only - Local users authenticate as Guest + +- Not defined + +### Best practices + +1. For network servers, set this policy to **Classic - local users authenticate as themselves**. + +2. On end-user systems, set this policy to **Guest only - local users authenticate as Guest**. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Classic (local users authenticate as themselves)

DC Effective Default Settings

Classic (local users authenticate as themselves)

Member Server Effective Default Settings

Classic (local users authenticate as themselves)

Client Computer Effective Default Settings

Classic (local users authenticate as themselves)

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. + +### Countermeasure + +For network servers, configure the **Network access: Sharing and security model for local accounts setting** to **Classic – local users authenticate as themselves**. On end-user computers, configure this policy setting to **Guest only – local users authenticate as guest**. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
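Review bot: The Reference and Vulnerability sections of network-access-sharing-and-security-model-for-local-accounts.md disagree about the Guest only model: Reference says it `makes it impossible for authorized users to access shared resources on those systems`, while Vulnerability says it `makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account`. The Vulnerability wording is the accurate one; align the Reference sentence with it. Style: the two Best practices items are not ordered steps and should be bullets like the other pages; under Countermeasure the bold span `**Network access: Sharing and security model for local accounts setting**` should close before `setting`; and `Guest only – local users authenticate as guest` should match the value spelling used elsewhere on the page, `Guest only - local users authenticate as Guest`.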
diff --git a/windows/keep-secure/network-list-manager-policies.md b/windows/keep-secure/network-list-manager-policies.md new file mode 100644 index 0000000000..82b2e0ecd4 --- /dev/null +++ b/windows/keep-secure/network-list-manager-policies.md 
@@ -0,0 +1,97 @@ +--- +title: Network List Manager policies (Windows 10) +description: Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. +ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network List Manager policies + + +**Applies to** + +- Windows 10 + +Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. + +To configure Network List Manager Policies for one device, you can use the Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in, and edit the local computer policy. The Network List Manager Policies are located at the following path in Group Policy Object Editor: + +**Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies** + +To configure Network List Manager Policies for many computers, such as for all of the Domain Computers in an Active Directory domain, follow Group Policy documentation to learn how to edit the policies for the object that you require. The path to the Network List Manager Policies is the same as the path listed above. + +### Policy settings for Network List Manager Policies + +The following policy settings are provided for Network List Manager Policies. These policy settings are located in the details pane of the Group Policy Object Editor, in **Network Name**. + +### Unidentified Networks + +This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the network. 
A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + +- **Location type**. For this item, the following options are available: + + - **Not configured**. If you select this option, this policy setting does not apply a location type to unidentified network connections. + + - **Private**. If you select this option, this policy setting applies a location type of Private to unidentified network connections. A private network, such as a home or work network, is a location type that assumes that you trust the other computers on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. + + - **Public**. If you select this option, this policy setting applies a location type of Public to unidentified network connections. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other computers on the network. + +- **User permissions**. For this item, the following options are available: + + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for unidentified network connections. + + - **User can change location**. If you select this option, this policy setting allows users to change an unidentified network connection location from Private to Public or from Public to Private. + + - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location of an unidentified network connection. + +### Identifying Networks + +This policy setting allows you to configure the **Network Location** for networks that are in a temporary state while Windows works to identify the network and location type. 
A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: + +- **Location type**. For this item, the following options are available: + + - **Not configured**. If you select this option, this policy setting does not apply a location type to network connections that are in the process of being identified by Windows. + + - **Private**. If you select this option, this policy setting applies a location type of Private to network connections that are in the process of being identified. A private network, such as a home or work network, is a location type that assumes that you trust the other devices on the network. Do not select this item if there is a possibility that an active, unidentified network is in a public place. + + - **Public**. If you select this option, this policy setting applies a location type of Public to network connections that are in the process of being identified by Windows. A public network, such as a wireless network at an airport or coffee shop, is a location type that assumes that you do not trust the other devices on the network. + +### All Networks + +This policy setting allows you to specify the **User Permissions** that control whether users can change the network name, location, or icon, for all networks to which the user connects. You can configure the following items for this policy setting: + +- **Network name**. For this item, the following options are available: + + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network name for all network connections. + + - **User can change name**. If you select this option, users can change the network name for all networks to which they connect. + + - **User cannot change name**. 
If you select this option, users cannot change the network name for any networks to which they connect. + +- **Network location**. For this item, the following options are available: + + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the location for all network connections. + + - **User can change location**. If you select this option, this policy setting allows users to change all network locations from Private to Public or from Public to Private. + + - **User cannot change location**. If you select this option, this policy setting does not allow users to change the location for any networks to which they connect. + +- **Network icon**. For this item, the following options are available: + + - **Not configured**. If you select this option, this policy setting does not specify whether users can change the network icon for all network connections. + + - **User can change icon**. If you select this option, this policy setting allows users to change the network icon for all networks to which the user connects. + + - **User cannot change icon**. If you select this option, this policy setting does not allow users to change the network icon for any networks to which the user connects. + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md new file mode 100644 index 0000000000..3933e3f9ff --- /dev/null +++ b/windows/keep-secure/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md 
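Review bot: the "Identifying Networks" and "Unidentified Networks" subsections use different words for the same idea: the first says a private network "assumes that you trust the other computers on the network", the second says "you trust the other devices on the network". Pick one term (the rest of this set of topics uses "devices") so the two subsections read consistently. Also, the run of lines that contain only non-breaking spaces before the next file header adds nothing to the rendered page and should be dropped.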
@@ -0,0 +1,164 @@ +--- +title: Network security Allow Local System to use computer identity for NTLM (Windows 10) +description: Describes the location, values, policy management, and security considerations for the Network security Allow Local System to use computer identity for NTLM security policy setting. +ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Allow Local System to use computer identity for NTLM + + +**Applies to** + +- Windows 10 + +Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. + +## Reference + + +When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + +When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) + +### Possible values + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
SettingWindows Server 2008 and Windows VistaAt least Windows Server 2008 R2 and Windows 7

Enabled

Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

Services running as Local System that use Negotiate will use the computer identity. This is the default behavior.

Disabled

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

Neither

Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

+ +  + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflict considerations + +The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This will increase the success of interoperability at the expense of security. + +The anonymous authentication behavior is different for Windows Server 2008 and Windows Vista than later versions of Windows. Configuring and applying this policy setting on those systems might not produce the same results. + +### Group Policy + +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When a service connects to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will use NULL session. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + +When a service connects with the computer identity, signing and encryption are supported to provide data protection. 
When a service connects with a NULL session, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. + +### Countermeasure + +You can configure the **Network security: Allow Local System to use computer identity for NTLM** security policy setting to allow Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +### Potential impact + +If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. + +Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md new file mode 100644 index 0000000000..ca4c87257c --- /dev/null +++ b/windows/keep-secure/network-security-allow-localsystem-null-session-fallback.md 
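Review bot: the "Policy conflict considerations" paragraph misstates what "Network security: Allow LocalSystem NULL session fallback" does. It says that policy, if enabled, "will allow NTLM or Kerberos authentication to be used when a system service attempts authentication", but the topic for that setting in this same patch says it only "determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key"; it does not enable Kerberos or change which protocol is negotiated. Suggest: "if enabled, allows services that have already fallen back to a NULL session to sign and encrypt with a well-known key, which improves interoperability at the expense of security." Separately, the "Possible values" table and the "Default values" table disagree: the Enabled row says using the computer identity "is the default behavior" on Windows 7 / Windows Server 2008 R2 and later, yet the effective-default rows read "Not applicable" and "Not defined"; those rows should state the resulting behaviour (the computer identity is used) so the reader does not have to reconcile the two tables.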
@@ -0,0 +1,119 @@ +--- +title: Network security Allow LocalSystem NULL session fallback (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. +ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Allow LocalSystem NULL session fallback + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting. + +## Reference + + +This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. 
+ +### Possible values + +- **Enabled** + + When a service running as Local System connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. This increases application compatibility, but it degrades the level of security. + +- **Disabled** + + When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. + +- Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise. + +### Best practices + +When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. + +This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2 and later. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not applicable

Member server effective default settings

Not applicable

Effective GPO default settings on client computers

Not applicable

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If this setting is Enabled, when a service connects with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. Data that is intended to be protected might be exposed. + +### Countermeasure + +You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. + +### Potential impact + +If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md new file mode 100644 index 0000000000..7072c876dd --- /dev/null +++ b/windows/keep-secure/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
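Review bot: the polarity in "Potential impact" is inverted relative to "Possible values". It says "If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption", but it is the Disabled value under which "session security will be unavailable" and "Calls seeking encryption or signing will fail"; Enabled is the compatibility setting. Change "enable" to "disable" there, and likewise in "Best practices", where "If this policy is enabled, some services may not be able to authenticate" should read "disabled". While in that section, "at the risk of degrading application incompatibility" in the Disabled bullet should be "application compatibility", and the "Not defined" bullet is not bolded like the Enabled and Disabled bullets.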
@@ -0,0 +1,128 @@ +--- +title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) +description: Describes the best practices, location, and values for the Network Security Allow PKU2U authentication requests to this computer to use online identities security policy setting. +ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Allow PKU2U authentication requests to this computer to use online identities + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. + +## Reference + + +Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. + +When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + +**Note**   +The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. + +  + +This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. 
+ +### Possible values + +- **Enabled** + + This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + +- **Disabled** + + This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. + +- Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices + +### Best practices + +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies. + +### Countermeasure + +Set this policy to Disabled or do not configure this security policy for domain-joined devices. + +### Potential impact + +If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md new file mode 100644 index 0000000000..981f5cdd24 --- /dev/null +++ b/windows/keep-secure/network-security-configure-encryption-types-allowed-for-kerberos.md 
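Review bot: two wording defects in this topic. In the Enabled bullet, "a peer relationship through the use on online IDs" should be "through the use of online IDs". In "Potential impact", the closing sentence "This will allow users to share resources between devices" has no full stop, and the preceding sentence "between systems that are not part of a domain that uses PKU2U" reads as if the domain uses PKU2U; suggest "between systems that are not domain-joined, using PKU2U". The "Not set" bullet is also the only one of the three values not in bold.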
@@ -0,0 +1,177 @@ +--- +title: Network security Configure encryption types allowed for Kerberos Win7 only (Windows 10) +description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. +ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Configure encryption types allowed for Kerberos Win7 only + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. + +## Reference + + +This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. + +For more information, see [article 977321](http://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. + +The following table lists and explains the allowed encryption types. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Encryption typeDescription and version support

DES_CBC_CRC

Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function

+

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

DES_CBC_MD5

Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function

+

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

RC4_HMAC_MD5

Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function

+

Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES128_HMAC_SHA1

Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

+

Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES256_HMAC_SHA1

Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).

+

Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Future encryption types

Reserved by Microsoft for additional encryption types that might be implemented.

+ +  + +### Possible values + +The encryption type options include: + +- DES\_CBC\_CRC + +- DES\_CBC\_MD5 + +- RC4\_HMAC\_MD5 + +- AES128\_HMAC\_SHA1 + +- AES256\_HMAC\_SHA1 + +- Future encryption types + + As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + +### Best practices + +You must analyze your environment to determine which encryption types will be supported and then select those that meet that evaluation. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

None of these encryption types that are available in this policy are allowed.

Member server effective default settings

None of these encryption types that are available in this policy are allowed.

Effective GPO default settings on client computers

None of these encryption types that are available in this policy are allowed.

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. + +### Countermeasure + +Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. + +### Potential impact + +If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. + +If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. + +Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md new file mode 100644 index 0000000000..2585a9b1fe --- /dev/null 
+++ b/windows/keep-secure/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md 
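Review bot: the three effective-default rows in "Default values" ("None of these encryption types that are available in this policy are allowed.") contradict the "Countermeasure" paragraph, which says that not configuring the policy "will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites". When the policy is not defined the operating-system defaults apply and nothing is blocked; the rows should say that rather than implying Kerberos is left with no permitted encryption type. Related: "If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication" in "Potential impact" is only true when the DES types are selected; selecting only the AES types does not weaken anything, so qualify that sentence. Also, the "Vulnerability" paragraph says Windows 7 and Windows Server 2008 R2 "do not support the DES cryptographic suites" while the table above says they "do not support DES by default"; use the second wording in both places, since the policy exists precisely to turn DES back on.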
@@ -0,0 +1,128 @@ +--- +title: Network security Do not store LAN Manager hash value on next password change (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network security Do not store LAN Manager hash value on next password change security policy setting. +ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Do not store LAN Manager hash value on next password change + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. + +## Reference + + +This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm. To decrypt the hash value, the encryption algorithm must be determined and then reversed. The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked. + +By attacking the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting will not prevent these types of attacks, but it will make them much more difficult. 
+ +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +1. Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**. + +2. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed. + +### Countermeasure + +Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + +### Potential impact + +Some non-Microsoft applications might not be able to connect to the system. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md new file mode 100644 index 0000000000..2b6ab3ada7 --- /dev/null +++ b/windows/keep-secure/network-security-force-logoff-when-logon-hours-expire.md 
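Review bot: the "Reference" paragraph describes hashing as reversible encryption: "To decrypt the hash value, the encryption algorithm must be determined and then reversed." A password hash is not decrypted; an attacker who obtains it guesses candidate passwords, hashes them and compares, which is what the next paragraph's "password-cracking tool" does. Suggest replacing that sentence with one stating that the hash must be attacked by guessing, and that the LM hash's weak construction makes guessing cheap. The "Vulnerability" paragraph has the same causality tangled: "These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed" should say that the attacks are not prevented, but that because the LM hash is much weaker than the NTLM hash, no longer storing it makes the attacks much harder to succeed.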
@@ -0,0 +1,130 @@ +--- +title: Network security Force logoff when logon hours expire (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network security Force logoff when logon hours expire security policy setting. +ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Force logoff when logon hours expire + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. + +## Reference + + +This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. + +This policy setting does not apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there is a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings are not applied to member devices. 
+ +### Possible values + +- Enabled + + When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. + +- Disabled + + When disabled, this policy allows for the continuation of an established client session after the client's logon hours have expired. + +- Not defined + +### Best practices + +- Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's logon time expires, and the user will be unable to log on to the system until their next scheduled access time begins. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Disabled

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If you disable this policy setting, users can remain connected to the computer outside of their allotted logon hours. + +### Countermeasure + +Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting does not apply to administrator accounts. + +### Potential impact + +When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-lan-manager-authentication-level.md b/windows/keep-secure/network-security-lan-manager-authentication-level.md new file mode 100644 index 0000000000..5915894ae2 --- /dev/null +++ b/windows/keep-secure/network-security-lan-manager-authentication-level.md 
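Review bot: in the Reference paragraph of this hunk, "workstations and servers that are joined to a domain (for example, member devices)" should read "(that is, member devices)", since member devices are what domain-joined workstations and servers are called, not an example of them. Under Possible values, "Not defined" is the only entry without a description, unlike "Enabled" and "Disabled"; a one-line note on what applies when the setting is left undefined (the table shows "Disabled" for every effective-default row) would make the list consistent. Minor: this table uses "Stand-Alone Server Default Settings" while the Restrict NTLM topics added later in the same patch use "Stand-alone server default settings"; pick one form across the set.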
@@ -0,0 +1,199 @@ +--- +title: Network security LAN Manager authentication level (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network security LAN Manager authentication level security policy setting. +ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: LAN Manager authentication level + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting. + +## Reference + + +This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). 
+ +LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: + +- Join a domain + +- Authenticate between Active Directory forests + +- Authenticate to domains based on earlier versions of the Windows operating system + +- Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000 + +- Authenticate to computers that are not in the domain + +### Possible values + +- Send LM & NTLM responses + +- Send LM & NTLM - use NTLMv2 session security if negotiated + +- Send NTLM responses only + +- Send NTLMv2 responses only + +- Send NTLMv2 responses only. Refuse LM + +- Send NTLMv2 responses only. Refuse LM & NTLM + +- Not Defined + +The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescriptionRegistry security level

Send LM & NTLM responses

Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

0

Send LM & NTLM – use NTLMv2 session security if negotiated

Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1

Send NTLM response only

Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2

Send NTLMv2 response only

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3

Send NTLMv2 response only. Refuse LM

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.

4

Send NTLMv2 response only. Refuse LM & NTLM

Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.

5

+ +  + +### Best practices + +- Best practices are dependent on your specific security and authentication requirements. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Send NTLMv2 response only

DC Effective Default Settings

Send NTLMv2 response only

Member Server Effective Default Settings

Send NTLMv2 response only

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Modifying this setting may affect compatibility with client devices, services, and applications. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to **Send NTLMv2 responses only**. + +### Countermeasure + +Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. + +### Potential impact + +Client devices that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-ldap-client-signing-requirements.md b/windows/keep-secure/network-security-ldap-client-signing-requirements.md new file mode 100644 index 0000000000..ed336b244a --- /dev/null +++ b/windows/keep-secure/network-security-ldap-client-signing-requirements.md 
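Review bot: the Vulnerability section of this hunk does not describe a vulnerability; it only restates defaults ("In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to **Send NTLMv2 responses only**"). It should state the risk the Countermeasure addresses, namely that the lower levels in the table let client devices send LM and NTLM responses and let domain controllers accept them, which is exactly what the recommended "Send NTLMv2 responses only" level rules out. Two naming inconsistencies in the same hunk: the Possible values list says "Send NTLM responses only" and "Send NTLMv2 responses only" while the settings table and the defaults table use "Send NTLM response only" / "Send NTLMv2 response only", and the Countermeasure writes "LAN Manager Authentication Level" where the title and headings use "LAN Manager authentication level". Finally, the "Registry security level" column lists levels 0 to 5 but the text never names the registry value or key they belong to, so a reader who takes the registry route the paragraph above the table offers has nowhere to put them.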
@@ -0,0 +1,138 @@ +--- +title: Network security LDAP client signing requirements (Windows 10) +description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. +ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: LDAP client signing requirements + + +**Applies to** + +- Windows 10 + +This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. + +## Reference + + +This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list: + +- **None**. The LDAP BIND request is issued with the caller-specified options. + +- **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. + +- **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. + +Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. 
+ +### Possible values + +- None + +- Negotiate signing + +- Require signature + +- Not Defined + +### Best practices + +- Set **Domain controller: LDAP server signing requirements** to **Require signature**. If you set the server to require LDAP signatures, you must also set the client devices to do so. Not setting the client devices will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Negotiate signing

DC Effective Default Settings

Negotiate signing

Member Server Effective Default Settings

Negotiate signing

Client Computer Effective Default Settings

Negotiate signing

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Modifying this setting may affect compatibility with client devices, services, and applications. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers. + +### Countermeasure + +Configure the **Network security: LDAP server signing requirements** setting to **Require signature**. + +### Potential impact + +If you configure the server to require LDAP signatures, you must also configure the client computers. If you do not configure the client devices, they cannot communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
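Review bot: the Best practices and Countermeasure sections of this client topic point readers at the wrong setting. Best practices says "Set **Domain controller: LDAP server signing requirements** to **Require signature**" and Countermeasure says "Configure the **Network security: LDAP server signing requirements** setting to **Require signature**", but the topic is "Network security: LDAP client signing requirements" and no setting by the second name appears anywhere in this patch. Both should name the client setting from the title, with the server-side setting mentioned only as the dependency that the Potential impact paragraph already describes. Also, the level is called "Require signing" in the Reference list but "Require signature" in Possible values, Best practices and Countermeasure; use one term throughout.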
diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md new file mode 100644 index 0000000000..0f6aa65a9c --- /dev/null +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
@@ -0,0 +1,130 @@ +--- +title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. +ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. + +## Reference + + +This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. + +### Possible values + +- Require NTLMv2 session security + + The connection fails if strong encryption (128-bit) is not negotiated. + +- Require 128-bit encryption + + The connection fails if the NTLMv2 protocol is not negotiated. + +### Best practices + +Practices in setting this policy are dependent on your security requirements. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Require 128-bit encryption

DC Effective Default Settings

Require 128-bit encryption

Member Server Effective Default Settings

Require 128-bit encryption

Client Computer Effective Default Settings

Require 128-bit encryption

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy conflicts + +The settings for this security policy are dependent on the **Network security: LAN Manager Authentication Level policy** setting value. For info about this policy, see [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + +### Countermeasure + +Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients policy** setting. + +### Potential impact + +Client devices that enforce these settings cannot communicate with older servers that do not support them. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md new file mode 100644 index 0000000000..09698504bc --- /dev/null +++ b/windows/keep-secure/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md 
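Review bot: the two descriptions under Possible values in this hunk are swapped. "Require NTLMv2 session security" is followed by "The connection fails if strong encryption (128-bit) is not negotiated", and "Require 128-bit encryption" by "The connection fails if the NTLMv2 protocol is not negotiated"; the servers topic later in this patch has them the right way round ("Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated."). The Possible values list also omits "Not Defined" even though the defaults table reports "Not defined" for the Default Domain Policy and Default Domain Controller Policy rows. Minor: the Reference and Policy conflicts paragraphs bold "policy" as if it were part of the setting name ("**Network security: LAN Manager Authentication Level policy**"), which does not match the linked topic's title "Network security: LAN Manager authentication level".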
@@ -0,0 +1,130 @@ +--- +title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Network security Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. +ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. + +## Reference + + +This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security. These values are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) policy setting value. + +Setting all of these values for this policy setting will help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by a malicious user who has gained access to the same network. That is, these settings help protect against man-in-the-middle attacks. + +### Possible values + +- Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated. + +- Require NTLMv2 session security. The connection fails if the NTLMv2 protocol is not negotiated. + +- Not Defined. + +### Best practices + +- Enable all values that are available for this security policy. Legacy client devices that do not support these policy settings will be unable to communicate with the server. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Require 128-bit encryption

DC Effective Default Settings

Require 128-bit encryption

Member Server Effective Default Settings

Require 128-bit encryption

Client Computer Effective Default Settings

Require 128-bit encryption

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Policy dependencies + +The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Network traffic that uses the NTLM Security Support Provider (NTLM SSP) could be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. + +### Countermeasure + +Enable all options that are available for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** policy setting. + +### Potential impact + +Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md new file mode 100644 index 0000000000..cd2bf1d88c --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
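Review bot: the first Reference sentence in this hunk, "This policy setting allows a client device to require the negotiation of 128-bit encryption or NTLMv2 session security", was carried over from the clients topic; in this servers topic it should say that the setting lets a server require those protections for incoming NTLM SSP sessions, which is what the Best practices bullet ("Legacy client devices that do not support these policy settings will be unable to communicate with the server") and the Potential impact paragraph already assume. The remaining sections are consistent with that reading, so only the opening sentence needs the change.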
@@ -0,0 +1,146 @@ +--- +title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add remote server exceptions for NTLM authentication security policy setting. +ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. + +## Reference + + +The **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** policy setting allows you to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) policy setting is configured. + +If you configure this policy setting, you can define a list of remote servers to which client devices are allowed to use NTLM authentication. + +If you do not configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. + +List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list. 
A single asterisk (\*) can be used anywhere in the string as a wildcard character. + +### Possible values + +- User-defined list of remote servers + + When you enter a list of remote servers to which clients are allowed to use NTLM authentication, the policy is defined and enabled. + +- Not defined + + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + +### Best practices + +1. First enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log to understand which servers are involved in these authentication attempts so you can decide which servers to exempt. + +2. After you have set the server exception list, enforce the [Network Security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) or [Network Security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) policy setting and then review the operational event log again before setting the policies to block NTLM traffic. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes the features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy through Group Policy takes precedence over the setting on the local device. If the Group Policy setting is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this device in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + +There are no security audit policies that can be configured to view output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. + +If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. 
The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. + +### Countermeasure + +When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. + +### Potential impact + +Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this might result in a security vulnerability. + +If this list is not defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they have previously used. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md new file mode 100644 index 0000000000..dfb2288ae6 --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md 
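Review bot: the Countermeasure sentence in this hunk, "you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers in your environment", is missing what is being reviewed; the Auditing section says audit events land in the operational event log, so it should read "you can determine, by reviewing the operational event log, which client applications ...". In the Reference paragraph, "List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list" is hard to parse; suggest "List the NetBIOS server names, one per line, exactly as the applications use them; an exception only takes effect for a server if every name an application uses for it is on the list." Also, the two Best practices steps tell the reader to enforce "Audit incoming NTLM traffic" or "Audit NTLM authentication in this domain" before building an exception list for outgoing traffic, while the Countermeasure relies on running "Outgoing NTLM traffic to remote servers" in audit-only mode; check that the steps name the audit setting that actually records the outgoing requests this list exempts.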
@@ -0,0 +1,146 @@ +--- +title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting. +ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: Add server exceptions in this domain + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. + +## Reference + + +The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. + +If you configure this policy setting, you can define a list of servers in this domain to which client devices are allowed to use NTLM authentication. + +If you do not configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. + +List the NetBIOS server names as the naming format, one per line. A single asterisk (\*) can be used anywhere in the string as a wildcard character. + +### Possible values + +- User-defined list of servers + + When you enter a list of servers in this domain to which clients are allowed to use NTLM authentication, the policy is defined and enabled. 
+ +- Not defined + + If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + +### Best practices + +1. First enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log to understand what domain controllers are involved in these authentication attempts so you can decide which servers to exempt. + +2. After you have set the server exception list, enforce the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the operational event log again before setting the policies to block NTLM traffic. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy via Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if your server exception list is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + +There are no security audit policies that can be configured to view output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. + +If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. 
+ +### Countermeasure + +When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. + +### Potential impact + +Defining a list of servers for this policy setting will enable NTLM authentication traffic between those servers might result in a security vulnerability. + +If this list is not defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they have previously used + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md new file mode 100644 index 0000000000..f801658d52 --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md 
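Review bot: The Vulnerability paragraph has a duplicated prefix, "Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain]"; drop the first "Network Security:". Two sentences in this file say the domain policy "is enabled" (Reference, third paragraph, and the last Potential impact sentence) while the first Reference paragraph correctly says the exception list matters "if any of the deny options are set"; use the deny-options wording in all three places, since the domain policy's non-deny value is Disable, not Enabled. The Potential impact paragraph is also a run-on ("will enable NTLM authentication traffic between those servers might result in a security vulnerability" needs "which" or a second clause) and its final sentence lacks a period. Smaller fixes: "client device are allowed" should read "client devices are allowed", "which make them vulnerable" should read "which makes them vulnerable", and the Countermeasure paragraph stops at "still minimally meets your security requirements" without the follow-up sentence the remote-server exceptions file has ("If not, the client application has to be upgraded to use something other than NTLM authentication").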
@@ -0,0 +1,150 @@ +--- +title: Network security Restrict NTLM Audit incoming NTLM traffic (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit incoming NTLM traffic security policy setting. +ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: Audit incoming NTLM traffic + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. + +## Reference + + +The **Network Security: Restrict NTLM: Audit incoming NTLM traffic** policy setting allows you to audit incoming NTLM traffic. + +When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + +When you enable this policy on a server, only authentication traffic to that server will be logged. + +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. 
+ +### Possible values + +- Disable + + The server on which this policy is set will not log events for incoming NTLM traffic. + +- Enable auditing for domain accounts + + The server on which this policy is set will log events for NTLM pass-through authentication requests only for accounts in the domain that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all domain accounts**. + +- Enable auditing for all accounts + + The server on which this policy is set will log events for all NTLM authentication requests that would be blocked when the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy setting is set to **Deny all accounts**. + +- Not defined + + This is the same as **Disable**, and it results in no auditing of NTLM traffic. + +### Best practices + +Depending on your environment and the duration of your testing, monitor the log size regularly. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + +There are no security audit event policies that can be configured to view output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +### Vulnerability + +Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. 
+ +### Countermeasure + +Restrict access to the log files when this policy setting is enabled in your production environment. + +### Potential impact + +If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md new file mode 100644 index 0000000000..e8a80b5166 --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md 
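Review bot: The event log path given in the Reference and Auditing sections, "Applications and Services Log\Microsoft\Windows\NTLM", names the folder but not the log the reader is told to open; since the text calls it "the operational event log", extend the path to the Operational log under that folder (for example "...\Microsoft\Windows\NTLM\Operational") so it can be found in Event Viewer. The same truncated path is repeated in every file of this patch, so fix it throughout. Minor: the "Audit all"-style bullet "Enable auditing for domain accounts" describes what is logged as "NTLM pass-through authentication requests ... that would be blocked" under Deny all domain accounts, which is fine, but the Best practices line "monitor the log size regularly" should name the log it means, since this file already has the path.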
@@ -0,0 +1,148 @@ +--- +title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting. +ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: Audit NTLM authentication in this domain + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting. + +## Reference + + +The **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting allows you to audit on the domain controller NTLM authentication in that domain. + +When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged. + +When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. + +### Possible values + +- **Disable** + + The domain controller on which this policy is set will not log events for incoming NTLM traffic. 
+ +- **Enable for domain accounts to domain servers** + + The domain controller on which this policy is set will log events for NTLM authentication logon attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. + +- **Enable for domain accounts** + + The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. + +- Not defined + + This is the same as **Disable** and results in no auditing of NTLM traffic. + +### Best practices + +Depending on your environment and the duration of your testing, monitor the operational event log size regularly. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. + +There are no security audit event policies that can be configured to view output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +### Vulnerability + +Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. 
+ +### Countermeasure + +Restrict access to the log files when this policy setting is enabled in your production environment. + +### Potential impact + +If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md new file mode 100644 index 0000000000..11866f1750 --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-incoming-ntlm-traffic.md 
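Review bot: The Possible values list is incomplete relative to the policy it mirrors: it offers only Disable, Enable for domain accounts to domain servers, Enable for domain accounts and Not defined, yet the Reference paragraph says this audit setting "functions in the same way as" NTLM authentication in this domain and points readers on to Deny for domain accounts to domain servers, Deny for domain servers, or Deny for domain accounts, and that file also lists Deny all. There is no audit counterpart listed for Deny for domain servers or Deny all; either add the missing Enable values or state which deny options have no audit equivalent. The Security considerations paragraph says "SMB replay" where the audit-incoming-ntlm-traffic file in this same patch says "SMB relay"; relay is the attack meant, and the same typo appears in the incoming-ntlm-traffic and ntlm-authentication-in-this-domain files. Also reorder the opening sentence: "allows you to audit, on the domain controller, NTLM authentication in that domain".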
@@ -0,0 +1,144 @@ +--- +title: Network security Restrict NTLM Incoming NTLM traffic (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Incoming NTLM traffic security policy setting. +ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: Incoming NTLM traffic + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. + +## Reference + + +The **Network Security: Restrict NTLM: Incoming NTLM traffic** policy setting allows you to deny or allow incoming NTLM traffic from client computers, other member servers, or a domain controller. + +### Possible values + +- **Allow all** + + The server will allow all NTLM authentication requests. + +- **Deny all domain accounts** + + The server will deny NTLM authentication requests for domain logon, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account logon. + +- **Deny all accounts** + + The server will deny NTLM authentication requests from all incoming traffic (whether domain account logon or local account logon), return an NTLM blocked error message to the client device, and log the error. + +- Not defined + + This is the same as **Allow all**, and the server will allow all NTLM authentication requests. + +### Best practices + +If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. 
It is better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + +There are no Security Audit Event policies that can be configured to view event output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +### Vulnerability + +Malicious attacks on NTLM authentication traffic that result in a compromised server can occur only if the server handles NTLM requests. If those requests are denied, brute force attacks on NTLM are eliminated. 
+ +### Countermeasure + +When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. + +### Potential impact + +If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md new file mode 100644 index 0000000000..47e59383c0 --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md 
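Review bot: The Potential impact paragraph tells the reader to "create an exception list of servers to exclude from this policy setting" via Add server exceptions in this domain, but that file's own Reference paragraph says the exception list applies "if any of the deny options are set in the NTLM authentication in this domain policy setting", that is, the domain controller policy. This per-server policy has only Allow all, Deny all domain accounts and Deny all accounts and no exception list, so either drop the cross-reference or say explicitly that server exceptions are a domain-policy mechanism that does not carve servers out of this setting. The same sentence is also missing "by using" before the link (compare the identical sentence in the ntlm-authentication-in-this-domain file). In the Vulnerability paragraph, "brute force attacks on NTLM are eliminated" overstates what denying incoming requests on one server achieves; the sibling domain file's wording, "this attack vector is eliminated", is accurate and should be used here too.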
@@ -0,0 +1,154 @@ +--- +title: Network security Restrict NTLM NTLM authentication in this domain (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM NTLM authentication in this domain security policy setting. +ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: NTLM authentication in this domain + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. + +## Reference + + +The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller. + +### Possible values + +- **Disable** + + The domain controller will allow all NTLM pass-through authentication requests within the domain. + +- **Deny for domain accounts to domain servers** + + The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + + NTLM can be used if the users are connecting to other domains. This depends on if any Restrict NTLM policies have been set on those domains. 
+ +- **Deny for domain accounts** + + Only the domain controller will deny all NTLM authentication logon attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + +- **Deny for domain servers** + + The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that are not joined to the domain will not be affected if this policy setting is configured. + +- **Deny all** + + The domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + +- Not defined + + The domain controller will allow all NTLM authentication requests in the domain where the policy is deployed. + +### Best practices + +If you select any of the deny options, incoming NTLM traffic to the domain will be restricted. First, set the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** policy setting, and then review the Operational log to understand what authentication attempts are made to the member servers. You can then add those member server names to a server exception list by using the [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) policy setting. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not configured

Default domain controller policy

Not configured

Stand-alone server default settings

Not configured

Domain controller effective default settings

Not configured

Member server effective default settings

Not configured

Client computer effective default settings

Not configured

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + +There are no security audit event policies that can be configured to view output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +### Vulnerability + +Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. 
+ +### Countermeasure + +When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. + +### Potential impact + +If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit NTLM authentication in this domain** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md new file mode 100644 index 0000000000..defbe6351f --- /dev/null +++ b/windows/keep-secure/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
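Review bot: The Default values table uses "Not configured" in every row while the Possible values list in this same file, and the tables in every other file in this patch, use "Not defined"; change the table to "Not defined" so the value name matches. In the Possible values list, "Only the domain controller will deny all NTLM authentication logon attempts from domain accounts" reads as if other domain controllers do not deny them; if the intent is that only domain accounts are affected (matching the value name Deny for domain accounts), move "only": "The domain controller will deny all NTLM authentication logon attempts from domain accounts only". The Security considerations paragraph has "SMB replay" for "SMB relay", as in the audit-incoming-ntlm-traffic file.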
@@ -0,0 +1,149 @@ +--- +title: Network security Restrict NTLM Outgoing NTLM traffic to remote servers (Windows 10) +description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Outgoing NTLM traffic to remote servers security policy setting. +ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + +## Reference + + +The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. + +**Warning**   +Modifying this policy setting may affect compatibility with client computers, services, and applications. + +  + +### Possible values + +- **Allow all** + + The device can authenticate identities to a remote server by using NTLM authentication because no restrictions exist. + +- **Audit all** + + The device that sends the NTLM authentication request to a remote server logs an event for each request. This allows you to identify those servers that receive NTLM authentication requests from the client device + +- **Deny all** + + The device cannot authenticate any identities to a remote server by using NTLM authentication. 
You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. + +- Not defined + + This is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. + +### Best practices + +If you select **Deny all**, the client device cannot authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not defined

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not defined

+ +  + +## Policy management + + +This section describes different features and tools available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a restart when saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +### Auditing + +View the operational event log to see if this policy is functioning as intended. Audit and block events are recorded on this computer in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. + +There are no security audit event policies that can be configured to view event output from this policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. + +### Vulnerability + +Malicious attacks on NTLM authentication traffic that result in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. 
+ +### Countermeasure + +When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. + +### Potential impact + +If you configure this policy setting to deny all requests, numerous NTLM authentication requests to remote servers could fail, which could degrade productivity. Before implementing this restriction through this policy setting, select **Audit all** so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md). + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/optimize-applocker-performance.md b/windows/keep-secure/optimize-applocker-performance.md new file mode 100644 index 0000000000..87143fb82f --- /dev/null +++ b/windows/keep-secure/optimize-applocker-performance.md 
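Review bot: the Vulnerability section does not match the scope of this setting. The Reference paragraph defines the policy as denying or auditing outgoing NTLM traffic from a client to remote servers, but the Vulnerability text argues in terms of "the server or domain controller handles NTLM requests", which is the incoming-traffic perspective; reword it to say that denying outgoing NTLM from the client keeps that client's credentials out of the replay and man-in-the-middle attacks listed in the Security considerations intro, with the server side covered by the incoming-traffic settings. Two smaller points: the Auditing section spells the log path "Applications and Services Log\\Microsoft\\Windows\\NTLM" while the AppLocker policy-management topic in this same patch uses "Applications and Services Logs\\...", so pick one spelling; and the "Audit all" bullet ends without a period.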
@@ -0,0 +1,42 @@ +--- +title: Optimize AppLocker performance (Windows 10) +description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. +ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Optimize AppLocker performance + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how to optimize AppLocker policy enforcement. + +## Optimization of Group Policy + + +AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs. + +For more info, see the [Optimizing Group Policy Performance](http://go.microsoft.com/fwlink/p/?LinkId=163238) article in TechNet Magazine. + +### AppLocker rule limitations + +The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash condition. + +### Using the DLL rule collection + +When the DLL rule collection is enabled, AppLocker must check each DLL that an application loads. The more DLLs, the longer AppLocker requires to complete the evaluation. + +  + +  + + + + + diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md new file mode 100644 index 0000000000..4510a031f4 --- /dev/null +++ b/windows/keep-secure/overview-create-edp-policy.md 
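Review bot: "organization unit (OU)" in the Optimization of Group Policy paragraph should be "organizational unit (OU)", the spelling the password-policy topic in this patch uses. The clause "as you do with adding any policies to your GPOs" is also awkward; "just as you would when adding any other policy to a GPO" reads better.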
@@ -0,0 +1,35 @@ +--- +title: Create an enterprise data protection (EDP) policy (Windows 10) +description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. +ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Create an enterprise data protection (EDP) policy +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. + +## In this section +|Topic |Description | +|------|------------| +|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. 
| +|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | +  + +  + +  + + + + + diff --git a/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md new file mode 100644 index 0000000000..428029452b --- /dev/null +++ b/windows/keep-secure/packaged-apps-and-packaged-app-installer-rules-in-applocker.md 
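Review bot: subject-verb agreement: "Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy" has a compound subject and should read "help you create and deploy"; the same sentence appears in the front-matter description and in the body paragraph, so fix both. The table rows repeat that description almost verbatim; shortening them to what differs between the Intune and Configuration Manager topics would make the section easier to scan.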
@@ -0,0 +1,49 @@ +--- +title: Packaged apps and packaged app installer rules in AppLocker (Windows 10) +description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps. +ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Packaged apps and packaged app installer rules in AppLocker + + +**Applies to** + +- Windows 10 + +This topic explains the AppLocker rule collection for packaged app installers and packaged apps. + +Universal Windows apps can be installed through the Windows Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation. + +Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule. + +AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. 
A publisher rule for a Universal Windows app is based on the following attributes of the app: + +- Publisher name + +- Package name + +- Package version + +In summary, including AppLocker rules for Universal Windows apps in your policy design provides: + +- The ability to control the installation and running of the app + +- The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app + +- The ability to create application control policies that survive app updates + +- Management of Universal Windows apps through Group Policy. + +  + +  + + + + + diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md new file mode 100644 index 0000000000..d5f6dd3808 --- /dev/null +++ b/windows/keep-secure/passport-event-300.md 
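Review bot: missing comma and inconsistent casing in the second paragraph: "can be installed by a standard user unlike some Classic Windows applications" needs a comma before "unlike", and "exes, dlls or scripts" should match the rule-collection names used later in the same topic ("exe, dll, script and Windows Installers"). The final bullet ("Management of Universal Windows apps through Group Policy.") is the only one ending with a period. "Sideloaded using the Windows PowerShell cmdlets" would be more useful if it named the cmdlet, for example Add-AppxPackage, and linked to its reference.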
@@ -0,0 +1,62 @@ +--- +title: Event ID 300 - Passport successfully created (Windows 10) +description: This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). +ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 +keywords: ["ngc"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Event ID 300 - Passport successfully created + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This event is created when a Microsoft Passport for Enterprise is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. + +## Event details + + +| | | +|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Product:** | Windows 10 operating system | +| **ID:** | 300 | +| **Source:** | Microsoft Azure Device Registration Service | +| **Version:** | 10 | +| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da. Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | + +  + +## Resolve + + +This is a normal condition. No further action is required. 
+ +## Related topics + + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) + +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) + +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +  + +  + + + + + diff --git a/windows/keep-secure/password-must-meet-complexity-requirements.md b/windows/keep-secure/password-must-meet-complexity-requirements.md new file mode 100644 index 0000000000..c4b7b4420c --- /dev/null +++ b/windows/keep-secure/password-must-meet-complexity-requirements.md 
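Review bot: the Event details table has an empty header row ("| | |"), so the two columns render without labels; give them headers such as "Field" and "Value". The Message row embeds a specific key ID, UPN and server request ID; label them as sample values so readers do not search their logs for that exact text, and either explain or remove the empty "Client request ID: ." fragment, which reads like truncated text.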
@@ -0,0 +1,151 @@ +--- +title: Password must meet complexity requirements (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. +ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Password must meet complexity requirements + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. + +## Reference + + +The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet the following requirements: + +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. + + The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. + + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + +2. 
The password contains characters from three of the following categories: + + - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) + + - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) + + - Base 10 digits (0 through 9) + + - Non-alphanumeric characters (special characters) (for example, !, $, \#, %) + + - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. + +Complexity requirements are enforced when passwords are changed or created. + +The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. + +Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve. + +Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those that are typed by holding down the SHIFT key and typing any of the digits from 1 through 10. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. + +The use of ALT key character combinations can greatly enhance the complexity of a password. 
However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.) + +Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Enabled

Default domain controller policy

Enabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Enabled

Member server effective default settings

Enabled

Effective GPO default settings on client computers

Disabled

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. + +### Countermeasure + +Configure the **Passwords must meet complexity requirements** policy setting to Enabled and advise users to use a variety of characters in their passwords. + +When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it is difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) + +### Potential impact + +If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty. + +If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the digits between 1 and 0.) 
A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. + +The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128–0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.) + +## Related topics + + +[Password Policy](password-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/password-policy.md b/windows/keep-secure/password-policy.md new file mode 100644 index 0000000000..742ac0e7dd --- /dev/null +++ b/windows/keep-secure/password-policy.md 
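Review bot: a logic slip in the Reference section: "typing any of the digits from 1 through 10" should be "from 1 through 0" (there is no digit 10), matching the later sentence in Potential impact that says "between 1 and 0". The setting is also named inconsistently: the title and the first paragraph say "Password must meet complexity requirements" while the Reference, Best practices and Countermeasure paragraphs say "Passwords must meet complexity requirements"; use the title form throughout. "Both checks are not case sensitive" should be "Neither check is case sensitive". The ALT-character paragraph appears twice, once under Best practices and again under Potential impact; keep one copy.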
@@ -0,0 +1,94 @@ +--- +title: Password Policy (Windows 10) +description: An overview of password policies for Windows and links to information for each policy setting. +ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Password Policy + + +**Applies to** + +- Windows 10 + +An overview of password policies for Windows and links to information for each policy setting. + +In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack. + +Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. + +To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. 
+ +Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy (except Kerberos settings) in addition to account lockout settings. When you specify a fine-grained password policy, you must specify all of these settings. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain must be running at least Windows Server 2008 R2 or Windows Server 2008 to use fine-grained password policies. Fine-grained password policies cannot be applied to an organizational unit (OU) directly. + +You can enforce the use of strong passwords through an appropriate password policy. There are password policy settings that control the complexity and lifetime of passwords, such as the **Passwords must meet complexity requirements** policy setting. + +You can configure the password policy settings in the following location by using the Group Policy Management Console: + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** + +If individual groups require distinct password policies, these groups should be separated into another domain or forest, based on additional requirements. + +The following topics provide a discussion of password policy implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible vulnerabilities of each setting), countermeasures that you can take, and the potential impact for each setting. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Enforce password history](enforce-password-history.md)

Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.

[Maximum password age](maximum-password-age.md)

Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.

[Minimum password age](minimum-password-age.md)

Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.

[Minimum password length](minimum-password-length.md)

Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.

[Password must meet complexity requirements](password-must-meet-complexity-requirements.md)

Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.

[Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md)

Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

+ +  + +## Related topics + + +[Configure security policy settings](how-to-configure-security-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/perform-volume-maintenance-tasks.md b/windows/keep-secure/perform-volume-maintenance-tasks.md new file mode 100644 index 0000000000..6c1b779093 --- /dev/null +++ b/windows/keep-secure/perform-volume-maintenance-tasks.md 
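Review bot: the sentence "If individual groups require distinct password policies, these groups should be separated into another domain or forest" contradicts the fine-grained password policy discussion above it, whose stated purpose is to define different password and account lockout policies for different sets of users in one domain; either qualify it (for domains that cannot use fine-grained password policies) or remove it. Ordering: the limitation "Fine-grained password policies cannot be applied to an organizational unit (OU) directly" comes after the shadow-group workaround paragraph; move it before that paragraph so the reader knows why shadow groups are needed. Also "Introduced in Windows Server 2008 R2 and Windows Server 2008" should list the earlier release first.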
@@ -0,0 +1,142 @@ +--- +title: Perform volume maintenance tasks (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. +ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Perform volume maintenance tasks + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Perform volume maintenance tasks** security policy setting. + +## Reference + + +This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool. + +Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + +Constant: SeManageVolumePrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

DC Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +A user who is assigned the **Perform volume maintenance tasks** user right could delete a volume, which could result in the loss of data or a denial-of- service condition. Also, disk maintenance tasks can be used to modify data on the disk, such as user rights assignments that might lead to escalation of privileges. + +### Countermeasure + +Ensure that only the local Administrators group is assigned the **Perform volume maintenance tasks** user right. + +### Potential impact + +None. Restricting the **Perform volume maintenance tasks** user right to the local Administrators group is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/plan-for-applocker-policy-management.md b/windows/keep-secure/plan-for-applocker-policy-management.md new file mode 100644 index 0000000000..e3f5b525a5 --- /dev/null +++ b/windows/keep-secure/plan-for-applocker-policy-management.md 
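Review bot: "extend files in to memory" in the Reference section should be "into memory", and "denial-of- service" in the Vulnerability section has a stray space. The Default values sentence "By default this setting is Administrators on domain controllers and on stand-alone servers" is narrower than the table below it, which shows Administrators as the effective default on member servers and client computers as well; align the sentence with the table. "Use caution when assigning this user right" would land better if the reason followed immediately: the right lets a holder read and modify other users' data pulled in through extended files, which is the escalation path the Vulnerability section describes.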
@@ -0,0 +1,140 @@ +--- +title: Plan for AppLocker policy management (Windows 10) +description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. +ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Plan for AppLocker policy management + + +**Applies to** + +- Windows 10 + +This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. + +## Policy management + + +Before you begin the deployment process, consider how the AppLocker rules will be managed. Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. + +### Application and user support policy + +Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization. Considerations include: + +- What type of end-user support is provided for blocked applications? + +- How are new rules added to the policy? + +- How are existing rules updated? + +- Are events forwarded for review? + +**Help desk support** + +If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies: + +- What documentation does your support department require for new policy deployments? + +- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? + +- Who are the contacts in the support department? + +- How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules? 
+ +**End-user support** + +Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: + +- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? + +- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? + +**Using an intranet site** + +AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used. + +The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. + +![applocker blocked application error message](images/blockedappmsg.gif) + +For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md). + +**AppLocker event management** + +Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: + +1. **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx). + +2. **MSI and Script**. 
Contains events for all files affected by the Windows Installer and script rule collections (.msi, .msp, .ps1, .bat, .cmd, .vbs, and .js). + +3. **Packaged app-Deployment** or **Packaged app-Execution**, contains events for all Universal Windows apps affected by the packaged app and packed app installer rule collection (.appx). + +Collecting these events in a central location can help you maintain your AppLocker policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](http://go.microsoft.com/fwlink/p/?LinkId=145012). + +### Policy maintenance + +As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. + +You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](http://go.microsoft.com/fwlink/p/?LinkId=145013) (http://go.microsoft.com/fwlink/p/?LinkId=145013). + +**Caution**   +You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. 
+ +  + +**New version of a supported app** + +When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. + +To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version. + +For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. + +For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app + +**Recently deployed app** + +To support a new app, you must add one or more rules to the existing AppLocker policy. 
+ +**App is no longer supported** + +If your organization has determined that it will no longer support an application that has AppLocker rules associated with it, the easiest way to prevent users from running the app is to delete these rules. + +**App is blocked but should be allowed** + +A file could be blocked for three reasons: + +- The most common reason is that no rule exists to allow the app to run. + +- There may be an existing rule that was created for the file that is too restrictive. + +- A deny rule, which cannot be overridden, is explicitly blocking the file. + +Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=160269) (http://go.microsoft.com/fwlink/p/?LinkId=160269). + +## Next steps + + +After deciding how your organization will manage your AppLocker policy, record your findings. + +- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary. + +- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis. + +- **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined. + +For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md). + +  + +  + + + + + 
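Review bot: the phrase "This topic for describes" appears twice (in the front-matter description and in the intro paragraph) and should be "This topic describes". The sentence "Developing a process for managing AppLocker rules helps assure that AppLocker continues to effectively control how applications are allowed to run in your organization." is repeated verbatim in "Policy management" and again in "Application and user support policy"; keep one. In "AppLocker event management", the text announces "three logs" but item 3 names two distinct logs (Packaged app-Deployment and Packaged app-Execution), so either say four or list them separately; the same item has "packed app installer", which should be "packaged app installer". The paragraph under "For files with path conditions" ends without a period ("...the new version of the app"). Lastly, the End-user support bullet "Will you allow users to run a script to temporarily allow access to a blocked app?" offers a bypass that sits outside the versioned-GPO change process the Policy maintenance section insists on; if it stays, add a sentence that such an exception must be approved, logged and reviewed like any other rule change rather than left as an open question.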
diff --git a/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md new file mode 100644 index 0000000000..6895bda120 --- /dev/null +++ b/windows/keep-secure/planning-and-deploying-advanced-security-audit-policies.md 
@@ -0,0 +1,553 @@ +--- +title: Planning and deploying advanced security audit policies (Windows 10) +description: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. +ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Planning and deploying advanced security audit policies + + +**Applies to** + +- Windows 10 + +This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. + +Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. + +To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. + +Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. 
However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring. + +Here are some features that can help you focus your effort: + +- **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy. + +- **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event. + +- **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry. + +To deploy these features and plan an effective security auditing strategy, you need to: + +- Identify your most critical resources and the most important activities that need to be tracked. + +- Identify the audit settings that can be used to track these activities. + +- Assess the advantages and potential costs associated with each. + +- Test these settings to validate your choices. + +- Develop plans for deploying and managing your audit policy. + +## About this guide + + +This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. 
This policy must identify and address vital business needs, including: + +- Network reliability + +- Regulatory requirements + +- Protection of the organization's data and intellectual property + +- Users, including employees, contractors, partners, and customers + +- Client computers and applications + +- Servers and the applications and services running on those servers + +The audit policy also must identify processes for managing audit data after it has been logged, including: + +- Collecting, evaluating, and reviewing audit data + +- Storing and (if required) disposing of audit data + +By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs. + +## Understanding the security audit policy design process + + +The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: + +- [Identifying your Windows security audit policy deployment goals](#bkmk-1) + + This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. + +- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) + + This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. 
+ +- [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) + + This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. + +- [Planning for security audit monitoring and management](#bkmk-4) + + This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. + +- [Deploying the security audit policy](#bkmk-5) + + This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. + +## Identifying your Windows security audit policy deployment goals + + +A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. 
+ +Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit. + +To create your Windows security audit plan, begin by identifying: + +- The overall network environment, including the domains, OUs, and security groups. + +- The resources on the network, the users of those resources, and how those resources are being used. + +- Regulatory requirements. + +### Network environment + +An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. + +In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. 
+ +**Important**   +Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. + +  + +For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](http://go.microsoft.com/fwlink/p/?LinkId=163432). + +### Data and resources + +For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage. + +You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization. + +Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. + +The following table provides an example of a resource analysis for an organization. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Resource classWhere storedOrganizational unitBusiness impactSecurity or regulatory requirements

Payroll data

Corp-Finance-1

Accounting: Read/Write on Corp-Finance-1

+

Departmental Payroll Managers: Write only on Corp-Finance-1

High

Financial integrity and employee privacy

Patient medical records

MedRec-2

Doctors and Nurses: Read/Write on Med/Rec-2

+

Lab Assistants: Write only on MedRec-2

+

Accounting: Read only on MedRec-2

High

Strict legal and regulatory standards

Consumer health information

Web-Ext-1

Public Relations Web Content Creators: Read/Write on Web-Ext-1

+

Public: Read only on Web-Ext-1

Low

Public education and corporate image

+ +  + +### Users + +Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. + +Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department. + +Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements. + +To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to. + +Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data. + +The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
GroupsDataPossible auditing considerations

Account administrators

User accounts and security groups

Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.

Members of the Finance OU

Financial records

Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements.

External partners

Project Z

Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.

+ +  + +### Computers + +Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: + +- If the computers are servers, desktop computers, or portable computers. + +- The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. + + **Note**   + If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](http://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](http://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx). + +   + +- The operating system versions. + + **Note**   + The operating system version determines which auditing options are available and the volume of audit event data. + +   + +- The business value of the data. + +For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. + +The following table illustrates an analysis of computers in an organization. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Type of computer and applicationsOperating system versionWhere located

Servers hosting Exchange Server

Windows Server 2008 R2

ExchangeSrv OU

File servers

Windows Server 2012

Separate resource OUs by department and (in some cases) by location

Portable computers

Windows Vista and Windows 7

Separate portable computer OUs by department and (in some cases) by location

Web servers

Windows Server 2008 R2

WebSrv OU

+ +  + +### Regulatory requirements + +Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. + +For more info, see the [System Center Process Pack for IT GRC](http://technet.microsoft.com/library/dd206732.aspx). + +## Mapping the security audit policy to groups of users, computers, and resources in your organization + + +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: + +- The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. + +- For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. 
+ +- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies. + + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + +- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a security group that contains only the users you specify. + + For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + +- Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. 
+ + **Important**   + Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. + + If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. + +   + +The following are examples of how audit policies can be applied to an organization's OU structure: + +- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers. + +- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department. + +- Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. + +## Mapping your security auditing goals to a security audit policy configuration + + +After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. 
This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. + +To create your audit policy configuration, you need to: + +1. Explore all of the audit policy settings that can be used to address your needs. + +2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section. + +3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor. + +4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings. + +5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data. + +### Exploring audit policy options + +Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations: + +- **Security Settings\\Local Policies\\Audit Policy**. + +- **Security Settings\\Local Policies\\Security Options**. + +- **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + +### Choosing audit settings to use + +Depending on your goals, different sets of audit settings may be of particular value to you. 
For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity: + +- Data and resources + +- Users + +- Network + +**Important**   +Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. + +  + +### Data and resource activity + +For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: + +- Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. + +- Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. 
Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL. + + If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. + + **Note**   + To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). + +   + +- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. + + Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. 
+ +- **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. + + **Important**   + The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. + +   + +### User activity + +The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. + +In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network: + +- Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. 
In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. + +- Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer. + +- DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. + +- Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious. + +- Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). 
Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. + + **Note**   + There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. + +   + +- Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. + +- Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. + +- Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. + +- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section. 
+ +- Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. + + **Important**   + On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. + +   + +- Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. + +- Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. + +### Network activity + +The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection. + +- **Account Management**. 
The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections. + +- Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. + + **Note**   + **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. + +   + +- Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. + +- **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. 
In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. + +- Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md), Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md), and Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md). Many networks support large numbers of external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the Internet by enabling network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly. + +- Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md). Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these protections. + +- **Policy Change**. These policy settings and events allow you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, any changes or attempts to change these policies can be an important aspect of security management for a network. + +- Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected. + +- Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). 
This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies. + +- Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + +### Confirm operating system version compatibility + +Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). + +The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. + +For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](http://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. + +In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: + +- Credential Validation + +- Kerberos Authentication Service + +- Kerberos Service Ticket Operations + +- Other Account Logon Events + +These settings allow you to exercise much tighter control over which activities or events generate event data. 
Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. + +### Success, failure, or both + +Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume. + +For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events. + +On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. + +## Planning for security audit monitoring and management + + +Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. + +- Will you keep event data on a local computer until an administrator logs on to review this data? 
If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity. + +- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer. + +In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties: + +- **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations. + +- **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. + +- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. 
Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. + +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: + +- **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. + +- **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted. + +- **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. + +- **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained. + +In addition, a growing number of organizations are being required to store archived log files for a number of years. 
You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](http://go.microsoft.com/fwlink/p/?LinkId=163435). + +## Deploying the security audit policy + + +Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. + +The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend. + +However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: + +- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location. + +- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**. + +- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings. + +After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. 
When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete. + +  + +  + + + + + diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md new file mode 100644 index 0000000000..e0d3c44e7e --- /dev/null +++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md 
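Review bot: In the DS Access bullet, "attempts to access create, modify, delete, move, or undelete objects" is missing a comma after "access", and "the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor" should read "allows you to monitor" (the subject is "the use"). The same bullet states that "Only domain administrators have permissions to modify AD DS objects"; because permissions on AD DS objects can be delegated to other accounts, consider "By default, only domain administrators..." so the text does not imply that changes by non-administrators are impossible and therefore not worth auditing. Minor: "However in other cases, employees, partners, and others..." needs a comma after "However", and in the Event Viewer option list the **Do not overwrite events (Clear logs manually)** bullet would be clearer if it stated, as the later **Retain old events** bullet does, that new events are discarded rather than queued once the log is full.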
@@ -0,0 +1,122 @@ +--- +title: Prepare people to use Microsoft Passport (Windows 10) +description: When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization. +ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B +keywords: ["identity", "PIN", "biometric", "Hello"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Prepare people to use Microsoft Passport + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +When you set a policy to require Microsoft Passport in the workplace, you will want to prepare people in your organization by explaining how to use Passport. + +After enrollment in Passport, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. + +Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Passport. + +People who are currently using virtual smart cards for authentication can use their virtual smart card to verify their identity when they set up Passport. + +## On devices owned by the organization + + +When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. + +![who owns this pc](images/corpown.png) + +Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. + +![choose how you'll connect](images/connect.png) + +They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a work PIN** screen displays any complexity requirements that you have set, such as minimum length. 
+ +After Passport is set up, people use their PIN to unlock the device, and that will automatically log them on. + +## On personal devices + + +People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. (This work account gesture doesn't affect the device unlock PIN.) + +Assure people that their work credentials and personal credentials are stored in separate containers; the enterprise has no access to their personal credentials. + +People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. + +## Using Windows Hello and biometrics + + +If your policy allows it, people can add Windows Hello to their Passport. Windows Hello can be fingerprint, iris, and facial recognition, and is available to users only if the hardware supports it. + +![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) + +## Use a phone to sign in to a PC + + +If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Microsoft Passport credentials. + +**Note**  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. + +  + +**Prerequisites:** + +- The PC must be joined to the Active Directory domain or Azure AD cloud domain. + +- The PC must have Bluetooth connectivity. 
+ +- The phone must be joined to the Azure AD cloud domain, or the user must have added a work account to their personal phone. + +- The free **Phone Sign-in** app must be installed on the phone. + +**Pair the PC and phone** + +1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. + + ![bluetooth pairing](images/btpair.png) + +2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. + + ![bluetooth pairing passcode](images/bt-passcode.png) + +3. On the PC, tap **Yes**. + +**Sign in to PC using the phone** + +1. Open the **Phone Sign-in** app and tap the name of the PC to sign in to. + + **Note**  The first time that you run the Phone-Sign app, you must add an account. + +   + +2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. + +## Related topics + + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) + +[Microsoft Passport and password changes](microsoft-passport-and-password-changes.md) + +[Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) + +[Event ID 300 - Passport successfully created](passport-event-300.md) + +  + +  + + + + + diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md new file mode 100644 index 0000000000..2a4deccef8 --- /dev/null +++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md 
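Review bot: The note under step 1 of "Sign in to PC using the phone" calls the app "the Phone-Sign app", while the prerequisites and step 1 itself call it the **Phone Sign-in** app; use one name throughout. In "On personal devices", "enters and confirms new PIN" is missing "a", and in the introduction "Active Directory or Azure Active Directory (AD) account password" attaches the abbreviation to the wrong term (the rest of the topic uses "Azure AD"), so "Active Directory (AD) or Azure AD" would be consistent. The sentence "The person can access any token-based resource using this device without being asked for credentials" reads as credential-less access; reconcile it with the earlier statement that users use their gesture for access to corporate resources, for example by saying that the work PIN just created serves as that gesture and that no separate password prompt is shown.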
@@ -0,0 +1,454 @@ +--- +title: Prepare your organization for BitLocker Planning and policies (Windows 10) +description: This topic for the IT professional explains how can you plan your BitLocker deployment. +ms.assetid: 6e3593b5-4e8a-40ac-808a-3fdbc948059d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Prepare your organization for BitLocker: Planning and policies + + +**Applies to** + +- Windows 10 + +This topic for the IT professional explains how can you plan your BitLocker deployment. + +When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. + +- [Audit your environment](#bkmk-audit) + +- [Encryption keys and authentication](#bkk-encrypt) + +- [TPM hardware configurations](#bkmk-tpmconfigurations) + +- [Non-TPM hardware configurations](#bkmk-nontpm) + +- [Disk configuration considerations](#bkmk-disk) + +- [BitLocker provisioning](#bkmk-prov) + +- [Used Disk Space Only encryption](#bkk-used) + +- [Active Directory Domain Services considerations](#bkmk-addscons) + +- [FIPS support for recovery password protector](#bkmk-fipssupport) + +- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + +## Audit your environment + + +To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. 
If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. + +Use the following questions to help you document your organization's current disk encryption security policies: + +1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? + +2. What policies exist to control recovery password and recovery key storage? + +3. What are the policies for validating the identity of users that need to perform BitLocker recovery? + +4. What policies exist to control who in the organization has access to recovery data? + +5. What policies exist to control computer decommissioning or retirement? + +## Encryption keys and authentication + + +BitLocker helps prevent unauthorized access to data on lost or stolen computers by: + +- Encrypting the entire Windows operating system volume on the hard disk. + +- Verifying the boot process integrity. + +The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. + +In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + +On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. 
However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. + +**BitLocker key protectors** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Key protectorDescription

TPM

A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.

PIN

A user-entered numeric key protector that can only be used in addition to the TPM.

Enhanced PIN

A user-entered alphanumeric key protector that can only be used in addition to the TPM.

Startup key

An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.

Recovery password

A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.

Recovery key

An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.

+ +  + +**BitLocker authentication methods** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Authentication methodRequires user interactionDescription

TPM only

No

TPM validates early boot components.

TPM + PIN

Yes

TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.

TPM + Network key

No

The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication.

TPM + startup key

Yes

The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.

Startup key only

Yes

The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.

+ +  + +**Will you support computers without TPM version 1.2 or higher?** + +Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. + +**What areas of your organization need a baseline level of data protection?** + +The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. + +However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. + +**What areas of your organization need a more secure level of data protection?** + +If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. + +**What multifactor authentication method does your organization prefer?** + +The protection differences provided by multifactor authentication methods cannot be easily quantified. 
Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. + +## TPM hardware configurations + + +In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. + +### TPM states of existence + +For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StateDescription

Enabled

Most features of the TPM are available.

+

The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled

The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.

+

The TPM may be enabled and disabled multiple times within a boot period.

Activated

Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.

Deactivated

Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.

Owned

Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Un-owned

The TPM does not have a storage root key and may or may not have an endorsement key.

+ +  + +**Important**   +BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available. + +  + +The state of the TPM exists independent of the computer’s operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + +### Endorsement keys + +For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. + +An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. + +For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). + +## Non-TPM hardware configurations + + +Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. + +Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: + +- Are password complexity rules in place? + +- Do you have budget for USB flash drives for each of these computers? + +- Do your existing non-TPM devices support USB devices at boot time? + +Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. 
CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. + +## Disk configuration considerations + + +To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: + +- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system + +- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size + +Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. + +Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker. + +Windows RE can also be used from boot media other than the local hard disk. 
If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery. + +## BitLocker provisioning + + +In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. + +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated. + +When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status. + +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. 
If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. + +## Used Disk Space Only encryption + + +The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. + +Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption. + +Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive. + +Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. + +## Active Directory Domain Services considerations + + +BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup. + +By default, domain administrators are the only users that will have access to BitLocker recovery information. 
When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment. + +It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers. + + ++++ + + + + + + + + + + + + + + + + +
BitLocker Group Policy settingConfiguration

BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services

Require BitLocker backup to AD DS (Passwords and key packages)

Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services

Require TPM backup to AD DS

+ +  + +The following recovery data will be saved for each computer object: + +- **Recovery password** + + A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode. + +- **Key package data** + + With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. + +- **TPM owner authorization password hash** + + When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM. + +Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas. + +To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects. + +**Note**   +The account that you use to update the Active Directory schema must be a member of the Schema Admins group. + +  + +Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. 
+ +**To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller** + +There are two schema extensions that you can copy down and add to your AD DS schema: + +- **TpmSchemaExtension.ldf** + + This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created. + +- **TpmSchemaExtensionACLChanges.ldf** + + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects. + +To download the schema extensions, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated. + +**Caution**   +To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2. 
+ +If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later. + +  + +**Setting the correct permissions in AD DS** + +To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. The following steps detail setting these permissions as required by BitLocker: + +1. Open **Active Directory Users and Computers**. + +2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on. + +3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard. + +4. Click **Next** to go to the **Users or Groups** page and then click **Add**. + +5. In the **Select Users, Computers, or Groups** dialog box, type **SELF** as the object name and then click **OK** Once the object has been validated you will be returned to the **Users or Groups** wizard page and the SELF account will be listed. Click **Next**. + +6. On the **Tasks to Delegate** page, choose **Create a custom task to delegate** and then click **Next**. + +7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**. + +8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**. + +9. Click **Finish** to apply the permissions settings. 
+ +## FIPS support for recovery password protector + + +Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. + +**Note**   +The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.  + +  + +Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](http://support.microsoft.com/kb/947249). + +But on computers running these supported systems with BitLocker enabled: + +- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. + +- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. + +- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. 
+ +- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. + +- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. + +The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. + +However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead. + +## More information + + +[Trusted Platform Module](trusted-platform-module-overview.md) + +[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) + +[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) + +[BitLocker](bitlocker-overview.md) + +[BitLocker Group Policy settings](bitlocker-group-policy-settings.md) + +[BitLocker basic deployment](bitlocker-basic-deployment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/profile-single-process.md b/windows/keep-secure/profile-single-process.md new file mode 100644 index 0000000000..5144e6d70c --- /dev/null +++ b/windows/keep-secure/profile-single-process.md 
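Review bot: in prepare-your-organization-for-bitlocker-planning-and-policies.md the in-page table of contents links to anchors the file never defines, and two of them are misspelled relative to the rest: `[Encryption keys and authentication](#bkk-encrypt)` and `[Used Disk Space Only encryption](#bkk-used)` use `#bkk-` while the others use `#bkmk-`, and the headings below are plain `## Audit your environment`, `## Encryption keys and authentication` and so on with no explicit `bkmk-*` anchors, so every one of these links will break on render. Either point them at the generated heading slugs (`#audit-your-environment`, `#encryption-keys-and-authentication`, ...) or add matching anchors, and fix the two `#bkk-` typos either way. Also needed before merge: the TCG reference `Trusted Computing Group: Trusted Platform Module (TPM) Specifications ()` has lost its URL; `how can you plan` in the title and description should be `how you can plan`; `(TPM)is`, `firware`, `FAT 32`, `FIPs mode`, `stored in AD a while in FIPS mode`, `the correct permissions for the SELF account in be set in AD DS`, `Recovery unlock ... work in all cases` and `DOS attacks` are typos or agreement errors. On substance, the heading `To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller` is followed a few paragraphs later by the Caution that configuring Group Policy to back up TPM and BitLocker information requires at least one domain controller running Windows Server 2008 R2 or later; reconcile the two (say explicitly that the schema extensions alone do not satisfy the Caution, or drop Server 2003 from the heading) so a reader does not plan an AD DS recovery backup that will fail. Finally, the `Startup key only` row says the user inserts the drive that holds `the recovery key and/or startup key`, which blurs two protectors the key protector table above defines separately; this row should say startup key only.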
@@ -0,0 +1,142 @@ +--- +title: Profile single process (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. +ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Profile single process + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Profile single process** security policy setting. + +## Reference + + +This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI). + +Constant: SeProfileSingleProcessPrivilege + +### Possible values + +- User-defined list of accounts + +- Administrators + +- Not Defined + +### Best practices + +- This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. + +### Countermeasure + +Ensure that only the local Administrators group is assigned the **Profile single process** user right. + +### Potential impact + +If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. 
+ +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/profile-system-performance.md b/windows/keep-secure/profile-system-performance.md new file mode 100644 index 0000000000..e9fdad2be0 --- /dev/null +++ b/windows/keep-secure/profile-system-performance.md @@ -0,0 +1,144 @@ +--- +title: Profile system performance (Windows 10) +description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. +ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Profile system performance + + +**Applies to** + +- Windows 10 + +This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the **Profile system performance** security policy setting. + +## Reference + + +This security setting determines which users can use Windows performance monitoring tools to monitor the performance of system processes. + +Constant: SeSystemProfilePrivilege + +### Possible values + +- User-defined list of accounts + +- Administrators + +- Not defined + +### Best practices + +- Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +Depending on your version of Windows and your environment, you might need to add this user right to the Local System account or the Local Service account if you encounter access errors when you use the Administrators account. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Profile system performance** user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers might also be able to determine what processes are active on the computer so that they could identify countermeasures to avoid, such as anti-virus software or an intrusion detection system. + +### Countermeasure + +Ensure that only the local Administrators group is assigned the **Profile system performance** user right. + +### Potential impact + +None. Restricting the **Profile system performance** user right to the local Administrators group is the default configuration. 
+ +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md new file mode 100644 index 0000000000..028698ebd6 --- /dev/null +++ b/windows/keep-secure/protect-bitlocker-from-pre-boot-attacks.md 
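Review bot: in profile-system-performance.md the Policy management section contradicts the Security considerations section. Policy management says `you might need to add this user right to the Local System account or the Local Service account if you encounter access errors when you use the Administrators account`, but Countermeasure then says `Ensure that only the local Administrators group is assigned the Profile system performance user right` and Potential impact says `None.` If service accounts may legitimately need the right, the countermeasure should name them as the permitted exception and Potential impact should describe what breaks when they are not granted it; otherwise the Policy management sentence should be removed. Minor: `By default this setting is Administrators on domain controllers and on stand-alone servers` understates the table that follows, which lists Administrators as the effective default for member servers and client computers as well.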
@@ -0,0 +1,53 @@ +--- +title: Protect BitLocker from pre-boot attacks (Windows 10) +description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. +ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Protect BitLocker from pre-boot attacks + + +**Applies to** + +- Windows 10 + +This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. + +BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. + +Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management. + +Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. 
Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network. + +If users lose their USB key or forget their PIN, they can’t access their PC without a recovery key. With a properly configured infrastructure, the organization’s support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time. + +Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computer’s memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use. + +## In this topic + + +The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it. + +- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) + +- [BitLocker countermeasures](bitlocker-countermeasures.md) + +- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) + +## See also + + +- [BitLocker overview](bitlocker-overview.md) + +  + +  + + + + + 
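Review bot: the closing paragraph asserts that on modern devices pre-boot authentication can be omitted because Secure Boot, Windows Trusted Boot and physical resistance to memory attacks cover the gap, but it never states which protections must actually be present before an admin omits it; since this topic is the entry point for that decision, add a sentence listing the concrete preconditions and defer the detail to the linked Types of attacks and BitLocker countermeasures topics. The same paragraph needs a grammar pass: "Secure Boot and Windows Trusted Boot startup process ensures" is missing an article ("the Secure Boot and Windows Trusted Boot startup processes ensure"), and "Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use" is hard to parse; say plainly which device classes are withheld until the user signs in. Earlier, "the device must be set to hibernate (in other words, shut down and powered off)" conflates two states; if the point is that the device must power off so that pre-boot authentication runs again on resume, say that.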
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md new file mode 100644 index 0000000000..c1679e75fa --- /dev/null +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md 
@@ -0,0 +1,101 @@ +--- +title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) +description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. +ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 +keywords: ["EDP", "Enterprise Data Protection"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Protect your enterprise data using enterprise data protection (EDP) +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage. + +Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. 
Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. + +## Prerequisites +You’ll need this software to run EDP in your enterprise: + +|Operating system | Management solution | +|-----------------|---------------------| +|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager (version 1511 or later)
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=733963) documentation.| + +## How EDP works +EDP helps address your everyday challenges in the enterprise. Including: + +- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. + +- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices. + +- Helping to maintain the ownership and control of your enterprise data. + +- Managing apps that aren’t enterprise aware, especially on mobile devices. + +### EDP-protection modes +You can set EDP to 1 of 4 protection and management modes: + +|Mode|Description| +|----|-----------| +|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything.| +|Off |EDP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. | +

**Note**
For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution. + +## Why use EDP? +EDP gives you a new way to manage data security for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). + +- **Change the way you think about data security.** As an enterprise admin, you need to maintain the security and confidentiality of your enterprise data. EDP helps make sure that your enterprise data is protected on employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. + +- **Manage your enterprise documents, apps, and encryption modes.** + + - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device. + + - **Using protected apps.** Managed apps (apps that you've included on the **Protected Apps** list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. 
Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + + - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps not on this list are potentially blocked from accessing your enterprise data, depending on your EDP management-mode.

+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list. + + - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping it; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list. + + - **Continuous data encryption.** EDP helps protect enterprise data when it leaves a device. For example, when an employee saves to public cloud storage, or synchronizes with another device.

+ Apps such as Microsoft Word work with EDP to continue your data encryption across locations and services. These apps are being referred to as, *enterprise aware*. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document, maintaining the encryption. + + - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, file syncing apps not on your **Protected App** list, such as Dropbox™, won’t be able to sync encrypted files to the employee’s personal cloud storage. Instead, if an employee stores content in their Microsoft OneDrive for Business folder, which is automatically synced with OneDrive for Business (an app on your **Protected App** list), then the document maintains its encryption and can sync freely. + + - **Helping prevent accidental data disclosure to other devices.** EDP helps prevent enterprise data from leaking when it's copied or transferred to other devices. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + +- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.

**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + +## Current limitations with EDP +EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems. + +Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds. + +|EDP scenario |Without Azure Rights Management |Workaround | +|-------------|--------------------------------|-----------| +|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. | +|Sharing enterprise data through email attachments |The attachment is sent unprotected. |Store documents on enterprise cloud or network sites, and share links. | +|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.

For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution. + +## Next steps +After deciding to use EDP in your enterprise, you need to: + +- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md new file mode 100644 index 0000000000..1d7eabec2a --- /dev/null +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
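Review bot: the most consequential behavior in the EDP-protection modes table is buried in the Off row: switching the mode to Off triggers decryption of all closed EDP-tagged files on locally attached drives, which is a data-exposure event rather than a neutral setting change. Pull that out of the table into a Note (in the same style as the Note that follows the table) so an admin testing modes does not discover it after the fact. Related rendering issue: several table cells in this file contain hard line breaks (the -OR- alternatives in the Prerequisites table, the second paragraph of the Off row, and the USB-drive and synchronization rows in the limitations table); Markdown tables do not support multi-line cells, so these rows will break, and the lines should be joined with <br> or the extra sentences moved below the table. Finally, the "Remove access to enterprise data" bullet ties key revocation to the device connecting to the network; document what happens to data on an unenrolled device that never reconnects, since the stolen-device scenario the bullet cites is exactly that case.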
@@ -0,0 +1,1009 @@ +--- +title: Control the health of Windows 10-based devices (Windows 10) +description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. +ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 +keywords: ["security", "BYOD", "malware", "device health attestation", "mobile"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Control the health of Windows 10-based devices + + +**Applies to** + +- Windows 10 + +This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. + +## Introduction + + +In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization’s applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. + +Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they will not tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices. + +With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing corporate services, internal resources, and cloud apps. + +Even managed devices can be compromised and become harmful. Organizations need to detect when security has been breached and react as early as possible in order to protect high-value assets. 
+ +As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. + +Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. + +## Description of a robust end-to-end security solution + + +Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries. + +During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. + +With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it’s an easy way to breach the security network perimeter, gain access to, and then steal high-value assets. + +The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy is not sufficient against these threats. + +### A different approach + +Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. It means that it’s necessary to shift focus away from preventative security controls to detection of, and response to, security issues. 
The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response. + +Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices. + +Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset. + +![figure 1](images/hva-fig1-endtoend1.png) + +A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure. + +The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it. + +![figure 2](images/hva-fig2-assessfromcloud2.png) + +Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. + +Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. 
The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. + +A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel. + +Remote health attestation service performs a series of checks on the measurements. It validates security related data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health encrypted blob back to the device. + +An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the security baseline and knows the level of compliance of the device with regular checks to see what software is installed and what configuration is enforced, as well as determining the health status of the device. + +An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution. + +An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the identity provider so the organization’s access control policy can be invoked to grant access. 
+ +Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate. + +Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted. + +### Microsoft’s security investments in Windows 10 + +In Windows 10, there are three pillars of investments: + +- **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources. + +- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. + +- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware. + +### Protect, control, and report on the security status of Windows 10-based devices + +This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. 
+ +![figure 3](images/hva-fig3-endtoendoverview3.png) + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NumberPart of the solutionDescription

1

Windows 10-based device

The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.

+

A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.

2

Identity provider

Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.

+

Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.

3

Mobile device management

Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.

+

MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.

4

Remote health attestation

The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.

+

Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).

5

Enterprise managed asset

Enterprise managed asset is the resource to protect.

+

For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.

+ +  + +The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. + +## Protect devices and enterprise credentials against threats + + +This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. + +### Windows 10 hardware-based security defenses + +The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. + +Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. + +![figure 4](images/hva-fig4-hardware.png) + +Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: + +- **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features. + + Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + + A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). 
At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: + + - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. + + - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. + + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=733948). + + Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation. + + TPM 2.0 provides a major revision to the capabilities over TPM 1.2: + + - Update crypto strength to meet modern security needs + + - Support for SHA-256 for PCRs + + - Support for HMAC command + + - Cryptographic algorithms flexibility to support government needs + + - TPM 1.2 is severely restricted in terms of what algorithms it can support + + - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents + + - Consistency across implementations + + - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details + + - TPM 2.0 standardizes much of this behavior + +- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM. + + The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. 
On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. + + Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). + + Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. + + **Note**   + Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. + +   + +- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. 
+ + Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. + + Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. + + The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. + + The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. + +- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. + + Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. 
Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + + ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. + + **Note**   + Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot. + +   + + The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. + + The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). 
+ +- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. + + Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section. + +- **Hyper-V Code Integrity (HVCI).** Hyper-V Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. + + When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services, including Hyper-V Code Integrity (HVCI). HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + + HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. + + **Note**   + Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. + +   + + The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy. + + Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. 
The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy. + +- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation. + + In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. + + This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. + +- **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. + + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + + For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](http://go.microsoft.com/fwlink/p/?LinkId=733950). + + During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. 
For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device. + + Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware. + + Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets. + +### Virtualization-based security + +Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. + +Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker. + +The following Windows 10 services are protected with virtualization-based security: + +- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory + +- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. 
In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. + +- **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. + +**Note**   +Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. + +  + +The schema below is a high-level view of Windows 10 with virtualization-based security. + +![figure 5](images/hva-fig5-virtualbasedsecurity.png) + +### Credential Guard + +In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many PtH-style attacks. + +Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: + +- **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. + +- **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key. + +Credential Guard is activated by a registry key and then enabled by using an UEFI variable. This is done to protect against remote modifications of the configuration. 
The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. + +### Device Guard + +Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. + +The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. + +Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. + +**Note**   +Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](http://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. 
+ +  + +With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. + +Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: + +- **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else. + +- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application. + +At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block the vast majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware. + +Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible. + +There are three different parts that make up the Device Guard solution in Windows 10: + +- The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. 
+ +- After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. + +- The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). + +For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](device-guard-deployment-guide.md). + +### Device Guard scenarios + +As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios. + +Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have very well-defined software that are expected to run and don’t change too frequently. It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to change on a daily basis. + +SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security. + +To protect high-value assets, SAWs are used to make secure connections to those assets. 
+ +Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is very applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. + +It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. + +Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. + +**Note**   +Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. + +  + +Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. + +When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. 
The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the UpdateSigner section. + +### The importance of signing applications + +On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. + +With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed. + +In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. + +Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. + +### Why are antimalware and device management solutions still necessary? + +Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. + +Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. 
Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge. + +It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them. + +To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense. + +Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. + +MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. + +### Device health attestation + +Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. + +For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. 
+ +For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. + +### Hardware requirements + +The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733951). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HardwareMotivation

UEFI 2.3.1 or later firmware with Secure Boot enabled

Required to support UEFI Secure Boot.

+

UEFI Secure Boot ensures that the device boots only authorized code.

+

Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”

Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled

Required to support virtualization-based security.

+
+Note   +

Device Guard can be enabled without using virtualization-based security.

+
+
+  +

X64 processor

Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).

+

Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.

IOMMU, such as Intel VT-d, AMD-Vi

Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

Trusted Platform Module (TPM) 2.0

Required to support health attestation and necessary for additional key protections for virtualization-based security.

+ +  + +This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. + +## Detect an unhealthy Windows 10-based device + + +As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. + +The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. + +As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. 
Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. + +By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. + +### What is the concept of device health? + +To understand the concept of device health, it’s important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution. + +However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization’s resources. + +The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. + +The health of the device is not binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM. + +But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision. + +### Remote device health attestation + +In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. + +This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. 
During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. + +A relying party like an MDM can inspect the report generated by the remote health attestation service. + +**Note**   +To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10. + +  + +Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. + +Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. + +In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. + +The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. + +Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. 
+ +![figure 6](images/hva-fig6-logs.png) + +When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. + +![figure 7](images/hva-fig7-measurement.png) + +The health attestation process works as follows: + +1. Hardware boot components are measured. + +2. Operating system boot components are measured. + +3. If Device Guard is enabled, current Device Guard policy is measured. + +4. Windows kernel is measured. + +5. Antivirus software is started as the first kernel mode driver. + +6. Boot start drivers are measured. + +7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. + +8. Boot measurements are validated by the Health Attestation Service + +**Note**   +By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. + +The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs. + +  + +The following process describes how health boot measurements are sent to the health attestation service: + +1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. + +2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. + +3. 
The remote device heath attestation service then: + + 1. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not revoked. + + 2. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value. + + 3. Parses the properties in the TCG log. + + 4. Issues the device health token that contains the health information, the AIK information, and the boot counter information. The health token also contains valid issuance time. The device health token is encrypted and signed, that means that the information is protected and only accessible to issuing health attestation service. + +4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter. + +![figure 8](images/hva-fig8a-healthattest8a.png) + +### Device health attestation components + +The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the Windows Health Attestation Service. Those components are described in this section. + +### Trusted Platform Module + +*It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. + +In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. 
+ +A TPM incorporates in a single component: + +- A RSA 2048-bit key generator + +- A random number generator + +- Nonvolatile memory for storing EK, SRK, and AIK keys + +- A cryptographic engine to encrypt, decrypt, and sign + +- Volatile memory for storing the PCRs and RSA keys + +### Endorsement key + +The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). + +The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. + +The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](http://go.microsoft.com/fwlink/p/?LinkId=733952). + +The endorsement key is often accompanied by one or two digital certificates: + +- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. + +- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. + +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. + +**Note**   +Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. 
A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: + +- For Intel firmware TPM: **https://ekop.intel.com/ekcertservice** + +- For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/** + +  + +### Attestation Identity Keys + +Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. + +**Note**   +Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. + +  + +The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. + +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. 
Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. + +Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM. + +In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. + +### Storage root key + +The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. + +### Platform Configuration Registers + +The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and state of the system that booted. These registers are called Platform Configuration Registers (PCRs). + +The measurement of the boot sequence is based on the PCR and TCG log. 
To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware. + +PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. + +The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. + +### TPM provisioning + +For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. 
+ +When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** + +During the provisioning process, the device may need to be restarted. + +Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. + +If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** + +As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** + +**Note**   +For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net** + +  + +### Windows 10 Health Attestation CSP + +Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. 
+ +The following is a list of functions performed by the Windows 10 Health Attestation CSP: + +- Collects data that is used to verify a device’s health status + +- Forwards the data to the Health Attestation Service + +- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service + +- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification + +During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. + +When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it. + +### Windows Health Attestation Service + +The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers. + +**Note**   +Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS). + +  + +Checking that a TPM attestation and the associated log are valid takes several steps: + +1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. + +2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**. + +3. 
Next the logs should be checked to ensure that they match the PCR values reported. + +4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource. + +The Health Attestation Service provides the following information to an MDM solution about the health of the device: + +- Secure Boot enablement + +- Boot and kernel debug enablement + +- BitLocker enablement + +- VSM enabled + +- Signed or unsigned Device Guard Code Integrity policy measurement + +- ELAM loaded + +- Safe Mode boot, DEP enablement, test signing enablement + +- Device TPM has been provisioned with a trusted endorsement certificate + +For completeness of the measurements, see [Health Attestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=733949). + +The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. + + ++++ + + + + + + + + + + + + + + + + +
OS typeKey items that can be reported

Windows 10 Mobile

    +
  • PCR0 measurement

  • +
  • Secure Boot enabled

  • +
  • Secure Boot db is default

  • +
  • Secure Boot dbx is up to date

  • +
  • Secure Boot policy GUID is default

  • +
  • Device Encryption enabled

  • +
  • Code Integrity revocation list timestamp/version is up to date

  • +

Windows 10 for desktop editions

    +
  • PCR0 measurement

  • +
  • Secure Boot Enabled

  • +
  • Secure Boot db matches Expected

  • +
  • Secure Boot dbx is up to date

  • +
  • Secure Boot policy GUID matches Expected

  • +
  • BitLocker enabled

  • +
  • Virtualization-based security enabled

  • +
  • ELAM was loaded

  • +
  • Code Integrity version is up to date

  • +
  • Code Integrity policy hash matches Expected

  • +
+ +  + +### Leverage MDM and the Health Attestation Service + +To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. + +A solution that leverages MDM and the Health Attestation Service consists of three main parts: + +1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). + +2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. + +3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. + +![figure 9](images/hva-fig8-evaldevicehealth8.png) + +Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: + +1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI. + +2. The MDM server specifies a nonce along with the request. + +3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can decrypt. + +4. The MDM server: + + 1. Verifies that the nonce is as expected. + + 2. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server. + +5. The Health Attestation Service: + + 1. Decrypts the health blob. + + 2. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the value in the health blob. + + 3. 
Verifies that the nonce matches in the quote and the one that is passed from MDM. + + 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated. + + 5. Sends data back to the MDM server including health parameters, freshness, and so on. + +**Note**   +The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. + +  + +Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. + +Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional access control, which is detailed in the next section. + +## Control the security of a Windows 10-based device before access is granted + + +Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? + +The remote device health attestation process uses measured boot data to verify the health status of the device. 
The health of the device is then available for an MDM solution like Intune. + +**Note**   +For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](http://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733956). + +  + +The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. + +![figure 10](images/hva-fig9-intune.png) + +An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. + +Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. + +### Built-in support of MDM in Windows 10 + +Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. + +### Third-party MDM server support + +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](http://go.microsoft.com/fwlink/p/?LinkId=733954). + +**Note**   +MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=733955). 
+ +  + +The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. + +### Management of Windows Defender by third-party MDM + +This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. + +For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkId=733953). + +### Conditional access control + +On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365 compatible workload. + +If the device is not registered, the user will get a message with instructions on how to register (also known as enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web portal where they can get more information on the compliance problem and how to resolve it. 
+ +**Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way. + +![figure 11](images/hva-fig10-conditionalaccesscontrol.png) + +### Office 365 conditional access control + +Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional target groups. + +When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. + +When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. + +**Note**   +Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](http://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. + +  + +When a user enrolls a device successfully, the device becomes trusted. 
Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. + +The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy is not met at the time of request for renewal. + +Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar. + +![figure 12](images/hva-fig11-office365.png) + +Clients that attempt to access Office 365 will be evaluated for the following properties: + +- Is the device managed by an MDM? + +- Is the device registered with Azure AD? + +- Is the device compliant? + +To get to a compliant state, the Windows 10-based device needs to: + +- Enroll with an MDM solution. + +- Register with Azure AD. + +- Be compliant with the device policies set by the MDM solution. + +**Note**   +At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. + +  + +### Cloud and on-premises apps conditional access control + +Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. + +IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. 
Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. + +For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](http://go.microsoft.com/fwlink/p/?LinkId=524807) + +**Note**   +Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](http://go.microsoft.com/fwlink/p/?LinkId=691617) site. + +  + +For on-premises applications there are two options to enable conditional access control based on a device's compliance state: + +- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. + +- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. + +![figure 13](images/hva-fig12-conditionalaccess12.png) + +The following process describes how Azure AD conditional access works: + +1. User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD. + +2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service. + +3. 
Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any). + +4. User logs on and the MDM agent contacts the Intune/MDM server. + +5. MDM server pushes down new policies if available and queries health blob state and other inventory state. + +6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server. + +7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated. + +8. Health Attestation Service validates that the device which sent the health attestation blob is healthy, and returns this result to Intune/MDM server. + +9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device. + +10. Intune/MDM server updates compliance state against device object in Azure AD. + +11. User opens app, attempts to access a corporate managed asset. + +12. Access gated by compliance claim in Azure AD. + +13. If the device is compliant and the user is authorized, an access token is generated. + +14. User can access the corporate managed asset. + +For more information about Azure AD join, see the [Azure AD & Windows 10: Better Together for Work or School](http://go.microsoft.com/fwlink/p/?LinkId=691619) white paper. + +Conditional access control is a topic that many organizations and IT pros may not know as well as they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. + +## Takeaways and summary + + +The following list contains high-level key take-aways to improve the security posture of any organization. 
However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices. + +- **Understand that no solution is 100 percent secure** + + If determined adversaries with malicious intent gain physical access to the device, they could eventually break through its security layers and control it. + +- **Use health attestation with an MDM solution** + + Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and noncompliant devices can be detected, reported, and eventually blocked. + +- **Use Credential Guard** + + Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash attacks. + +- **Use Device Guard** + + Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). + +- **Sign Device Guard policy** + + Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. + +- **Use virtualization-based security** + + When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers. + +- **Start to deploy Device Guard with Audit mode** + + Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity event log that indicates a program or a driver would have been blocked if Device Guard was configured in Enforcement mode. 
Adjust Device Guard rules until a high level of confidence has been reached. After the testing phase has been completed, Device Guard policy can be switched to Enforcement mode. + +- **Build an isolated reference machine when deploying Device Guard** + + Because the corporate network can contain malware, you should start to configure a reference environment that is isolated from your main corporate network. After that, you can create a code integrity policy that includes the trusted applications you want to run on your protected devices. + +- **Use AppLocker when it makes sense** + + Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users. + +- **Lock down firmware and configuration** + + After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + +Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. 
+ +## Related topics + + +[Protect derived domain credentials with Credential Guard](credential-guard.md) + +[Device Guard deployment guide](device-guard-deployment-guide.md) + +[Trusted Platform Module technology overview](http://go.microsoft.com/fwlink/p/?LinkId=733957) + +  + +  + + + + + diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md new file mode 100644 index 0000000000..5ed8ed7a78 --- /dev/null +++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
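Review bot: Two grammar slips in the take-aways list of this hunk: in the "Sign Device Guard policy" bullet, "from a signer specify as part of the Device Guard policy" should read "from a signer specified as part of the Device Guard policy", and in the "Use AppLocker when it makes sense" bullet, "deny a specific Universal Windows apps" should be "deny a specific Universal Windows app". In the "Start to deploy Device Guard with Audit mode" bullet, "if Device Guard was configured in Enforcement mode" reads better as "if Device Guard were configured in Enforcement mode". The "Lock down firmware and configuration" bullet writes the path as `**C:\\Windows\\System32\\SecConfig.efi**`; please confirm the doubled backslashes render as single ones in the published page, because a deny rule built from that path must match the real file location.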
@@ -0,0 +1,327 @@ +--- +title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) +description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. +ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Protecting cluster shared volumes and storage area networks with BitLocker + + +**Applies to** + +- Windows 10 + +This topic for IT pros describes how to protect CSVs and SANs with BitLocker. + +BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. + +## Configuring BitLocker on Cluster Shared Volumes + + +### Using BitLocker with Clustered Volumes + +BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). + +**Important**   +SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). + +  + +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. 
When using BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. + +Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. + +**Note**   +Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. + +  + +For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker. + +### Active Directory-based protector + +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. 
BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + +1. Clear key + +2. Driver-based auto-unlock key + +3. ADAccountOrGroup protector + + 1. Service context protector + + 2. User protector + +4. Registry-based auto-unlock key + +**Note**   +A Windows Server 2012 or later domain controller is required for this feature to work properly. + +  + +### Turning on BitLocker before adding disks to a cluster using Windows PowerShell + +BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: + +1. Install the BitLocker Drive Encryption feature if it is not already installed. + +2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. + +3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below. + + ``` syntax + Enable-BitLocker E: -PasswordProtector -Password $pw + ``` + +4. Identify the name of the cluster with Windows PowerShell. + + ``` syntax + Get-Cluster + ``` + +5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as: + + ``` syntax + Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ + ``` + + **Warning**   + You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + +   + +6. Repeat steps 1-6 for each disk in the cluster. + +7. Add the volume(s) to the cluster. 
+ +### Turning on BitLocker for a clustered disk using Windows PowerShell + +When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: + +1. Install the BitLocker Drive Encryption feature if it is not already installed. + +2. Check the status of the cluster disk using Windows PowerShell. + + ``` syntax + Get-ClusterResource "Cluster Disk 1" + ``` + +3. Put the physical disk resource into maintenance mode using Windows PowerShell. + + ``` syntax + Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource + ``` + +4. Enable BitLocker on the volume using your choice of protector. A password protector is used in the example below. + + ``` syntax + Enable-BitLocker E: -PasswordProtector -Password $pw + ``` + +5. Identify the name of the cluster with Windows PowerShell + + ``` syntax + Get-Cluster + ``` + +6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as: + + ``` syntax + Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ + ``` + + **Warning**   + You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. + +   + +7. Repeat steps 1-6 for each disk in the cluster. + +8. Add the volume(s) to the cluster + +### Adding BitLocker encrypted volumes to a cluster using manage-bde + +You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: + +1. Verify the BitLocker Drive Encryption feature is installed on the computer. + +2. Ensure new storage is formatted as NTFS. + +3. 
Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): + + - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` + + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. + + 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + +4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered + + - Once the disk is clustered it can also be enabled for CSV. + +5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. + + 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. + + 2. If the volume is BitLocker enabled, the following check occurs: + + - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + +6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". + +CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. + +``` syntax +manage-bde -status "C:\ClusterStorage\volume1" +``` + +### Physical Disk Resources + +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. 
This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. + +### Restrictions on BitLocker actions with cluster volumes + +The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Action

On owner node of failover volume

On Metadata Server (MDS) of CSV

On (Data Server) DS of CSV

Maintenance Mode

Manage-bde –on

Blocked

Blocked

Blocked

Allowed

Manage-bde –off

Blocked

Blocked

Blocked

Allowed

Manage-bde Pause/Resume

Blocked

Blocked**

Blocked

Allowed

Manage-bde –lock

Blocked

Blocked

Blocked

Allowed

manage-bde –wipe

Blocked

Blocked

Blocked

Allowed

Unlock

Automatic via cluster service

Automatic via cluster service

Automatic via cluster service

Allowed

manage-bde –protector –add

Allowed

Allowed

Blocked

Allowed

manage-bde -protector -delete

Allowed

Allowed

Blocked

Allowed

manage-bde –autounlock

Allowed (not recommended)

Allowed (not recommended)

Blocked

Allowed (not recommended)

Manage-bde -upgrade

Allowed

Allowed

Blocked

Allowed

Shrink

Allowed

Allowed

Blocked

Allowed

Extend

Allowed

Allowed

Blocked

Allowed

+ +  + +**Note**   +Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node + +  + +In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. + +### Other considerations when using BitLocker on CSV2.0 + +Some other considerations to take into account for BitLocker on clustered storage include the following: + +- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. + +- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. + +- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode. + +- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) will automatically resume conversion when the volume is online to the cluster. + +- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. + +- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. + +- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. + +  + +  + + + + + 
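Review bot: In "Turning on BitLocker before adding disks to a cluster using Windows PowerShell", step 6 says "Repeat steps 1-6 for each disk in the cluster" but it is itself step 6 and the volumes are only added in step 7, so it should read "Repeat steps 1-5"; the second procedure's "Repeat steps 1-6" in step 7 is correct. In the "Active Directory-based protector" paragraph, "the BitLocker service interrupts the request" should be "intercepts the request", since the service mediates the unlock rather than aborting it. Step 5 of the first procedure is missing a space in "**ADAccountOrGroup**protector". In the restrictions table, the Pause/Resume row on the MDS column reads "Blocked**" with no matching footnote; the Note below the table ("the cluster service will automatically resume a paused encryption or decryption from the MDS node") looks like that footnote, so tie it to the marker explicitly and end it with a period. The "manage-bde –autounlock" row is marked "Allowed (not recommended)" three times without saying why; one sentence explaining the recommendation would help administrators choose between the auto-unlock key and the CNO-based protector the topic otherwise steers them toward. Smaller grammar points: "BitLocker on volumes within a cluster are managed" should be "is managed", "Mount points are an NTFS object" should be "Mount points are NTFS objects", and the sentence "the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete" reads more clearly as "BitLocker must be turned on for the volume before it is added to the cluster storage pool, or the resource must be put into maintenance mode before BitLocker operations can complete".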
diff --git a/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md new file mode 100644 index 0000000000..c67329f99a --- /dev/null +++ b/windows/keep-secure/recovery-console-allow-automatic-administrative-logon.md 
@@ -0,0 +1,140 @@ +--- +title: Recovery console Allow automatic administrative logon (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting. +ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Recovery console: Allow automatic administrative logon + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. + +## Reference + + +This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. + +The Recovery Console can be very useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. + +### Possible values + +- Enabled + + The built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required + +- Disabled + + Automatic administrative logon is not allowed. + +- Not defined + + Automatic administrative logon is not allowed. + +### Best practices + +- Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This requires a user to enter a user name and password to access the Recovery Console account. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device + +### Policy conflicts + +None. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The Recovery Console can be very useful when you must troubleshoot and repair device that do not start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. + +### Countermeasure + +Disable the **Recovery console: Allow automatic administrative logon** setting. + +### Potential impact + +Users must enter a user name and password to access the Recovery Console. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md new file mode 100644 index 0000000000..f881d30d6d --- /dev/null +++ b/windows/keep-secure/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
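Review bot: In the "Vulnerability" subsection, "repair device that do not start" should be "repair devices that do not start". The "Group Policy" subsection sentence "Setting and deploying this policy using Group Policy takes precedence over the setting on the local device" is missing its terminating period, as is the description under "Enabled" in "Possible values" ("no password is required"). The "Reference" paragraph and the "Possible values" list both describe the Enabled behaviour with the same sentence; consider keeping the full explanation in one place and cross-referencing it.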
@@ -0,0 +1,154 @@ +--- +title: Recovery console Allow floppy copy and access to all drives and folders (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow floppy copy and access to all drives and folders security policy setting. +ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Recovery console: Allow floppy copy and access to all drives and folders + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. + +## Reference + + +This policy setting enables or disables the Recovery Console SET command, which allows you to set the following Recovery Console environment variables. + +- **AllowWildCards**. Enables wildcard support for some commands, such as the DEL command. + +- **AllowAllPaths**. Allows access to all files and folders on the device. + +- **AllowRemovableMedia**. Allows files to be copied to removable media, such as a floppy disk. + +- **NoCopyPrompt**. Suppresses the prompt that typically displays before an existing file is overwritten. + +You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This causes the server's network services to be unavailable. 
+ +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. + +### Policy conflicts + +None. + +### Command-line tools + +Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: + +- AllowWildCards: Enable wildcard support for some commands (such as the DEL command). + +- AllowAllPaths: Allow access to all files and folders on the device. + +- AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. + +- NoCopyPrompt: Do not prompt when overwriting an existing file. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail. + +### Countermeasure + +Disable the **Recovery console: Allow floppy copy and access to drives and folders** setting. + +### Potential impact + +Users who have started a server through the Recovery Console and logged in with the built-in Administrator account cannot copy files and folders to a floppy disk. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/refresh-an-applocker-policy.md b/windows/keep-secure/refresh-an-applocker-policy.md new file mode 100644 index 0000000000..f134252dff --- /dev/null +++ b/windows/keep-secure/refresh-an-applocker-policy.md 
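Review bot: The setting name is inconsistent within this file: the title, heading and description say "Allow floppy copy and access to all drives and folders", but the "Best practices" and "Countermeasure" subsections refer to "Allow floppy copy and access to drives and folders" (missing "all"); use the full name in both places so the reader can find the setting under Security Options. The four environment variables (AllowWildCards, AllowAllPaths, AllowRemovableMedia, NoCopyPrompt) are listed twice with near-identical wording, once in "Reference" and again in "Command-line tools"; keep one list and point the other section at it. The "Vulnerability" subsection says an attacker "could steal sensitive data and leave no audit or access trail", but nothing earlier in the topic explains that the Recovery Console does not log file access; a sentence making that link explicit would support the claim.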
@@ -0,0 +1,74 @@ +--- +title: Refresh an AppLocker policy (Windows 10) +description: This topic for IT professionals describes the steps to force an update for an AppLocker policy. +ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Refresh an AppLocker policy + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to force an update for an AppLocker policy. + +If you update the rule collection on a local computer by using the Local Security Policy snap-in, the policy will take effect immediately. If Group Policy is used to distribute the AppLocker policy and you want to immediately implement the policy, you must manually refresh the policy. The Group Policy refresh might take several minutes, depending upon the number of policies within the Group Policy Object (GPO) and the number of target computers. + +To use Group Policy to distribute the AppLocker policy change, you need to retrieve the deployed AppLocker policy first. To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md) + +[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). + +To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. + +**To manually refresh the AppLocker policy by using Group Policy** + +1. From a command prompt, type **gpupdate /force**, and then press ENTER. + +2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied." 
+ +To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: + +- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) + +- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) + +- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To refresh the AppLocker policy on the local computer** + +- Update the rule collection by using the Local Security Policy console with one of the following procedures: + + - [Edit AppLocker rules](edit-applocker-rules.md) + + - [Delete an AppLocker rule](delete-an-applocker-rule.md) + + - [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + +When finished, the policy is in effect. + +To make the same change on another device, you can use any of the following methods: + +- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. + + **Caution**   + When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied. + +   + +- Merge AppLocker policies. 
For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). + +  + +  + + + + + diff --git a/windows/keep-secure/registry-global-object-access-auditing.md b/windows/keep-secure/registry-global-object-access-auditing.md new file mode 100644 index 0000000000..f544039c14 --- /dev/null +++ b/windows/keep-secure/registry-global-object-access-auditing.md @@ -0,0 +1,36 @@ +--- +title: Registry (Global Object Access Auditing) (Windows 10) +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. +ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Registry (Global Object Access Auditing) + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. + +If you select the **Configure security** check box on this policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the registry. The specified SACL is then automatically applied to every registry object type. + +This policy setting must be used in combination with the **Registry** security policy setting under Object Access. For more info, see [Audit Registry](audit-registry.md). + +## Related topics + + +[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +  + +  + + + + + 
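Review bot: The sentence "To prepare for the update and subsequent refresh, see [Edit an AppLocker policy](edit-an-applocker-policy.md)" has no terminating period and is immediately followed by a second, orphaned "[Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](...)" fragment; drop the first link so the sentence reads "see [Edit an AppLocker policy](edit-an-applocker-policy.md) and [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)." In step 2 of "To manually refresh the AppLocker policy by using Group Policy", the verification advice ("checking the AppLocker event logs for events that include 'policy applied'") would be more actionable if it named the event log channel being checked, since the reader has no other pointer to where those events are written.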
diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md new file mode 100644 index 0000000000..10454b9cdd --- /dev/null +++ b/windows/keep-secure/remove-computer-from-docking-station.md 
@@ -0,0 +1,150 @@ +--- +title: Remove computer from docking station (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. +ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Remove computer from docking station + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Remove computer from docking station** security policy setting. + +## Reference + + +This security setting determines whether a user can undock a portable device from its docking station without logging on. This policy setting only affects scenarios that involve a portable computer and its docking station. + +If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must log on before removing the portable device from its docking station. Otherwise, as a security measure, the user will not be able to log on after the device is removed from the docking station. If this policy is not assigned, the user may remove the portable device from its docking station without logging on, and then have the ability to start and log on to the device afterwards in its undocked state. + +Constant: SeUndockPrivilege + +### Possible values + +- User-defined list of accounts + +- Not Defined + +### Best practices + +- Assign this user right to only those accounts that are permitted to use the portable device. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +Although this portable device scenario does not normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. 
+ +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Anyone who has the **Remove computer from docking station** user right can log on and then remove a portable device from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: + +- If attackers can restart the device, they could remove it from the docking station after the BIOS starts but before the operating system starts. + +- This setting does not affect servers because they typically are not installed in docking stations. + +- An attacker could steal the device and the docking station together. + +- Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. + +### Countermeasure + +Ensure that only the local Administrators group and the user account to which the device is allocated are assigned the **Remove computer from docking station** user right. 
+ +### Potential impact + +By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users are not members of the local Administrators groups on their portable devices, they cannot remove their portable devices from their docking stations if they do not first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/replace-a-process-level-token.md b/windows/keep-secure/replace-a-process-level-token.md new file mode 100644 index 0000000000..e3a17bfad2 --- /dev/null +++ b/windows/keep-secure/replace-a-process-level-token.md 
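Review bot: the Potential impact paragraph recommends assigning the **Remove computer from docking station** right to the local Users group, which contradicts the Countermeasure two paragraphs earlier ("only the local Administrators group and the user account to which the device is allocated"). Either qualify the Users-group suggestion as the lower-assurance option, consistent with the Vulnerability section's own point that the control is weak against physical removal anyway, or restate the countermeasure so the two sections agree. Also, "Not Defined" under Possible values should read "Not defined" to match the table and the other user-rights topics in this change.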
@@ -0,0 +1,151 @@ +--- +title: Replace a process level token (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. +ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Replace a process level token + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Replace a process level token** security policy setting. + +## Reference + + +This policy setting determines which parent processes can replace the access token that is associated with a child process. + +Specifically, the **Replace a process level token** setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler, where the user right is extended to any processes that can be managed by Task Scheduler. + +An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account that is associated with the process or thread. With this user right, every child process that runs on behalf of this user account would have its access token replaced with the process level token. + +Constant: SeAssignPrimaryTokenPrivilege + +### Possible values + +- User-defined list of accounts + +- Defaults + +- Not defined + +### Best practices + +- For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Network Service and Local Service on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Network Service

+

Local Service

Stand-Alone Server Default Settings

Network Service

+

Local Service

Domain Controller Effective Default Settings

Network Service

+

Local Service

Member Server Effective Default Settings

Network Service

+

Local Service

Client Computer Effective Default Settings

Network Service

+

Local Service

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users with the **Replace a process level token** user right can start processes as another user if they know the user’s credentials. + +### Countermeasure + +For member servers, ensure that only the Local Service and Network Service accounts have the **Replace a process level token** user right. + +### Potential impact + +On most computers, restricting the **Replace a process level token** user right to the Local Service and the Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Replace a process level token** user right to additional accounts. For example, IIS requires that the Service, Network Service, and IWAM\_*<ComputerName>* accounts be explicitly granted this user right. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + 
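Review bot: in Potential impact, `IWAM\_*<ComputerName>*` mixes an escaped underscore with italics around an angle-bracketed placeholder, and a markdown renderer is liable to drop `<ComputerName>` as an unknown HTML tag. Put the account name in backticks (`IWAM_<ComputerName>`) or escape the angle brackets. The same sentence lists "the Service, Network Service, and IWAM_<ComputerName> accounts"; "Service" is not an account named anywhere else in the topic (the rest of the page says Local Service), so please confirm the intended account name before this ships.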
diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md new file mode 100644 index 0000000000..c4f0103ef7 --- /dev/null +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -0,0 +1,247 @@ +--- +title: Requirements for deploying AppLocker policies (Windows 10) +description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. +ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Requirements for deploying AppLocker policies + + +**Applies to** + +- Windows 10 + +This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. + +The following requirements must be met or addressed before you deploy your AppLocker policies: + +- [Deployment plan](#bkmk-reqdepplan) + +- [Supported operating systems](#bkmk-reqsupportedos) + +- [Policy distribution mechanism](#bkmk-reqpolicydistmech) + +- [Event collection and analysis system](#bkmk-reqeventcollectionsystem) + +### Deployment plan + +An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

Bank Tellers

Teller-East and Teller-West

Yes

Teller software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers

Web help

Windows files

+

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Help Desk

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Allow

Web help

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR

Web help

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Help Desk

Windows files

C:\Windows

Use the default rule for the Windows path

Allow

Help Desk

+ +  + +**Event processing policy** + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

Bank Tellers

Forwarded to: srvBT093

Standard

None

Standard

Human Resources

Do not forward

+

60 months

Yes; summary reports monthly to managers

Standard

+ +  + +**Policy maintenance policy** + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApp decommission policyApp version policyApp deployment policy

Bank Tellers

Planned: Monthly through business office triage

+

Emergency: Request through Help Desk

Through business office triage; 30-day notice required

General policy: Keep past versions for 12 months

+

List policies for each application

Coordinated through business office; 30-day notice required

Human Resources

Planned: Through HR triage

+

Emergency: Request through Help Desk

Through HR triage; 30-day notice required

+

General policy: Keep past versions for 60 months

+

List policies for each application

Coordinated through HR; 30-day notice required

+ +  + +### Supported operating systems + +AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +### Policy distribution mechanism + +You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. + +### Event collection and analysis system + +Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see: + +- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + +- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) + +- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + +## See also + + +[AppLocker deployment guide](applocker-policies-deployment-guide.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md new file mode 100644 index 0000000000..2921b46a0e --- /dev/null +++ b/windows/keep-secure/requirements-to-use-applocker.md 
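Review bot: the four requirement links at the top of the topic point at `#bkmk-reqdepplan`, `#bkmk-reqsupportedos`, `#bkmk-reqpolicydistmech` and `#bkmk-reqeventcollectionsystem`, but the corresponding `### Deployment plan`, `### Supported operating systems`, `### Policy distribution mechanism` and `### Event collection and analysis system` headings carry no such ids, so the links will not resolve unless an explicit anchor is added to each heading or the links are changed to the heading-derived anchors. Also, the first paragraph of Deployment plan opens a parenthesis with "(as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)." and never closes it, and those four subsections are `###` headings directly under the H1 with no `##` level between them.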
@@ -0,0 +1,251 @@ +--- +title: Requirements to use AppLocker (Windows 10) +description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. +ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Requirements to use AppLocker + + +**Applies to** + +- Windows 10 + +This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. + +## General requirements + + +To use AppLocker, you need: + +- A device running a supported operating system to create the rules. The computer can be a domain controller. + +- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. + +- Devices running a supported operating system to enforce the AppLocker rules that you create. + +**Note**   +You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). + +  + +## Operating system requirements + + +The following table show the on which operating systems AppLocker features are supported. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VersionCan be configuredCan be enforcedAvailable rulesNotes

Windows 10

Yes

Yes

Packaged apps

+

Executable

+

Windows Installer

+

Script

+

DLL

You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview.

Windows Server 2012 R2

Yes

Yes

Packaged apps

+

Executable

+

Windows Installer

+

Script

+

DLL

Windows 8.1

Yes

Yes

Packaged apps

+

Executable

+

Windows Installer

+

Script

+

DLL

Only the Enterprise edition supports AppLocker

Windows RT 8.1

No

No

N/A

Windows Server 2012 Standard

Yes

Yes

Packaged apps

+

Executable

+

Windows Installer

+

Script

+

DLL

Windows Server 2012 Datacenter

Yes

Yes

Packaged apps

+

Executable

+

Windows Installer

+

Script

+

DLL

Windows 8 Pro

No

No

N/A

Windows 8 Enterprise

Yes

Yes

Packaged apps

+

Executable

+

Windows Installer

+

Script

+

DLL

Windows RT

No

No

N/A

Windows Server 2008 R2 Standard

Yes

Yes

Executable

+

Windows Installer

+

Script

+

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 Enterprise

Yes

Yes

Executable

+

Windows Installer

+

Script

+

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 Datacenter

Yes

Yes

Executable

+

Windows Installer

+

Script

+

DLL

Packaged app rules will not be enforced.

Windows Server 2008 R2 for Itanium-Based Systems

Yes

Yes

Executable

+

Windows Installer

+

Script

+

DLL

Packaged app rules will not be enforced.

Windows 7 Ultimate

Yes

Yes

Executable

+

Windows Installer

+

Script

+

DLL

Packaged app rules will not be enforced.

Windows 7 Enterprise

Yes

Yes

Executable

+

Windows Installer

+

Script

+

DLL

Packaged app rules will not be enforced.

Windows 7 Professional

Yes

No

Executable

+

Windows Installer

+

Script

+

DLL

No AppLocker rules are enforced.

+ +  + +AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. + +## See also + + +[Administer AppLocker](administer-applocker.md) + + +[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + + +[Optimize AppLocker performance](optimize-applocker-performance.md) + + +[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) + + +[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) + + +[AppLocker Design Guide](applocker-policies-design-guide.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/reset-account-lockout-counter-after.md b/windows/keep-secure/reset-account-lockout-counter-after.md new file mode 100644 index 0000000000..4267057664 --- /dev/null +++ b/windows/keep-secure/reset-account-lockout-counter-after.md 
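Review bot: the sentence introducing the table, "The following table show the on which operating systems AppLocker features are supported.", has a stray "the" and a number-agreement error; suggest "The following table shows the operating systems on which AppLocker features are supported." The Windows 7 Professional row (Can be configured: Yes, Can be enforced: No, "No AppLocker rules are enforced.") is the one administrators are most likely to misread, so consider repeating that caveat in the prose after the table next to the sentence on Software Restriction Policies: a policy that is accepted but never enforced gives a false sense of coverage.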
@@ -0,0 +1,115 @@ +--- +title: Reset account lockout counter after (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. +ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Reset account lockout counter after + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. + +## Reference + + +The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). + +A disadvantage to setting this too high is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. + +### Possible values + +- A user-defined number of minutes from 1 through 99,999 + +- Not defined + +### Best practices + +- You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Not defined

Default domain controller policy

Not defined

Stand-alone server default settings

Not applicable

Domain controller effective default settings

Not defined

Member server effective default settings

Not defined

Client computer effective default settings

Not applicable

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. + +### Countermeasure + +Configure the **Reset account lockout counter after** policy setting to 30. + +### Potential impact + +If you do not configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to log on to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to log on after a failed logon within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. + +## Related topics + + +[Account Lockout Policy](account-lockout-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md new file mode 100644 index 0000000000..e0941e62be --- /dev/null +++ b/windows/keep-secure/restore-files-and-directories.md 
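Review bot: the Countermeasure says "Configure the **Reset account lockout counter after** policy setting to 30." without a unit; the Reference paragraph defines the value in minutes, so write "30 minutes". The Reference paragraph also states that this value must be less than or equal to Account lockout duration whenever the lockout threshold is non-zero, so the Countermeasure should say that the recommended 30 only works with a lockout duration of at least 30 minutes; otherwise readers will set an inconsistent pair of values.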
@@ -0,0 +1,160 @@ +--- +title: Restore files and directories (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. +ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Restore files and directories + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Restore files and directories** security policy setting. + +## Reference + + +This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object. + +Granting this user right to an account is similar to granting the account the following permissions to all files and folders on the system: + +- **Traverse folder / execute file** + +- **Write** + +Constant: SeRestorePrivilege + +### Possible values + +- User-defined list of accounts + +- Defaults + +- Not Defined + +### Best practices + +- Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, so only assign this user right to trusted users. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default, this right is granted to the Administrators, Backup Operators, and Server Operators groups on domain controllers, and to the Administrators and Backup Operators groups on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Default Domain Controller Policy

Administrators

+

Backup Operators

+

Server Operators

Stand-Alone Server Default Settings

Administrators

+

Backup Operators

Domain Controller Effective Default Settings

Administrators

+

Backup Operators

+

Server Operators

Member Server Effective Default Settings

Administrators

+

Backup Operators

Client Computer Effective Default Settings

Administrators

+

Backup Operators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device + +**Note**   +Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data. + +  + +### Countermeasure + +Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel. 
+ +### Potential impact + +If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/run-the-automatically-generate-rules-wizard.md b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md new file mode 100644 index 0000000000..63611e7155 --- /dev/null +++ b/windows/keep-secure/run-the-automatically-generate-rules-wizard.md 
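Review bot: in the Default values table, the "Default Domain Policy" row has no value cell; the next row starts straight at "Default Domain Controller Policy". Every other user-rights topic in this change lists "Not defined" for Default Domain Policy, and the prose above the table does not state a domain-policy default either, so add the missing cell. Also, the Vulnerability paragraph ends without a full stop ("...install programs that provide continued access to the device"), and "Not Defined" under Possible values should be lower-case "defined" for consistency with the table.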
@@ -0,0 +1,65 @@ +--- +title: Run the Automatically Generate Rules wizard (Windows 10) +description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. +ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Run the Automatically Generate Rules wizard + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. + +AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder. + +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). + +**To automatically generate rules** + +1. Open the AppLocker console. + +2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. + +3. Click **Automatically Generate Rules**. + +4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this is the Program Files folder. + +5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. + +6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. + +7. 
On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + + **Note**   + The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + + - One publisher condition is created for all files that have the same publisher and product name. + + - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. + + - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file. + +   + +8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. + +**Note**   +If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. + +  + +  + +  + + + + + diff --git a/windows/keep-secure/script-rules-in-applocker.md b/windows/keep-secure/script-rules-in-applocker.md new file mode 100644 index 0000000000..d1c18e6cfb --- /dev/null 
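Review bot: in the path-condition bullet under step 7, `*C:\\Program Files\\ProgramName\\*` and `*%programfiles%\\ProgramName\\\**` use italics with escaped backslashes, and the trailing `\\\**` is ambiguous to a markdown renderer (escaped backslash, literal asterisk, italic close, or a stray asterisk). Put both paths in backticks so the wildcard renders literally. Step 2 also lacks a serial comma: "executable, Windows Installer, script and packaged app rules".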
+++ b/windows/keep-secure/script-rules-in-applocker.md @@ -0,0 +1,85 @@ +--- +title: Script rules in AppLocker (Windows 10) +description: This topic describes the file formats and available default rules for the script rule collection. +ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Script rules in AppLocker + + +**Applies to** + +- Windows 10 + +This topic describes the file formats and available default rules for the script rule collection. + +AppLocker defines script rules to include only the following file formats: + +- .ps1 + +- .bat + +- .cmd + +- .vbs + +- .js + +The following table lists the default rules that are available for the script rule collection. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PurposeNameUserRule condition type

Allows members of the local Administrators group to run all scripts

(Default Rule) All scripts

BUILTIN\Administrators

Path: *

Allow all users to run scripts in the Windows folder

(Default Rule) All scripts located in the Windows folder

Everyone

Path: %windir%\*

Allow all users to run scripts in the Program Files folder

(Default Rule) All scripts located in the Program Files folder

Everyone

Path: %programfiles%\*

+ +  + +## Related topics + + +[Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +  + +  + + + + + diff --git a/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md new file mode 100644 index 0000000000..6cc38ffbeb --- /dev/null +++ b/windows/keep-secure/secpol-advanced-security-audit-policy-settings.md 
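Review bot: in the script-rules-in-applocker.md hunk, the two default rules for Everyone (`Path: %windir%\*` and `Path: %programfiles%\*`) are path conditions, and security-considerations-for-applocker.md in this same commit says a path rule still depends on the ACLs of the folder it covers; a one-line pointer to that caveat belongs under this table, because the rule matches any script under either path and the folder ACLs are what keep untrusted users from adding scripts there. The Purpose column also mixes "Allows members..." with "Allow all users..."; use one verb form. The sentence "AppLocker defines script rules to include only the following file formats" should cross-reference the statement in the security-considerations topic that other interpreted code (Perl scripts, Office macros) is not controlled, so readers do not assume the five listed extensions cover all scripts.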
@@ -0,0 +1,41 @@ +--- +title: Advanced security audit policy settings (Windows 10) +description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. +ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Advanced security audit policy settings + + +**Applies to** + +- Windows 10 + +Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. + +The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + +- A group administrator has modified settings or data on servers that contain finance information. + +- An employee within a defined group has accessed an important file. + +- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + +You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy. + +These Advanced Audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. + +For more info, see [Advanced security audit policies](advanced-security-auditing.md). + +  + +  + + + + + 
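Review bot: `ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3` in this file's front matter is uppercase while every other new file in this commit (script-rules-in-applocker.md, security-auditing-overview.md, security-considerations-for-applocker.md, security-options.md) uses a lowercase GUID; lowercase it for consistency. The third bullet ("The correct system access control list (SACL) is applied to every file and folder or registry key...") describes a state rather than an activity, unlike the two bullets before it that the audit settings "track"; reword it, for example "Verifying that the correct SACL is applied to every file...". The `+  ` non-breaking-space paragraphs at the end of the file are conversion residue.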
diff --git a/windows/keep-secure/security-auditing-overview.md b/windows/keep-secure/security-auditing-overview.md new file mode 100644 index 0000000000..bc9ff675c5 --- /dev/null +++ b/windows/keep-secure/security-auditing-overview.md @@ -0,0 +1,62 @@ +--- +title: Security auditing (Windows 10) +description: Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. +ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Security auditing + + +**Applies to** + +- Windows 10 + +Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. + +## + + +Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. + +For info on the changes that were added in Windows 10, see [Security auditing](../whats-new/security-auditing.md). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Basic security audit policies](basic-security-audit-policies.md)

Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.

[Advanced security audit policies](advanced-security-auditing.md)

Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md new file mode 100644 index 0000000000..0fddbefbdc --- /dev/null +++ b/windows/keep-secure/security-considerations-for-applocker.md 
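Review bot: in the security-auditing-overview.md hunk, the empty `## ` heading before "Security auditing is one of the most powerful tools..." renders as a blank section title; give it a title or remove the heading line. In both the description front matter and the first body paragraph, "Topics in this section are for IT professionals and describes" should read "describe". The trailing `+  ` paragraphs are conversion residue.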
@@ -0,0 +1,62 @@ +--- +title: Security considerations for AppLocker (Windows 10) +description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. +ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Security considerations for AppLocker + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. + +The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for AppLocker: + +AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. + +AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. + +Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx). 
+ +AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. + +When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. + +AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. + +You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. 
+ +AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. + +**Important**   +You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + +  + +AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. + +**Note**   +Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +  + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + 
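Review bot: the sentence "However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer." appears twice in this file, once in the Group Policy paragraph and again in the Administrator/LocalSystem paragraph; keep one. The NTVDM paragraph cites only Windows Server 2008 R2 and Windows 7 and the POSIX paragraph cites Windows NT, yet the topic's Applies to is Windows 10; state which of these conditions still hold on Windows 10 rather than leaving the reader to guess. The Note naming `SANDBOX_INERT` and `LOAD_IGNORE_CODE_AUTHZ_LEVEL` would be more useful to the "thoroughly examine each application" instruction above it if it said plainly that reviewers should check for calls to `CreateRestrictedToken` and `LoadLibraryEx` that pass those flags, which is what the Note already implies.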
diff --git a/windows/keep-secure/security-options.md b/windows/keep-secure/security-options.md new file mode 100644 index 0000000000..b6d6747c20 --- /dev/null +++ b/windows/keep-secure/security-options.md 
@@ -0,0 +1,440 @@ +--- +title: Security Options (Windows 10) +description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. +ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Security Options + + +**Applies to** + +- Windows 10 + +Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting. + +The **Security Options** contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your organization. + +If you edit policy settings locally on a device, you will affect the settings on only that one device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO. + +For info about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Accounts: Administrator account status](accounts-administrator-account-status.md)

Describes the best practices, location, values, and security considerations for the Accounts: Administrator account status security policy setting.

[Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md)

Describes the best practices, location, values, management, and security considerations for the Accounts: Block Microsoft accounts security policy setting.

[Accounts: Guest account status](accounts-guest-account-status.md)

Describes the best practices, location, values, and security considerations for the Accounts: Guest account status security policy setting.

[Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)

Describes the best practices, location, values, and security considerations for the Accounts: Limit local account use of blank passwords to console logon only security policy setting.

[Accounts: Rename administrator account](accounts-rename-administrator-account.md)

This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.

[Accounts: Rename guest account](accounts-rename-guest-account.md)

Describes the best practices, location, values, and security considerations for the Accounts: Rename guest account security policy setting.

[Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md)

Describes the best practices, location, values, and security considerations for the Audit: Audit the access of global system objects security policy setting.

[Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)

Describes the best practices, location, values, and security considerations for the Audit: Audit the use of Backup and Restore privilege security policy setting.

[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)

Describes the best practices, location, values, and security considerations for the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.

[Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)

Describes the best practices, location, values, management practices, and security considerations for the Audit: Shut down system immediately if unable to log security audits security policy setting.

[DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.

[DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)

Describes the best practices, location, values, and security considerations for the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.

[Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)

Describes the best practices, location, values, and security considerations for the Devices: Allow undock without having to log on security policy setting.

[Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)

Describes the best practices, location, values, and security considerations for the Devices: Allowed to format and eject removable media security policy setting.

[Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)

Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting.

[Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)

Describes the best practices, location, values, and security considerations for the Devices: Restrict CD-ROM access to locally logged-on user only security policy setting.

[Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)

Describes the best practices, location, values, and security considerations for the Devices: Restrict floppy access to locally logged-on user only security policy setting.

[Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)

Describes the best practices, location, values, and security considerations for the Domain controller: Allow server operators to schedule tasks security policy setting.

[Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)

Describes the best practices, location, values, and security considerations for the Domain controller: LDAP server signing requirements security policy setting.

[Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)

Describes the best practices, location, values, and security considerations for the Domain controller: Refuse machine account password changes security policy setting.

[Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt or sign secure channel data (always) security policy setting.

[Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt secure channel data (when possible) security policy setting.

[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)

Describes the best practices, location, values, and security considerations for the Domain member: Digitally sign secure channel data (when possible) security policy setting.

[Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)

Describes the best practices, location, values, and security considerations for the Domain member: Disable machine account password changes security policy setting.

[Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)

Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting.

[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)

Describes the best practices, location, values, and security considerations for the Domain member: Require strong (Windows 2000 or later) session key security policy setting.

[Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Display user information when the session is locked security policy setting.

[Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Do not display last user name security policy setting.

[Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)

Describes the best practices, location, values, and security considerations for the Interactive logon: Do not require CTRL+ALT+DEL security policy setting.

[Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine account lockout threshold security policy setting.

[Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine inactivity limit security policy setting.

[Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)

Describes the best practices, location, values, management, and security considerations for the Interactive logon: Message text for users attempting to log on security policy setting.

[Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Message title for users attempting to log on security policy setting.

[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting.

[Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting.

[Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)

Describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Require Domain Controller authentication to unlock workstation security policy setting.

[Interactive logon: Require smart card](interactive-logon-require-smart-card.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Require smart card security policy setting.

[Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)

Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Smart card removal behavior security policy setting.

[Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Digitally sign communications (always) security policy setting.

[Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)

Describes the best practices, location, values, and security considerations for the Microsoft network client: Digitally sign communications (if server agrees) security policy setting.

[Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Send unencrypted password to third-party SMB servers security policy setting.

[Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)

Describes the best practices, location, values, and security considerations for the Microsoft network server: Amount of idle time required before suspending session security policy setting.

[Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)

Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting.

[Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (always) security policy setting.

[Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)

Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (if client agrees) security policy setting.

[Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)

Describes the best practices, location, values, and security considerations for the Microsoft network server: Disconnect clients when logon hours expire security policy setting.

[Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)

Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server: Server SPN target name validation level security policy setting.

[Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Allow anonymous SID/Name translation security policy setting.

[Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)

Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts security policy setting.

[Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)

Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts and shares security policy setting.

[Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Do not allow storage of passwords and credentials for network authentication security policy setting.

[Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Let Everyone permissions apply to anonymous users security policy setting.

[Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Named Pipes that can be accessed anonymously security policy setting.

[Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Remotely accessible registry paths security policy setting.

[Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)

Describes the best practices, location, values, and security considerations for the Network access: Remotely accessible registry paths and subpaths security policy setting.

[Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Restrict anonymous access to Named Pipes and Shares security policy setting.

[Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Shares that can be accessed anonymously security policy setting.

[Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)

Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting.

[Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)

Describes the location, values, policy management, and security considerations for the Network security: Allow Local System to use computer identity for NTLM security policy setting.

[Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)

Describes the best practices, location, values, and security considerations for the Network security: Allow LocalSystem NULL session fallback security policy setting.

[Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)

Describes the best practices, location, and values for the Network Security: Allow PKU2U authentication requests to this computer to use online identities security policy setting.

[Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)

Describes the best practices, location, values and security considerations for the Network security: Configure encryption types allowed for Kerberos Win7 only security policy setting.

[Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Do not store LAN Manager hash value on next password change security policy setting.

[Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Force logoff when logon hours expire security policy setting.

[Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: LAN Manager authentication level security policy setting.

[Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system.

[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting.

[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)

Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting.

[Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication security policy setting.

[Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add server exceptions in this domain security policy setting.

[Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit incoming NTLM traffic security policy setting.

[Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit NTLM authentication in this domain security policy setting.

[Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Incoming NTLM traffic security policy setting.

[Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: NTLM authentication in this domain security policy setting.

[Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)

Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers security policy setting.

[Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)

Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow automatic administrative logon security policy setting.

[Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)

Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow floppy copy and access to all drives and folders security policy setting.

[Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Allow system to be shut down without having to log on security policy setting.

[Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Clear virtual memory pagefile security policy setting.

[System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)

Describes the best practices, location, values, policy management and security considerations for the System cryptography: Force strong key protection for user keys stored on the computer security policy setting.

[System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

[System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)

Describes the best practices, location, values, policy management and security considerations for the System objects: Require case insensitivity for non-Windows subsystems security policy setting.

[System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)

Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.

[System settings: Optional subsystems](system-settings-optional-subsystems.md)

Describes the best practices, location, values, policy management and security considerations for the System settings: Optional subsystems security policy setting.

[System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)

Describes the best practices, location, values, policy management and security considerations for the System settings: Use certificate rules on Windows executables for Software Restriction Policies security policy setting.

[User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Admin Approval Mode for the Built-in Administrator account security policy setting.

[User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)

Describes the best practices, location, values, and security considerations for the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting.

[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting.

[User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for standard users security policy setting.

[User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Detect application installations and prompt for elevation security policy setting.

[User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate executables that are signed and validated security policy setting.

[User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate UIAccess applications that are installed in secure locations security policy setting.

[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Run all administrators in Admin Approval Mode security policy setting.

[User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Switch to the secure desktop when prompting for elevation security policy setting.

[User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)

Describes the best practices, location, values, policy management and security considerations for the User Account Control: Virtualize file and registry write failures to per-user locations security policy setting.

+ +  + +## Related topics + + +[Security policy settings reference](security-policy-settings-reference.md) + +[Security policy settings](security-policy-settings.md) + +  + +  + + + + + diff --git a/windows/keep-secure/security-policy-settings-reference.md b/windows/keep-secure/security-policy-settings-reference.md new file mode 100644 index 0000000000..62c40372cc --- /dev/null +++ b/windows/keep-secure/security-policy-settings-reference.md @@ -0,0 +1,71 @@ +--- +title: Security policy settings reference (Windows 10) +description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. +ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Security policy settings reference + + +**Applies to** + +- Windows 10 + +This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. + +This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you cannot configure are not described in this reference. + +Each policy setting described contains referential content such as a detailed explanation of the settings, best practices, default settings, differences between operating system versions, policy management considerations, and security considerations that include a discussion of vulnerability, countermeasures, and potential impact of those countermeasures. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Account Policies](account-policies.md)

An overview of account policies in Windows and provides links to policy descriptions.

[Audit Policy](audit-policy.md)

Provides information about basic audit policies that are available in Windows and links to information about each setting.

[Security Options](security-options.md)

Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting.

[Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md)

Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.

[User Rights Assignment](user-rights-assignment.md)

Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/security-policy-settings.md b/windows/keep-secure/security-policy-settings.md new file mode 100644 index 0000000000..67592a65d4 --- /dev/null +++ b/windows/keep-secure/security-policy-settings.md 
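Review bot: the entry descriptions in security-options.md should quote the policy name exactly as the link title and file name spell it; the PKU2U entry and all six "Restrict NTLM" descriptions write "Network Security:" with a capital S while their headings use "Network security:", and the "Configure encryption types allowed for Kerberos Win7 only" heading and description carry a "Win7 only" suffix that no other entry has, so please confirm that is the intended policy name rather than an editing remnant. Two entries (LDAP client signing requirements, and Use FIPS compliant algorithms for encryption, hashing, and signing) fall back to the generic "This security policy reference topic for the IT professional describes..." sentence instead of naming the setting as every other entry does; suggest "Describes the best practices, location, values, policy management and security considerations for the Network security: LDAP client signing requirements security policy setting." and the matching form for the FIPS entry. The "Related topics" block at the end of the file is followed by lines holding only "+" and a non-breaking space; trim those trailing lines.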
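Review bot: the "In this section" table in security-policy-settings-reference.md is not parallel: the Account Policies row, "An overview of account policies in Windows and provides links to policy descriptions.", joins a noun phrase to a verb phrase, so suggest "Provides an overview of account policies in Windows and links to policy descriptions." to match the other rows. The User Rights Assignment row, "links to information about the User Rights Assignment security policy settings user rights that are available in Windows", stacks "security policy settings user rights"; suggest "links to information about the User Rights Assignment security policy settings that are available in Windows." The front-matter description repeats the first body sentence verbatim, which is acceptable for metadata but worth a deliberate check. As in the previous file, the table is followed by lines holding only "+" and a non-breaking space that should be trimmed.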
@@ -0,0 +1,489 @@ +--- +title: Security policy settings (Windows 10) +description: This reference topic describes the common scenarios, architecture, and processes for security settings. +ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Security policy settings + + +**Applies to** + +- Windows 10 + +This reference topic describes the common scenarios, architecture, and processes for security settings. + +Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. + +Security settings can control: + +- User authentication to a network or device. + +- The resources that users are permitted to access. + +- Whether to record a user’s or group’s actions in the event log. + +- Membership in a group. + +To manage security configurations for multiple devices, you can use one of the following options: + +- Edit specific security settings in a GPO. + +- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security. 
+ +For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md). + +The Security Settings extension of the Local Group Policy Editor includes the following types of security policies: + +- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: + + - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. + + - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. + + - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement. + +- **Local Policies.** These policies apply to a computer and include the following types of policy settings: + + - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). + + **Note**   + For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. + +   + + - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device + + - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. 
+ +- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. + +- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. + +- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. + +- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. + +- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. + +- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. + +- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. + +## Policy-based security settings management + + +The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies. + +You can define and apply security settings policies to users, groups, and network servers and clients through Group Policy and Active Directory Domain Services (AD DS). 
A group of servers with the same functionality can be created (for example, a Microsoft Web (IIS) server), and then Group Policy Objects can be used to apply common security settings to the group. If more servers are added to this group later, many of the common security settings are automatically applied, reducing deployment and administrative labor. + +### Common scenarios for using security settings policies + +Security settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), service startup modes, and more. + +As part of your security strategy, you can create GPOs with security settings policies configured specifically for the various roles in your organization, such as domain controllers, file servers, member servers, clients, and so on. + +You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO. + +Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. 
+ +**Note**   +These refresh settings vary between versions of the operating system and can be configured. + +  + +By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. + +### Dependencies on other operating system technologies + +For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies: + +- **Active Directory Domain Services (AD DS)** + + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + +- **Group Policy** + + The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. + +- **Domain Name System (DNS)** + + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + +- **Winlogon** + + A part of the Windows operating system that provides interactive logon support. 
Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers. + +- **Setup** + + Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server. + +- **Security Accounts Manager (SAM)** + + A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs. + +- **Local Security Authority (LSA)** + + A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + +- **Windows Management Instrumentation (WMI)** + + A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers. + +- **Resultant Set of Policy (RSoP)** + + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + +- **Service Control Manager (SCM)** + + Used for configuration of service startup modes and security. 
+ +- **Registry** + + Used for configuration of registry values and security. + +- **File system** + + Used for configuration of security. + +- **File system conversions** + + Security is set when an administrator converts a file system from FAT to NTFS. + +- **Microsoft Management Console (MMC)** + + The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in. + +### Security settings policies and Group Policy + +The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tool set. The following components are associated with Security Settings: a configuration engine; an analysis engine; a template and database interface layer; setup integration logic; and the secedit.exe command-line tool. The security configuration engine is responsible for handling security configuration editor-related security requests for the system on which it runs. The analysis engine analyzes system security for a given configuration and saves the result. The template and database interface layer handles reading and writing requests from and to the template or database (for internal storage). The Security Settings extension of the Local Group Policy Editor handles Group Policy from a domain-based or local device. The security configuration logic integrates with setup and manages system security for a clean installation or upgrade to a more recent Windows operating system. Security information is stored in templates (.inf files) or in the Secedit.sdb database. + +The following diagram shows Security Settings and related features. + +**Security Settings Policies and Related Features** + +![components related to security policies](images/secpol-components.gif) + +- **Scesrv.dll** + + Provides the core security engine functionality. + +- **Scecli.dll** + + Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP). 
+ +- **Wsecedit.dll** + + The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface. + +- **Gpedit.dll** + + The Local Group Policy Editor MMC snap-in. + +## Security Settings extension architecture + + +The Security Settings extension of the Local Group Policy Editor is part of the Security Configuration Manager tools, as shown in the following diagram. + +**Security Settings Architecture** + +![architecture of security policy settings](images/secpol-architecture.gif) + +The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll. + +The following list describes these primary features of the security configuration engine and other Security Settings−related features. + +- **scesrv.dll** + + This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + + Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. + + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. 
+ + Communication between parts of the Security Settings extension occurs by using the following methods: + + - Component Object Model (COM) calls + + - Local Remote Procedure Call (LRPC) + + - Lightweight Directory Access Protocol (LDAP) + + - Active Directory Service Interfaces (ADSI) + + - Server Message Block (SMB) + + - Win32 APIs + + - Windows Management Instrumentation (WMI) calls + + On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs. + + Scesrv.dll also performs configuration and analysis operations. + +- **Scecli.dll** + + This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + + The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. + + Scecli.dll implements the client-side extension for Group Policy. + + Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device. + + Scecli.dll logs application of security policy into WMI (RSoP). + + Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA. + +- **Wsecedit.dll** + + The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO. 
+ +- **Secedit.sdb** + + This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. + +- **User databases** + + A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security. + +- **.Inf Templates** + + These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. + +## Security settings policy processes and interactions + + +For a domain-joined device, where Group Policy is administered, security settings are processed in conjunction with Group Policy. Not all settings are configurable. + +### Group Policy processing + +When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: + +1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. + +2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: + + - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. + + - The location of the device in Active Directory. + + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + +3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. + +4. Startup scripts run. 
This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. + +5. The user presses CTRL+ALT+DEL to log on. + +6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. + +7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: + + - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. + + - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. + + - The location of the user in Active Directory. + + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + +8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. + +9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. + +10. The operating system user interface that is prescribed by Group Policy appears. + +### Group Policy Objects storage + +A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations: + +- **Group Policy containers in Active Directory.** + + The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. 
+ +- **Group Policy templates in a domain’s system volume folder (SYSVOL).** + + The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder. + +The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO. + +### Group Policy processing order + +Group Policy settings are processed in the following order: + +1. **Local Group Policy Object.** + + Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally. + +2. **Site.** + + Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify. + +3. **Domain.** + + Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. + +4. **Organizational units.** + + Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed. + +At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify. 
+ +This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects. + +This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. + +### Security settings policy processing + +In the context of Group Policy processing, security settings policy is processed in the following order. + +1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply. + +2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension. + +3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller. + +4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged. + + This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. 
This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs. + + **Multiple GPOs and Merging of Security Policy** + + ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + +5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. + +6. The security settings policies are applied to devices. + +The following figure illustrates the security settings policy processing. + +**Security Settings Policy Processing** + +![process and interactions of security policy settin](images/secpol-processes.gif) + +### Merging of security policies on domain controllers + +Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: + +- Network Security: Force logoff when logon hours expire + +- Accounts: Administrator account status + +- Accounts: Guest account status + +- Accounts: Rename administrator account + +- Accounts: Rename guest account + +Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO. 
+ +### Special considerations for domain controllers + +If an application is installed on a primary domain controller (PDC) with operations master role (also known as flexible single master operations or FSMO) and the application makes changes to user rights or password policy, these changes must be communicated to ensure that synchronization across domain controllers occurs. Scesrv.dll receives a notification of any changes made to the security account manager (SAM) and LSA that need to be synchronized across domain controllers and then incorporates the changes into the Default Domain Controller Policy GPO by using scecli.dll template modification APIs. + +### When security settings are applied + +After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: + +- When a device is restarted. + +- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. + +- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. + +### Persistence of security settings policy + +Security settings can persist even if a setting is no longer defined in the policy that originally applied it. + +Security settings might persist in the following cases: + +- The setting has not been previously defined for the device. + +- The setting is for a registry security object. + +- The settings are for a file system security object. + +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. 
If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as “tattooing.” + +Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. + +### Permissions required for policy to apply + +Both Apply Group Policy and Read permissions are required to have the settings from a Group Policy Object apply to users or groups, and computers. + +### Filtering security policy + +By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. + +**Note**   +Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. + +  + +### Migration of GPOs containing security settings + +In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. + +Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. 
Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs is not as simple as taking a folder and copying it from one device to another. + +The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. + +- User rights assignment + +- Restricted groups + +- Services + +- File system + +- Registry + +- The GPO DACL, if you choose to preserve it during a copy operation + +To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Administer security policy settings](administer-security-policy-settings.md)

This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.

[Configure security policy settings](how-to-configure-security-policy-settings.md)

Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.

[Security policy settings reference](security-policy-settings-reference.md)

This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md new file mode 100644 index 0000000000..81f5647bf1 --- /dev/null +++ b/windows/keep-secure/security-technologies.md @@ -0,0 +1,75 @@ +--- +title: Security technologies (Windows 10) +description: Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. +ms.assetid: BFE2DE22-B0CE-465B-8CF6-28F64464DF08 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Security technologies + + +Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
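Review bot: typo in item 3 ("Domain.") of the "Group Policy processing order" list: "in an order you speciy" should read "in an order you specify". Two smaller points in the same file: the alt text of the "Security Settings Policy Processing" figure is cut off ("process and interactions of security policy settin") and should end in "settings"; and the scesrv.dll paragraph still says the LRPC check applies to "(Windows XP)", which reads as a leftover from an earlier version of this topic in a Windows 10 document, so either confirm that the qualifier is still meaningful or drop it.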
TopicDescription

[AppLocker](applocker-overview.md)

This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

[BitLocker](bitlocker-overview.md)

This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.

[Encrypted Hard Drive](encrypted-hard-drive.md)

Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.

[Security auditing](security-auditing-overview.md)

Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

[Security policy settings](security-policy-settings.md)

This reference topic describes the common scenarios, architecture, and processes for security settings.

[Trusted Platform Module](trusted-platform-module-overview.md)

This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.

[User Account Control](user-account-control-overview.md)

User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

[Windows Defender in Windows 10](windows-defender-in-windows-10.md)

This topic provides an overview of Windows Defender, including a list of system requirements and new features.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md new file mode 100644 index 0000000000..b40dc6855b --- /dev/null +++ b/windows/keep-secure/select-types-of-rules-to-create.md 
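Review bot: subject-verb agreement in the "Security auditing" row of the "In this section" table: "Topics in this section are for IT professionals and describes the security auditing features" should read "and describe the security auditing features". The same row also opens with "Topics in this section" while every other row opens with "This topic", so consider aligning it with the neighbouring rows.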
@@ -0,0 +1,122 @@ +--- +title: Select the types of rules to create (Windows 10) +description: This topic lists resources you can use when selecting your application control policy rules by using AppLocker. +ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Select the types of rules to create + + +**Applies to** + +- Windows 10 + +This topic lists resources you can use when selecting your application control policy rules by using AppLocker. + +When determining what types of rules to create for each of your groups, you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some apps, depending on the way that the applications are deployed in a specific business group. + +The following topics provide additional information about AppLocker rules that can help you decide what rules to use for your applications: + +- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) + +- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) + +- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) + +- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md) + +- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +### Select the rule collection + +The rules you create will be in one of the following rule collections: + +- Executable files: .exe and .com + +- Windows Installer files: .msi, .msp, and .mst + +- Scripts: .ps1, .bat, .cmd, .vbs, and .js + +- Packaged apps and packaged app installers: .appx + +- DLLs: .dll and .ocx + +By default, the rules will allow a file to run based upon user or group privilege. 
If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default. + +In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well. + +### Determine the rule condition + +A rule condition is criteria upon which an AppLocker rule is based and can only be one of the rule conditions in the following table. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Rule conditionUsage scenarioResources

Publisher

To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.

For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).

Path

Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).

For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).

File hash

Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.

For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).

+ +  + +In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. + +### Determine how to allow system files to run + +Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. + +You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. 
The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + +- Traverse Folder/Execute File + +- Create Files/Write Data + +- Create Folders/Append Data + +These permissions settings are applied to this folder for application compatibility. However, because any user can create files in this location, allowing apps to be run from this location might conflict with your organization's security policy. + +## Next steps + + +After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). + +After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). + +  + +  + + + + + diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md new file mode 100644 index 0000000000..146683721a --- /dev/null +++ b/windows/keep-secure/shut-down-the-system.md 
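Review bot: the "Determine how to allow system files to run" section closes on a risk without a remedy: it explains that the default path rule allows everything under the Windows folder, including the Temp subfolder where the Users group has Create Files/Write Data and Create Folders/Append Data, but only says this "might conflict with your organization's security policy". Since the same file already links to "Understanding AppLocker rule exceptions", end the section by pointing the reader there for excluding that writable subfolder from the default rule, otherwise the reader is left knowing about the gap but not how to close it. Also, the sentence "a DLL allow rule has to be created for each DLL that is used by all of the allowed apps" is ambiguous ("each DLL used by any allowed app" is presumably what is meant); consider rewording.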
@@ -0,0 +1,164 @@ +--- +title: Shut down the system (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. +ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Shut down the system + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Shut down the system** security policy setting. + +## Reference + + +This security setting determines if a user who is logged on locally to a device can shut down Windows. + +Shutting down domain controllers makes them unavailable to perform functions such as processing logon requests, processing Group Policy settings, and answering Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles (also known as flexible single master operations or FSMO roles) can disable key domain functionality; for example, processing logon requests for new passwords, which is performed by the primary domain controller (PDC) emulator master. + +The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancela shutdown. + +Constant: SeShutdownPrivilege + +### Possible values + +- A user-defined list of accounts + +- Defaults + +- Not defined + +### Best practices + +1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks will not be negatively affected. + +2. 
The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be very careful about the accounts and groups that you allow to shut down a domain controller. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers. + +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

+

Backup Operators

+

Server Operators

+

Print Operators

Stand-Alone Server Default Settings

Administrators

+

Backup Operators

Domain Controller Effective Default Settings

Administrators

+

Backup Operators

+

Server Operators

+

Print Operators

Member Server Effective Default Settings

Administrators

+

Backup Operators

Client Computer Effective Default Settings

Administrators

+

Backup Operators

+

Users

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the computer is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +This user right does not have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller. + +When a domain controller is shut down, it is no longer available to process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which is performed by the PDC master. 
+ +For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this user right be removed from users that do not have a legitimate reason to restart the servers. + +### Countermeasure + +Ensure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers. + +### Potential impact + +The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md new file mode 100644 index 0000000000..90d093a627 --- /dev/null +++ b/windows/keep-secure/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md 
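Review bot: typo in the Reference section: "to cancela shutdown" should read "to cancel a shutdown". Separately, item 2 of "Best practices" repeats the first paragraph of the "Vulnerability" section almost word for word ("The ability to shut down domain controllers should be limited to a very small number of trusted administrators..."); keep the full reasoning in the Vulnerability section and shorten the best-practice item to the recommendation itself.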
@@ -0,0 +1,138 @@ +--- +title: Shutdown Allow system to be shut down without having to log on (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Allow system to be shut down without having to log on security policy setting. +ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Shutdown: Allow system to be shut down without having to log on + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. + +## Reference + + +This policy setting determines whether a device can be shut down without having to log on to Windows. If you enable this policy setting, the **Shut Down** option is available on the logon screen in Windows. If you disable this policy setting, the **Shut Down** option is removed from the logon screen. This configuration requires that users are able to log on to the device successfully and that they have the **Shut down the system** user right before they can perform a shutdown. + +Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. + +### Possible values + +- Enabled + + The shut down command is available on the logon screen. + +- Disabled + + The shut down option is removed from the logon screen and users must have the **Shut down the system** user right before they can perform a shutdown. 
+ +- Not defined + +### Best practices + +1. On servers, set this policy to **Disabled**. You must log on to servers to shut them down or restart them. + +2. On client devices, set this policy to **Enabled** and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +For info about the User Rights Assignment policy, **Shut down the system**, see [Shut down the system](shut-down-the-system.md). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Users who can access the console locally could shut down the device + +Attackers who have access to the local console could restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. + +### Countermeasure + +Disable the **Shutdown: Allow system to be shut down without having to log on** setting. + +### Potential impact + +You must log on to servers to shut them down or restart them. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md new file mode 100644 index 0000000000..1076dedd2f --- /dev/null +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md 
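Review bot: best practice 2 ("On client devices, set this policy to Enabled and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy Shut down the system") conflicts with the Reference paragraph, which states that with Enabled the Shut Down option is on the logon screen and anyone at the console can use it without identifying themselves; the user-right list only limits shutdown after logon (the Disabled case), so either reword the best practice to say the user right restricts only logged-on users, or explain what protection it gives on clients when the logon-screen option is enabled. Smaller items: the first line under "Vulnerability" ("Users who can access the console locally could shut down the device") is missing its period, and the default-values table is raw HTML with a leftover "++++" colgroup fragment; a markdown pipe table would match the rest of the page.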
@@ -0,0 +1,133 @@ +--- +title: Shutdown Clear virtual memory pagefile (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. +ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Shutdown: Clear virtual memory pagefile + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting. + +## Reference + + +This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown. + +Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. 
A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source. + +### Possible values + +- Enabled + + The system paging file is cleared when the system shuts down normally. Also, this policy setting forces the computer to clear the hibernation file (hiberfil.sys) when hibernation is disabled on a portable device. + +- Disabled + +- Not defined + +### Best practices + +- Set this policy to **Enabled**. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. + +**Caution**   +An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source. + +  + +### Countermeasure + +Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down. + +### Potential impact + +It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. 
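Review bot: the Countermeasure names the setting "Shutdown: Clear virtual memory page file" while the title, heading and Reference use "pagefile"; use one spelling so readers can find it in the policy editor. Under "Possible values" only Enabled has a description; since the Reference already says the setting decides whether the paging file is cleared at shutdown, a one-line description for Disabled (paging file is not cleared) would match the sibling pages. The physical-access caveat (unplugging the device from its power source) appears both at the end of the Reference section and again as the Caution under Vulnerability; keeping it once under Security considerations avoids the duplication.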
For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/store-passwords-using-reversible-encryption.md b/windows/keep-secure/store-passwords-using-reversible-encryption.md new file mode 100644 index 0000000000..57c859368c --- /dev/null +++ b/windows/keep-secure/store-passwords-using-reversible-encryption.md 
@@ -0,0 +1,122 @@ +--- +title: Store passwords using reversible encryption (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. +ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Store passwords using reversible encryption + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. + +## Reference + + +The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. + +If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. 
This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. + +**Note**   +Do not enable this policy setting unless business requirements outweigh the need to protect password information. + +  + +### Location + +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** + +### Default values + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or Group Policy Object (GPO)Default value

Default domain policy

Disabled

Default domain controller policy

Disabled

Stand-alone server default settings

Disabled

Domain controller effective default settings

Disabled

Member server effective default settings

Disabled

Effective GPO default settings on client computers

Disabled

+ +  + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Enabling this policy setting allows the operating system to store passwords in a format that can weaken your overall security. + +### Countermeasure + +Disable the **Store password using reversible encryption** policy setting. + +### Potential impact + +If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. + +## Related topics + + +[Password Policy](password-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md new file mode 100644 index 0000000000..3da96de40b --- /dev/null +++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md 
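Review bot: the setting name is inconsistent within the page: the title, H1 and intro say "Store passwords using reversible encryption" (plural), while Reference, Best practices and Countermeasure say "Store password using reversible encryption"; pick the actual policy name and use it throughout. In Best practices and Potential impact, the sentence "This presents a security risk ... because it requires opening the appropriate user account object in Active Directory Users and Computers" gives the procedure as the reason for the risk; the risk is that the account's password is then stored in a form that can be decrypted (as the Reference paragraph says), so reword to state that and keep the per-user procedure as a separate how-to remark. Style: "Disabled" in Best practices is not bolded while "Enabled" is; the Location path is bolded and ends with a trailing backslash unlike the other pages; the table labels ("Server type or Group Policy Object (GPO)", "Default domain policy") use different wording and capitalization from the sibling files.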
@@ -0,0 +1,56 @@ +--- +title: Switch PCR banks on TPM 2.0 devices (Windows 10) +description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. +ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Switch PCR banks on TPM 2.0 devices + + +**Applies to** + +- Windows 10 + +A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank. + +To store a new value in a PCR, the existing value is extended with a new value as follows: + +PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend ) + +The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR. + +The [TCG PC Client Specific Platform TPM Profile for TPM 2.0](http://go.microsoft.com/fwlink/p/?LinkId=746577) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation. + +Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. 
Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. + +## How does Windows 10 use PCRs? + + +To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows 10 uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. + +It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration otherwise, the PCR values will not match. + +## What happens when PCR banks are switched? + + +When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. For the same input, each hash algorithm will return a different cryptographic signature for the same inputs. + +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows 10 will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. + +## What can I do to switch PCRs when BitLocker is already active? 
+ + +Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor. + +  + +  + + + + + diff --git a/windows/keep-secure/synchronize-directory-service-data.md b/windows/keep-secure/synchronize-directory-service-data.md new file mode 100644 index 0000000000..f27a3177b6 --- /dev/null +++ b/windows/keep-secure/synchronize-directory-service-data.md 
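Review bot: under "What happens when PCR banks are switched?", "each hash algorithm will return a different cryptographic signature for the same inputs" should say "digest" (or "hash value"); a hash is not a signature, and the earlier section already uses "digest" for the result of the Extend operation. The same sentence also says "For the same input" and "for the same inputs"; one is enough. The Extend formula PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend ) is written as an escaped prose line; putting it in a fenced code block keeps the brackets and the concatenation operator readable. In "How does Windows 10 use PCRs?", the sentence "a key can be bound to a specific value of the SHA-1 PCR[12], if using SHA-256 PCR banks, even with the same system configuration otherwise, the PCR values will not match" is a comma splice; split it after "PCR[12]".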
@@ -0,0 +1,140 @@ +--- +title: Synchronize directory service data (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. +ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Synchronize directory service data + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Synchronize directory service data** security policy setting. + +## Reference + + +This policy setting determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. + +Constant: SeSyncAgentPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- Ensure that no accounts are assigned the **Synchronize directory service data** user right. Only domain controllers need this privilege, which they inherently have. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is not defined on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

Domain Controller Effective Default Settings

Enabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses. + +### Countermeasure + +Ensure that no accounts are assigned the **Synchronize directory service data** user right. + +### Potential impact + +None. Not defined is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + 
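Review bot: the default-values table lists "Enabled" for Domain Controller Effective Default Settings and "Disabled" for member servers and clients, but this is a user right whose possible values are given a few lines earlier as "User-defined list of accounts" or "Not defined", and the sentence above the table says the setting is not defined on domain controllers and stand-alone servers; the table should show which accounts hold the right (or "Not defined"), not Enabled/Disabled, and should agree with that sentence and with the Reference paragraph, which says domain controllers hold the right inherently through the System account. Minor: the restart text is present but the "Restart requirement" subheading used by the sibling pages is missing.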
diff --git a/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md new file mode 100644 index 0000000000..ccdb41c94f --- /dev/null +++ b/windows/keep-secure/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md 
@@ -0,0 +1,128 @@ +--- +title: System cryptography Force strong key protection for user keys stored on the computer (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the System cryptography Force strong key protection for user keys stored on the computer security policy setting. +ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# System cryptography: Force strong key protection for user keys stored on the computer + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. + +## Reference + + +This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password. + +Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally-stored user keys, even if the attacker takes control of the user's device and determines their logon password. + +### Possible values + +- **User input is not required when new keys are stored and used** + +- **User is prompted when the key is first used** + +- **User must enter a password each time they use a key** + +- Not defined + +### Best practices + +- Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they will be forced to enter the password for that certificate every time they send a signed email message. 
For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Client Computer Effective Default Settings

Not defined

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +If a user's account is compromised or the user's device is inadvertently left unsecured, the malicious user can use the keys that are stored for the user to access protected resources. + +### Countermeasure + +Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the logon password. + +### Potential impact + +Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they are forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. At a minimum, this setting should be set to **User is prompted when the key is first used**. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
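Review bot: in Potential impact, "the overhead that is involved by using this configuration" should be "involved in using" (Best practices says "caused by using"); the two paragraphs otherwise repeat each other almost verbatim, so one could be shortened to a cross-reference. Also "locally-stored" in the Reference section versus "locally stored" in the Countermeasure; pick one form.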
diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md new file mode 100644 index 0000000000..8c2c61ba3e --- /dev/null +++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md 
@@ -0,0 +1,185 @@ +--- +title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) +description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. +ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing + + +**Applies to** + +- Windows 10 + +This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. + +## Reference + + +The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government. + +**TLS/SSL** + +This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. + +**Encrypting File System (EFS)** + +For the EFS service, this policy setting supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. 
To encrypt file data, by default EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003, Windows Vista, and later, and it uses a DESX algorithm in Windows XP. + +**Remote Desktop Services (RDS)** + +For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm. + +**BitLocker** + +For BitLocker, this policy setting needs to be enabled before any encryption key is generated. + +Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +### Operating system version differences + +When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. + +When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to versions listed in the following: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Operating systemsApplicability

Windows 10, Windows 8.1, and Windows Server 2012 R2

When created on these operating systems, the recovery password cannot be used on other systems listed in this table.

Windows Server 2012 and Windows 8

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Windows Server 2008 R2 and Windows 7

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Windows Server 2008 and Windows Vista

When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +You can enable this policy setting to ensure that the device uses the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimize the risk of compromise of digitally encrypted or signed data by an unauthorized user. + +### Countermeasure + +Enable the **System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing** setting. + +### Potential impact + +Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). 
The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md new file mode 100644 index 0000000000..d26e95bbce --- /dev/null +++ b/windows/keep-secure/system-objects-require-case-insensitivity-for-non-windows-subsystems.md 
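Review bot: the Vulnerability subsection of this hunk describes the benefit of enabling the setting rather than the exposure of leaving it off; suggest opening it with the risk (data that is encrypted, hashed or signed with weaker, non-FIPS algorithms is easier for an unauthorized user to compromise) and moving "You can enable this policy setting to ensure that the device uses the most powerful algorithms..." to Countermeasure. In the same paragraph "Use of these algorithms minimize the risk" should read "minimizes". Under Potential impact, "many Apache-based Web servers are not configured to support TLS" is stated as fact without qualification; either cite a source or soften it to "servers that are not configured to support TLS".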
@@ -0,0 +1,130 @@ +--- +title: System objects Require case insensitivity for non-Windows subsystems (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the System objects Require case insensitivity for non-Windows subsystems security policy setting. +ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# System objects: Require case insensitivity for non-Windows subsystems + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. + +## Reference + + +This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is not case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting does not allow the Win32 subsystem to become case sensitive. + +Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting is not enforced, it is possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. + +### Possible values + +- Enabled + + Case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. + +- Disabled + + Will not allow the Win32 subsystem to become case sensitive. 
+ +- Not defined + +### Best practices + +- Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Because Windows is case insensitive but the POSIX subsystem supports case sensitivity, failure to enable this policy setting makes it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of uppercase and lowercase letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files is available. + +### Countermeasure + +Enable the **System objects: Require case insensitivity for non-Windows subsystems** setting. + +### Potential impact + +All subsystems are forced to observe case insensitivity. This configuration may confuse users who are familiar with any UNIX-based operating systems that are case sensitive. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md new file mode 100644 index 0000000000..3927b70a25 --- /dev/null +++ b/windows/keep-secure/system-objects-strengthen-default-permissions-of-internal-system-objects.md 
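Review bot: this topic omits the "### Group Policy" subsection that the preceding topic carries under Policy management (the note that a GPO setting takes precedence and local settings apply when it is Not Configured); add it so the Security Options topics stay consistent. In Reference, "Disabling this policy setting does not allow the Win32 subsystem to become case sensitive" repeats the Disabled value text almost verbatim; one statement is enough. Since "Applies to" lists Windows 10 while the Reference, Vulnerability and default table all depend on the POSIX subsystem, confirm that the subsystem is still present there or add an applicability note.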
@@ -0,0 +1,124 @@ +--- +title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. +ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. + +## Reference + + +This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- It is advisable to set this policy to **Enabled**. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\ Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it is possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they did not create. + +### Countermeasure + +Enable the **System objects: Strengthen default permissions of global system objects (for example, Symbolic Links)** setting. + +### Potential impact + +None. 
This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/system-settings-optional-subsystems.md b/windows/keep-secure/system-settings-optional-subsystems.md new file mode 100644 index 0000000000..6dc7df6ae0 --- /dev/null +++ b/windows/keep-secure/system-settings-optional-subsystems.md 
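Review bot: the setting name is inconsistent within the hunk: the title, Reference and Possible values use "internal system objects (e.g. Symbolic Links)", the Vulnerability text uses "(e.g., Symbolic Links)", and Countermeasure says "**System objects: Strengthen default permissions of global system objects (for example, Symbolic Links)**"; use the name exactly as it appears in the policy UI throughout so that readers searching a GPO find the right entry. Reference says enabling the policy lets non-administrators "read, but not to modify, shared objects that they did not create" while Vulnerability says it stops programs "from writing to objects that they did not create"; both are fine, but the Potential impact "None." would be clearer if it also noted that the change only affects objects the user did not create, as Reference already states.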
@@ -0,0 +1,126 @@ +--- +title: System settings Optional subsystems (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. +ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# System settings: Optional subsystems + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting. + +## Reference + + +This policy setting determines which subsystems support your applications. You can use this security setting to specify as many subsystems as your environment demands. + +The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then logs out, the next user who logs on to the system might access the process that the previous user started. This is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. + +### Possible values + +- User-defined list of subsystems + +- Not defined + +### Best practices + +- Set this policy setting to a null value. The default value is **POSIX**, so applications that rely on the POSIX subsystem will no longer run. For example, Microsoft Services for UNIX 3.0 installs an updated version of the POSIX subsystem. Reset this policy setting in Group Policy for any servers that use Services for UNIX 3.0. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

POSIX

DC Effective Default Settings

POSIX

Member Server Effective Default Settings

POSIX

Client Computer Effective Default Settings

POSIX

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. + +The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. + +### Countermeasure + +Configure the **System settings: Optional subsystems setting** to a null value. The default value is POSIX. + +### Potential impact + +Applications that rely on the POSIX subsystem no longer operate. For example, Microsoft Services for UNIX (SFU) installs an updated version of the POSIX subsystem that is required, so you must reconfigure this setting in Group Policy for any servers that use SFU. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md new file mode 100644 index 0000000000..278033dbc8 --- /dev/null 
+++ b/windows/keep-secure/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md 
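Review bot: in Reference, "The subsystem introduces a security risk" has no antecedent; the preceding paragraph names no subsystem, so say "The POSIX subsystem" as the Vulnerability section later does. In Countermeasure the bold spans "**System settings: Optional subsystems setting**", folding the word "setting" into the policy name; close the bold after "subsystems" to match the other topics. Best practices cites "Microsoft Services for UNIX 3.0" while Potential impact cites "Microsoft Services for UNIX (SFU)" with no version; align them. As with the case-insensitivity topic, "Applies to: Windows 10" together with a default of POSIX in every row of the table should be verified before publishing.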
@@ -0,0 +1,124 @@ +--- +title: System settings Use certificate rules on Windows executables for Software Restriction Policies (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the System settings Use certificate rules on Windows executables for Software Restriction Policies security policy setting. +ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# System settings: Use certificate rules on Windows executables for Software Restriction Policies + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. + +## Reference + + +This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. This security setting enables or disables certificate rules (which are a type of software restriction policy). With a software restriction policy, you can create a certificate rule that allows or disallows Microsoft Authenticode®-signed software to run, based on the digital certificate that is associated with the software. For certificate rules to work in software restriction policies, you must enable this security setting. + +### Possible values + +- Enabled + +- Disabled + +- Not defined + +### Best practices + +- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. 
You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Without the use of software restriction policies, users and device might be exposed to unauthorized software that could include malware. + +### Countermeasure + +Enable the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** setting. + +### Potential impact + +If you enable certificate rules, software restriction policies check a certificate revocation list (CRL) to verify that the software's certificate and signature are valid. This checking process may negatively affect performance when signed programs start. To disable this feature, you can edit the software restriction policies in the appropriate GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/take-ownership-of-files-or-other-objects.md b/windows/keep-secure/take-ownership-of-files-or-other-objects.md new file mode 100644 index 0000000000..6ec1df5665 --- /dev/null +++ b/windows/keep-secure/take-ownership-of-files-or-other-objects.md 
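Review bot: Best practices recommends Enabled and then, in the same bullet, explains how to turn CRL checking off by clearing the Publisher and Timestamp check boxes without saying what is given up; add that once those are cleared a revoked signing certificate will still satisfy the certificate rule, so the performance trade-off should be a deliberate choice, and carry the same caveat into Potential impact, which repeats the instructions. In Vulnerability, "users and device might be exposed" should read "users and devices", and the sentence describes the risk of having no software restriction policies at all; the more precise exposure for this setting, per the Reference paragraph, is that certificate rules in an existing policy are not evaluated when it is Disabled.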
@@ -0,0 +1,160 @@ +--- +title: Take ownership of files or other objects (Windows 10) +description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. +ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Take ownership of files or other objects + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting. + +## Reference + + +This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads. + +Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted. + +By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object. + +Constant: SeTakeOwnershipPrivilege + +### Possible values + +- User-defined list of accounts + +- Not defined + +### Best practices + +- Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + +### Default values + +By default this setting is Administrators on domain controllers and on stand-alone servers. + +The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

Client Computer Effective Default Settings

Administrators

+ +  + +## Policy management + + +This section describes features, tools, and guidance to help you manage this policy. + +A restart of the device is not required for this policy setting to be effective. + +Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + +Ownership can be taken by: + +- An administrator. By default, the Administrators group is given the **Take ownership of files or other objects** user right. + +- Anyone or any group who has the **Take ownership** user right on the object. + +- A user who has the **Restore files and directories** user right. + +Ownership can be transferred in the following ways: + +- The current owner can grant the **Take ownership** user right to another user if that user is a member of a group defined in the current owner's access token. The user must take ownership to complete the transfer. + +- An administrator can take ownership. + +- A user who has the **Restore files and directories** user right can double-click **Other users and groups** and choose any user or group to assign ownership to. + +### Group Policy + +Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + +1. Local policy settings + +2. Site policy settings + +3. Domain policy settings + +4. OU policy settings + +When a local setting is greyed out, it indicates that a GPO currently controls that setting. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. 
Such changes could result in exposure of data, corruption of data, or a denial-of-service condition. + +### Countermeasure + +Ensure that only the local Administrators group has the **Take ownership of files or other objects** user right. + +### Potential impact + +None. Restricting the **Take ownership of files or other objects** user right to the local Administrators group is the default configuration. + +## Related topics + + +[User Rights Assignment](user-rights-assignment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md new file mode 100644 index 0000000000..288b71b44d --- /dev/null +++ b/windows/keep-secure/test-an-applocker-policy-by-using-test-applockerpolicy.md 
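Review bot: in Vulnerability the bold runs to "**Take ownership of files or other objects user right**", folding "user right" into the policy name; close the bold after "objects" as Countermeasure does, and "Any users with" should be "Any user with". Under Policy management the list mixes the user right with the object permission: "the **Take ownership** user right on the object" and "grant the **Take ownership** user right to another user" describe the permission set on the object (Reference distinguishes permissions on the object from this user right), so call it the Take ownership permission there. In Reference, "the person who or the process which created the object" reads awkwardly; suggest "the user or process that created the object". The sentence "By default this setting is Administrators on domain controllers and on stand-alone servers" duplicates the table that follows and omits member servers and clients, which the table also lists as Administrators; drop it or make it complete.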
@@ -0,0 +1,53 @@ +--- +title: Test an AppLocker policy by using Test-AppLockerPolicy (Windows 10) +description: This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. +ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Test an AppLocker policy by using Test-AppLockerPolicy + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. + +The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collections will be blocked on your reference computer or the computer on which you maintain policies. Perform the following steps on any computer where the AppLocker policies are applied. + +Any user account can be used to complete this procedure. + +**To test an AppLocker policy by using Test-AppLockerPolicy** + +1. Export the effective AppLocker policy. To do this, you must use the **Get-AppLockerPolicy** Windows PowerShell cmdlet. + + 1. Open a Windows PowerShell command prompt window as an administrator. + + 2. Use the **Get-AppLockerPolicy** cmdlet to export the effective AppLocker policy to an XML file: + + `Get-AppLockerPolicy –Effective –XML > ` + +2. 
Use the **Get-ChildItem** cmdlet to specify the directory that you want to test, specify the **Test-AppLockerPolicy** cmdlet with the XML file from the previous step to test the policy, and use the **Export-CSV** cmdlet to export the results to a file to be analyzed: + + `Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV ` + +The following shows example input for **Test-AppLockerPolicy**: + +`PS C:\ Get-AppLockerPolicy –Effective –XML > C:\Effective.xml` + +`PS C:\ Get-ChildItem 'C:\Program Files\Microsoft Office\' –filter *.exe –Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy C:\Effective.xml –User contoso\zwie –Filter Denied,DeniedByDefault | Export-CSV C:\BlockedFiles.csv` + +In the example, the effective AppLocker policy is exported to the file C:\\Effective.xml. The **Get-ChildItem** cmdlet is used to recursively gather path names for the .exe files in C:\\Program Files\\Microsoft Office\\. The XMLPolicy parameter specifies that the C:\\Effective.xml file is an XML AppLocker policy file. By specifying the User parameter, you can test the rules for specific users, and the **Export-CSV** cmdlet allows the results to be exported to a comma-separated file. In the example, `-FilterDenied,DeniedByDefault` displays only those files that will be blocked for the user under the policy. + +  + +  + + + + + diff --git a/windows/keep-secure/test-and-update-an-applocker-policy.md b/windows/keep-secure/test-and-update-an-applocker-policy.md new file mode 100644 index 0000000000..5157667a41 --- /dev/null +++ b/windows/keep-secure/test-and-update-an-applocker-policy.md 
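Review bot: the command lines in this hunk have lost their placeholders: "Get-AppLockerPolicy –Effective –XML > " ends after the redirection, and "Get-ChildItem -Filter -Recurse | Convert-Path | Test-AppLockerPolicy –XMLPolicy -User -Filter | Export-CSV " has no values for -Filter, -XMLPolicy, -User or Export-CSV; the angle-bracket placeholders appear to have been swallowed as HTML, so escape them or write them as `&lt;...&gt;`. "Any user account can be used to complete this procedure" conflicts with step 1, "Open a Windows PowerShell command prompt window as an administrator"; state which applies. Minor: the parameters mix the en dash in "–Effective" and "–XMLPolicy" with ASCII hyphens elsewhere, the example prompts "PS C:\ Get-..." lack the ">" that a real prompt shows, and the inline "-FilterDenied,DeniedByDefault" in the closing paragraph is missing its space.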
@@ -0,0 +1,78 @@ +--- +title: Test and update an AppLocker policy (Windows 10) +description: This topic discusses the steps required to test an AppLocker policy prior to deployment. +ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Test and update an AppLocker policy + + +**Applies to** + +- Windows 10 + +This topic discusses the steps required to test an AppLocker policy prior to deployment. + +You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. + +## Step 1: Enable the Audit only enforcement setting + + +By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + +## Step 2: Configure the Application Identity service to start automatically + + +Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. + +## Step 3: Test the policy + + +Test the AppLocker policy to determine if your rule collection needs to be modified. 
Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy. + +The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + +## Step 4: Analyze AppLocker events + + +You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. + +**To manually analyze AppLocker events** + +You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). + +**To analyze AppLocker events by using Get-AppLockerFileInformation** + +You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. + +For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. 
For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). + +After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names. + +## Step 5: Modify the AppLocker policy + + +After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). + +## Step 6: Repeat policy testing, analysis, and policy modification + + +Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement. + +## Additional resources + + +- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). + +  + +  + + + + + diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md new file mode 100644 index 0000000000..7b52b7889d --- /dev/null +++ b/windows/keep-secure/testing-scenarios-for-edp.md 
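Review bot: in Step 3 "present on all client PC that are configured" should be "client PCs"; in Step 5 "For info how to modify an AppLocker policy, see, [Edit an AppLocker policy]" needs "about" and the stray comma after "see" removed. Step 2 says the Application Identity service must be set to start automatically "in any one GPO that applies AppLocker rules"; since Step 3 then assumes the service is running on every computer that receives the policy, say that it must be configured in a GPO that applies to all of those computers. Step 4 links the same topic twice under two capitalizations, "Monitor application usage with AppLocker" and "Monitor Application Usage with AppLocker"; use one.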
@@ -0,0 +1,48 @@ +--- +title: Testing scenarios for enterprise data protection (EDP) (Windows 10) +description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 +keywords: ["EDP", "Enterprise Data Protection"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Testing scenarios for enterprise data protection (EDP) +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. + +## Testing scenarios +You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. + +|Scenario |Processes | +|---------|----------| +|Automatically encrypt files from enterprise apps |

  1. Start an unmodified (for example, EDP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the EDP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| +|Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not your **Protected Apps** list, you should get an **Access Denied** error message.

| +|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your **Protected Apps** list.

    The content should copy and paste between apps without any warning messages.

| +|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.

    You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your **Protected Apps** list.

    The content should move between the apps without any warning messages.

| +|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.

    You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your **Protected Apps** list.

    The content should share between the apps without any warning messages.

| +|Use the **Encrypt to** functionality |
  1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

    EDP should encrypt the file to your Enterprise Identity.

  2. Make sure that the newly encrypted file has a **Lock** icon.
  3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
  4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

    The file should be decrypted and the **Lock** icon should disappear.

| +|Verify that Windows system components can use EDP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.

| +|Use EDP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| +|Use EDP on NTFS systems |
  1. Start an app that uses the NTFS file system and appears on your **Protected Apps** list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| +|Unenroll client devices from EDP |
  • Unenroll a device from EDP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.

    The device should be removed and all of the enterprise content for that managed account should be gone.

    **Important**
    Unenrolling a device revokes and erases all of the enterprise data for the managed account.

| +|Verify that app content is protected when a Windows 10 Mobile phone is locked |
  • Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone
| + +  + +  + +  + + + + + diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md new file mode 100644 index 0000000000..bef26fd57a --- /dev/null +++ b/windows/keep-secure/tools-to-use-with-applocker.md 
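Review bot: Step 2 of "Block enterprise data from non-enterprise apps" is missing a word: "an app not your **Protected Apps** list" should read "an app not on your **Protected Apps** list". In the "Encrypt to" scenario, "click **Encrypt to** from the **Encrypt to** menu" is circular; the reader is meant to pick their enterprise identity from the **Encrypt to** submenu, so the step should name what to click. The FAT/exFAT and NTFS scenarios open with "Start an app that uses the FAT or exFAT file system"; apps do not use a file system, volumes are formatted with one, so the step should say "open a file stored on a FAT- or exFAT-formatted volume (such as a USB stick)" and likewise for NTFS, otherwise the two scenarios are identical apart from the file-system name. Step 3 of "Verify that Windows system components can use EDP" lacks its terminating period. Finally, because the "Unenroll client devices from EDP" scenario revokes and erases all enterprise data for the managed account, the table should tell testers to run it last; in the current order it destroys the encrypted test files the other scenarios depend on.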
@@ -0,0 +1,64 @@ +--- +title: Tools to use with AppLocker (Windows 10) +description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. +ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Tools to use with AppLocker + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the tools available to create and administer AppLocker policies. + +The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +- **AppLocker Local Security Policy MMC snap-in** + + The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md). + +- **Generate Default Rules tool** + + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + +- **Automatically Generate AppLocker Rules wizard** + + By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). 
+ +- **Group Policy** + + You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). + + If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. + +- **Remote Server Administration Tools (RSAT)** + + You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies. + +- **Event Viewer** + + The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + +- **AppLocker PowerShell cmdlets** + + The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md new file mode 100644 index 0000000000..13e2bd4415 --- /dev/null +++ b/windows/keep-secure/tpm-fundamentals.md 
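Review bot: The "Generate Default Rules tool" bullet describes the default rules only as making sure Windows can run, but it should warn that they are broad path rules (Everyone may run anything under the Windows and Program Files folders, and Administrators may run everything), so any user-writable subfolder under those paths becomes an execution path unless the rules are narrowed; a sentence telling readers to review and tighten the default rules before enforcing would head off the most common AppLocker misconfiguration. The "Event Viewer" bullet would also benefit from naming the log location (Applications and Services Logs > Microsoft > Windows > AppLocker), since at present it appears only in the linked topics. Minor: the "Remote Server Administration Tools (RSAT)" bullet should say which console RSAT supplies for this purpose (the GPMC) so it does not read as a restatement of the Group Policy bullet.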
@@ -0,0 +1,312 @@ +--- +title: TPM fundamentals (Windows 10) +description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. +ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# TPM fundamentals + + +**Applies to** + +- Windows 10 + +This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. + +A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. + +Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. + +You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. + +Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. 
This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. + +With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software. + +For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). 
+ +The following sections provide an overview of the technologies that support the TPM: + +- [TPM-based Virtual Smart Card](#bkmk-vsc) + +- [Measured Boot with support for attestation](#bkmk-measuredboot) + +- [Automated provisioning and management of the TPM](#bkmk-autoprov) + +- [TPM-based certificate storage](#bkmk-tpmcs) + +- [Physical presence interface](#bkmk-physicalpresenceinterface) + +- [TPM Cmdlets](#bkmk-tpmcmdlets) + +- [TPM Owner Authorization Value](#bkmk-authvalue) + +- [States of existence in a TPM](#bkmk-stateex) + +- [Endorsement keys](#bkmk-endorsementkeys) + +- [TPM Key Attestation](#bkmk-ketattestation) + +- [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates) + +- [How do I check the state of my TPM?](#bkmk-checkstate) + +- [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm) + +The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: + +[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) + +## Automated provisioning and management of the TPM + + +TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE). + +A number of management settings have been added for easier management and configuration of the TPM through Group Policy. 
The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +## Measured Boot with support for attestation + + +The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. + +## TPM-based Virtual Smart Card + + +The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. + +## TPM-based certificate storage + + +The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. 
The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx). + +## TPM Owner Authorization Value + + +For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. + +If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. 
If automatic locking is not used, then you should consider removing full owner authorization from the computer registry. + +**Registry information** + +Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM + +DWORD: OSManagedAuthLevel + + ++++ + + + + + + + + + + + + + + + + + + + + +
Value DataSetting

0

None

2

Delegated

4

Full

+ +  + +**Note**   +If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed. + +  + +## TPM Cmdlets + + +If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command: + +**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** + +For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + +## Physical presence interface + + +The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence: + +- Activating the TPM +- Clearing the existing owner information from the TPM without the owner’s password +- Deactivating the TPM +- Disabling the TPM temporarily without the owner’s password + +## States of existence in a TPM + + +For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive. + +These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StateDescription

Enabled

Most features of the TPM are available.

+

The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled

The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.

+

The TPM can be enabled and disabled multiple times within a start-up period.

Activated

Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.

Deactivated

Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.

Owned

Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Unowned

The TPM does not have a storage root key, and it may or may not have an endorsement key.

+ +  + +**Important**   +Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state. + +  + +The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled. + +## Endorsement keys + + +For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup. + +An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken. + +## Key attestation + + +TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. + +## How the TPM mitigates dictionary attacks + + +When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided. 
+ +TPMs have dictionary attack logic that is designed to prevent brute force attacks that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. + +Because many entities can use the TPM, a single authorization success cannot reset the TPM’s dictionary attack logic. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s dictionary attack logic. Generally TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. + +### TPM 2.0 dictionary attack behavior + +TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry. + +**Warning**   +For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions. + +  + +For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. 
+ +Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. + +Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. + +The dictionary attack logic for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. + +In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours. 
+ +TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. + +### Rationale behind the Windows 8.1 and Windows 8 defaults + +Windows relies on the TPM 2.0 dictionary attack protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios. + +For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments. + +The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: + +Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. + +Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. + +The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). 
If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. + +## How do I check the state of my TPM? + + +You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**. + +## What can I do if my TPM is in reduced functionality mode? + + +If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**. You can fix this by clearing the TPM. + +**To clear the TPM** + +1. Open the Trusted Platform Module snap-in (tpm.msc). + +2. Click **Clear TPM**, and then click **Restart.** + +3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM. + +4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10. + +**Note**   +Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. 
+ +  + +## Additional resources + + +[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) + +[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md) + +[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + +[Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md) + +[TPM WMI providers](http://go.microsoft.com/fwlink/p/?LinkId=93478) + +[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) + +  + +  + + + + + diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md new file mode 100644 index 0000000000..82168aa9c3 --- /dev/null +++ b/windows/keep-secure/tpm-recommendations.md 
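Review bot: In the lockout paragraph under "Rationale behind the Windows 8.1 and Windows 8 defaults", "they must to wait two hours" has a stray "to"; it should read "they must wait two hours or use some other credential to sign in, such as a user name and password". A few lines earlier, the virtual smart card paragraph announces "The following list shows the advantages of virtual smart cards:" but no list follows, only a prose paragraph, and that paragraph's last sentence, "The allowed number of authorization failures before the TPM enters lockout includes many factors", never says what the factors are; either turn the advantages into actual bullets or drop the "following list" lead-in, and name the factors or cut the sentence. Also, the state list under "How do I check the state of my TPM?" gives the reduced-functionality state as "Ready for use, with reduced functionality" while the next section quotes it as "The TPM is ready for use, with reduced functionality"; pick one form of the Status string and use it in both places.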
@@ -0,0 +1,317 @@ +--- +title: TPM recommendations (Windows 10) +description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. +ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# TPM recommendations + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 Technical Preview +- Windows 10 IoT Core (IoT Core) + +This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. + +## Overview + + +Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + +1. Generate, store, use, and protected cryptographic keys, +2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and +3. Help enhance platform integrity by taking and storing security measurements. + +The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. + +Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). + +**Note**   +Some information relates to pre-released product which may be substantially modified before it's commercially released. 
Microsoft makes no warranties, express or implied, with respect to the information provided here. + +  + +## TPM 1.2 vs. 2.0 comparison + + +From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0. As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. + +## Why TPM 2.0? + + +TPM 2.0 products and systems have important security advantages over TPM 1.2, including: + +- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. +- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. +- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. + - TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance. + - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). + - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. +- TPM 2.0 offers a more **consistent experience** across different implementations. + - TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary. + - TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end. 
+- While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a **discrete (dTPM)** silicon component and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on the system’s main SoC: + - On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE). + - For AMD chips, it is the AMD Security Processor + - For ARM chips, it is a Trustzone Trusted Application (TA). + - In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs. + +## Discrete or firmware TPM? + + +Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. + +From a security standpoint, discrete and firmware share the same characteristics; + +- Both use hardware based secure execution. +- Both use firmware for portions of the TPM functionality. +- Both are equipped with tamper resistance capabilities. +- Both have unique security limitations/risks. + +For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). + +## TPM 2.0 Compliance for Windows 10 in the future + + +All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 discrete or firmware from **July 28, 2016**. This requirement will be enforced through our Windows Hardware Certification program. + +### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) + +- With Windows 10 as with Windows 8, all connected standby systems are required to include TPM 2.0 support. +- For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM2.0, the device must ship with the fTPM FW support or a discrete TPM 1.2 or 2.0. +- Starting **July 28th, 2016** all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled. 
+ +### Windows 10 Mobile + +- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled. + +### IoT Core + +- TPM is optional on IoT Core. + +### Windows Server 2016 Technical Preview + +- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. + +## TPM and Windows Features + + +The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows FeaturesWindows 7/8/8.1 TPM 1.2Windows 10 TPM 1.2Windows 10 TPM 2.0Details
Measure BootRequiredRequiredRequiredMeasured boot requires TPM 1.2 or 2.0 and UEFI Secure boot.
BitlockerRequiredRequiredRequiredTPM 1.2 or later required or a removable USB memory device such as a flash drive.
Passport: Domain AADJ Joinn/aRequiredRequiredSupports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support.
Passport: MSA or Local Accountn/aNot RequiredRequiredTPM 2.0 is required with HMAC and EK certificate for key attestation support.
Device Encryptionn/aNot RequiredRequiredTPM 2.0 is required for all InstantGo devices.
Device Guard / Configurable Code Integrityn/aOptionalOptional
Credential Guardn/aRequiredRequiredFor Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.
Device Health Attestationn/aNot RequiredRequired
Windows Hellon/aNot RequiredNot Required
UEFI Secure BootNot RequiredNot RequiredNot Required
Platform Key Storage providern/aRequiredRequired
Virtual Smart Cardn/aRequiredRequired
Certificate storage (TPM bound)n/aRequiredRequired
+ +  + +## Chipset options for TPM 2.0 + + +There are a variety of TPM manufacturers for both discrete and firmware. + +### Discrete TPM + + +++ + + + + + + + + + + +
Supplier
    +
  • Infineon
  • +
  • Nuvoton
  • +
  • NationZ
  • +
  • ST Micro
  • +
+ +  + +### Firmware TPM + + ++++ + + + + + + + + + + + + + + + + + + + + +
SupplierChipset
AMD
    +
  • Mullins
  • +
  • Beema
  • +
  • Carrizo
  • +
Intel
    +
  • Clovertrail
  • +
  • Haswell
  • +
  • Broadwell
  • +
  • Skylake
  • +
  • Baytrail
  • +
Qualcomm
    +
  • MSM8994
  • +
  • MSM8992
  • +
  • MSM8952
  • +
  • MSM8909
  • +
  • MSM8208
  • +
+ +  + +## OEM Feedback and Status on TPM 2.0 system availability + + +### Certified TPM parts + +Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have targeted completion of certification by the end of 2015. + +### Windows 7 32-bit support + +Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support. + +  + +  + + + + + diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md new file mode 100644 index 0000000000..d0774c6bba --- /dev/null +++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md 
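Review bot: The "TPM 1.2 vs. 2.0 comparison" section says "As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM", but no comparison table follows; the next content is the "Why TPM 2.0?" bullet list, which covers algorithms, ISO standardization, lockout policy and packaging only, so either add the table or reword the sentence to refer to those bullets. In the Overview list, "Generate, store, use, and protected cryptographic keys" should read "protect". Smaller points in the same file: "Bitlocker" in the feature table should be "BitLocker" (as spelled elsewhere in this patch), "Measure Boot" should be "Measured Boot" to match its own Details cell, "Trustzone" is "TrustZone", "make exception to standard configurations" should be "make exceptions", and "From a security standpoint, discrete and firmware share the same characteristics;" should end with a colon since a list follows. The Discrete TPM table carries a "Supplier" heading but has no second column, unlike the Firmware TPM table that pairs supplier with chipset; a plain bulleted list would read better there.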
@@ -0,0 +1,3303 @@ +--- +title: Troubleshoot Windows Defender in Windows 10 (Windows 10) +description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. +ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Troubleshoot Windows Defender in Windows 10 + + +**Applies to** + +- Windows 10 + +IT professionals can review information about *event IDs* in Windows Defender for Windows 10 and see any relevant action they can take. + +## Windows Defender client *event IDs* + + +This section provides the following information about Windows Defender client events: + +- The text of the message as it appears in the event +- The name of the source of the message +- The symbolic name that identifies each message in the programming source code +- Additional information about the message + +Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**. + +**To view a Windows Defender client event** + +1. Open **Event Viewer**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. +3. Double-click on **Operational**. +4. In the details pane, view the list of individual events to find your event. +5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. + +You can find a complete list of the Microsoft antimalware *event IDs*, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event ID: 1000 +

Symbolic name:

+
+

MALWAREPROTECTION_SCAN_STARTED

+
+

Message:

+
+

An antimalware scan started. +

+
+

Description:

+
+

+

+
Scan ID: <ID number of the relevant scan.>
+
Scan Type: <Scan type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
+
+
Scan Parameters: <Scan parameters>, for example:
    +
  • Full scan
  • +
  • Quick scan
  • +
  • Customer scan
  • +
+
+
Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
+
User: <Domain>\<User>
+
+

+
Event ID: 1001 +

Symbolic name:

+
+

MALWAREPROTECTION_SCAN_COMPLETED

+
+

Message:

+
+

An antimalware scan finished.

+
+

Description:

+
+

+

+
Scan ID: <ID number of the relevant scan.>
+
Scan Type: <Scan type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
+
+
Scan Parameters: <Scan parameters>, for example:
    +
  • Full scan
  • +
  • Quick scan
  • +
  • Customer scan
  • +
+
+
User: <Domain>\<User>
+
Scan Time: <The duration of a scan.>
+
+

+
Event ID: 1002 +

Symbolic name:

+
+

MALWAREPROTECTION_SCAN_CANCELLED +

+
+

Message:

+
+

An antimalware scan was stopped before it finished. +

+
+

Description:

+
+

+

+
Scan ID: <ID number of the relevant scan.>
+
Scan Type: <Scan type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
+
+
Scan Parameters: <Scan parameters>, for example:
    +
  • Full scan
  • +
  • Quick scan
  • +
  • Customer scan
  • +
+
+
User: <Domain>\<User>
+
Scan Time: <The duration of a scan.>
+
+

+
Event ID: 1003 +

Symbolic name:

+
+

MALWAREPROTECTION_SCAN_PAUSED +

+
+

Message:

+
+

An antimalware scan was paused. +

+
+

Description:

+
+

+

+
Scan ID: <ID number of the relevant scan.>
+
Scan Type: <Scan type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
+
+
Scan Parameters: <Scan parameters>, for example:
    +
  • Full scan
  • +
  • Quick scan
  • +
  • Customer scan
  • +
+
+
User: <Domain>\<User>
+
+

+
Event ID: 1004 +

Symbolic name:

+
+

MALWAREPROTECTION_SCAN_RESUMED +

+
+

Message:

+
+

An antimalware scan was resumed. +

+
+

Description:

+
+

+

+
Scan ID: <ID number of the relevant scan.>
+
Scan Type: <Scan type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
+
+
Scan Parameters: <Scan parameters>, for example:
    +
  • Full scan
  • +
  • Quick scan
  • +
  • Customer scan
  • +
+
+
User: <Domain>\<User>
+
+

+
Event ID: 1005 +

Symbolic name:

+
+

MALWAREPROTECTION_SCAN_FAILED +

+
+

Message:

+
+

An antimalware scan failed. +

+
+

Description:

+
+

+

+
Scan ID: <ID number of the relevant scan.>
+
Scan Type: <Scan type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
+
+
Scan Parameters: <Scan parameters>, for example:
    +
  • Full scan
  • +
  • Quick scan
  • +
  • Customer scan
  • +
+
+
User: <Domain>\<User>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
+

User action:

+
+

The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. + +

+

To troubleshoot this event: +

    +
  1. Run the scan again.
  2. +
  3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  4. +
  5. Contact Microsoft Technical Support. +
  6. +
+

+
Event ID: 1006 +

Symbolic name:

+
+

MALWAREPROTECTION_MALWARE_DETECTED +

+
+

Message:

+
+

The antimalware engine found malware or other potentially unwanted software. +

+
+

Description:

+
+

+

For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Detection Origin: <Detection origin>, for example:
    +
  • Unknown
  • +
  • Local computer
  • +
  • Network share
  • +
  • Internet
  • +
  • Incoming traffic
  • +
  • Outgoing traffic
  • +
+
+
Detection Type: <Detection type>, for example:
    +
  • Heuristics
  • +
  • Generic
  • +
  • Concrete
  • +
  • Dynamic signature
  • +
+
+
Detection Source: <Detection source> for example:
    +
  • User: user initiated
  • +
  • System: system initiated
  • +
  • Real-time: real-time component initiated
  • +
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • +
  • NIS: Network inspection system
  • +
  • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  • +
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • +
  • Remote attestation
  • +
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
+
Status: <Status>
+
User: <Domain>\<User>
+
Process Name: <Process in the PID>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1007 +

Symbolic name:

+
+

MALWAREPROTECTION_MALWARE_ACTION_TAKEN +

+
+

Message:

+
+

The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +

+
+

Description:

+
+

+

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

+
+
User: <Domain>\<User>
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Action: <Action>, for example:
    +
  • Clean: The resource was cleaned
  • +
  • Quarantine: The resource was quarantined
  • +
  • Remove: The resource was deleted
  • +
  • Allow: The resource was allowed to execute/exist
  • +
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • No action: No action
  • +
  • Block: The resource was blocked from executing
  • +
+
+
Status: <Status>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1008 +

Symbolic name:

+
+

MALWAREPROTECTION_MALWARE_ACTION_FAILED

+
+

Message:

+
+

The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

+
+

Description:

+
+

+

Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

+
+
User: <Domain>\<User>
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Action: <Action>, for example:
    +
  • Clean: The resource was cleaned
  • +
  • Quarantine: The resource was quarantined
  • +
  • Remove: The resource was deleted
  • +
  • Allow: The resource was allowed to execute/exist
  • +
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • No action: No action
  • +
  • Block: The resource was blocked from executing
  • +
+
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Status: <Status>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1009 +

Symbolic name:

+
+

MALWAREPROTECTION_QUARANTINE_RESTORE +

+
+

Message:

+
+

The antimalware platform restored an item from quarantine. +

+
+

Description:

+
+

+

Windows Defender has restored an item from quarantine. For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
User: <Domain>\<User>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1010 +

Symbolic name:

+
+

MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED +

+
+

Message:

+
+

The antimalware platform could not restore an item from quarantine. +

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
User: <Domain>\<User>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1011 +

Symbolic name:

+
+

MALWAREPROTECTION_QUARANTINE_DELETE

+
+

Message:

+
+

The antimalware platform deleted an item from quarantine. +

+
+

Description:

+
+

+

Windows Defender has deleted an item from quarantine. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
User: <Domain>\<User>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1012 +

Symbolic name:

+
+

MALWAREPROTECTION_QUARANTINE_DELETE_FAILED +

+
+

Message:

+
+

The antimalware platform could not delete an item from quarantine.

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to delete an item from quarantine. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
User: <Domain>\<User>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
Event ID: 1013 +

Symbolic name:

+
+

MALWAREPROTECTION_MALWARE_HISTORY_DELETE +

+
+

Message:

+
+

The antimalware platform deleted history of malware and other potentially unwanted software.

+
+

Description:

+
+

+

Windows Defender has removed history of malware and other potentially unwanted software.

+
+
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
+
User: <Domain>\<User>
+
+

+
Event ID: 1014 +

Symbolic name:

+
+

MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED +

+
+

Message:

+
+

The antimalware platform could not delete history of malware and other potentially unwanted software.

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

+
+
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
+
User: <Domain>\<User>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
Event ID: 1015 +

Symbolic name:

+
+

MALWAREPROTECTION_BEHAVIOR_DETECTED +

+
+

Message:

+
+

The antimalware platform detected suspicious behavior.

+
+

Description:

+
+

+

Windows Defender has detected a suspicious behavior. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Detection Origin: <Detection origin>, for example: +
    +
  • Unknown
  • +
  • Local computer
  • +
  • Network share
  • +
  • Internet
  • +
  • Incoming traffic
  • +
  • Outgoing traffic
  • +
+
+
Detection Type: <Detection type>, for example:
    +
  • Heuristics
  • +
  • Generic
  • +
  • Concrete
  • +
  • Dynamic signature
  • +
+
+
Detection Source: <Detection source> for example:
    +
  • User: user initiated
  • +
  • System: system initiated
  • +
  • Real-time: real-time component initiated
  • +
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • +
  • NIS: Network inspection system
  • +
  • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  • +
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • +
  • Remote attestation
  • +
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
+
Status: <Status>
+
User: <Domain>\<User>
+
Process Name: <Process in the PID>
+
Signature ID: Enumeration matching severity.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
Fidelity Label:
+
Target File Name: <File name> +Name of the file.
+
+

+
Event ID: 1116 +

Symbolic name:

+
+

MALWAREPROTECTION_STATE_MALWARE_DETECTED

+
+

Message:

+
+

The antimalware platform detected malware or other potentially unwanted software. +

+
+

Description:

+
+

+

Windows Defender has detected malware or other potentially unwanted software. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Detection Origin: <Detection origin>, for example: +
    +
  • Unknown
  • +
  • Local computer
  • +
  • Network share
  • +
  • Internet
  • +
  • Incoming traffic
  • +
  • Outgoing traffic
  • +
+
+
Detection Type: <Detection type>, for example:
    +
  • Heuristics
  • +
  • Generic
  • +
  • Concrete
  • +
  • Dynamic signature
  • +
+
+
Detection Source: <Detection source> for example:
    +
  • User: user initiated
  • +
  • System: system initiated
  • +
  • Real-time: real-time component initiated
  • +
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • +
  • NIS: Network inspection system
  • +
  • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  • +
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • +
  • Remote attestation
  • +
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
+
User: <Domain>\<User>
+
Process Name: <Process in the PID>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
+

User action:

+
+

No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.

+
Event ID: 1117 +

Symbolic name:

+
+

MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN +

+
+

Message:

+
+

The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +

+
+

Description:

+
+

+

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Detection Origin: <Detection origin>, for example: +
    +
  • Unknown
  • +
  • Local computer
  • +
  • Network share
  • +
  • Internet
  • +
  • Incoming traffic
  • +
  • Outgoing traffic
  • +
+
+
Detection Type: <Detection type>, for example:
    +
  • Heuristics
  • +
  • Generic
  • +
  • Concrete
  • +
  • Dynamic signature
  • +
+
+
Detection Source: <Detection source> for example:
    +
  • User: user initiated
  • +
  • System: system initiated
  • +
  • Real-time: real-time component initiated
  • +
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • +
  • NIS: Network inspection system
  • +
  • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  • +
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • +
  • Remote attestation
  • +
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
+
User: <Domain>\<User>
+
Process Name: <Process in the PID>
+
Action: <Action>, for example:
    +
  • Clean: The resource was cleaned
  • +
  • Quarantine: The resource was quarantined
  • +
  • Remove: The resource was deleted
  • +
  • Allow: The resource was allowed to execute/exist
  • +
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • No action: No action
  • +
  • Block: The resource was blocked from executing
  • +
+
+
Action Status: <Description of additional actions>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
+

User action:

+
+

No action is necessary. Windows Defender removed or quarantined a threat.

+
Event ID: 1118 +

Symbolic name:

+
+

MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

+
+

Message:

+
+

The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. +

+
+

Description:

+
+

+

Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Detection Origin: <Detection origin>, for example: +
    +
  • Unknown
  • +
  • Local computer
  • +
  • Network share
  • +
  • Internet
  • +
  • Incoming traffic
  • +
  • Outgoing traffic
  • +
+
+
Detection Type: <Detection type>, for example:
    +
  • Heuristics
  • +
  • Generic
  • +
  • Concrete
  • +
  • Dynamic signature
  • +
+
+
Detection Source: <Detection source> for example:
    +
  • User: user initiated
  • +
  • System: system initiated
  • +
  • Real-time: real-time component initiated
  • +
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • +
  • NIS: Network inspection system
  • +
  • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  • +
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • +
  • Remote attestation
  • +
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
+
User: <Domain>\<User>
+
Process Name: <Process in the PID>
+
Action: <Action>, for example:
    +
  • Clean: The resource was cleaned
  • +
  • Quarantine: The resource was quarantined
  • +
  • Remove: The resource was deleted
  • +
  • Allow: The resource was allowed to execute/exist
  • +
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • No action: No action
  • +
  • Block: The resource was blocked from executing
  • +
+
+
Action Status: <Description of additional actions>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
+

User action:

+
+

No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.

+
Event ID: 1119 +

Symbolic name:

+
+

MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED +

+
+

Message:

+
+

The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

+
+

Description:

+
+

+

Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:

+
+
Name: <Threat name>
+
ID: <Threat ID>
+
Severity: <Severity>, for example:
    +
  • Low
  • +
  • Moderate
  • +
  • High
  • +
  • Severe
  • +
+
+
Category: <Category description>, for example, any threat or malware type.
+
Path: <File path>
+
Detection Origin: <Detection origin>, for example: +
    +
  • Unknown
  • +
  • Local computer
  • +
  • Network share
  • +
  • Internet
  • +
  • Incoming traffic
  • +
  • Outgoing traffic
  • +
+
+
Detection Type: <Detection type>, for example:
    +
  • Heuristics
  • +
  • Generic
  • +
  • Concrete
  • +
  • Dynamic signature
  • +
+
+
Detection Source: <Detection source> for example:
    +
  • User: user initiated
  • +
  • System: system initiated
  • +
  • Real-time: real-time component initiated
  • +
  • IOAV: IE Downloads and Outlook Express Attachments initiated
  • +
  • NIS: Network inspection system
  • +
  • IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  • +
  • Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  • +
  • Remote attestation
  • +
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. +UAC
+
User: <Domain>\<User>
+
Process Name: <Process in the PID>
+
Action: <Action>, for example:
    +
  • Clean: The resource was cleaned
  • +
  • Quarantine: The resource was quarantined
  • +
  • Remove: The resource was deleted
  • +
  • Allow: The resource was allowed to execute/exist
  • +
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • No action: No action
  • +
  • Block: The resource was blocked from executing
  • +
+
+
Action Status: <Description of additional actions>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
+

User action:

+
+

The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

+ + + + + + + + + + + + + + + + + + + + + +
ActionUser action
+

Remove

+
+

Update the definitions then verify that the removal was successful.

+
+

Clean

+
+

Update the definitions then verify that the remediation was successful.

+
+

Quarantine

+
+

Update the definitions and verify that the user has permission to access the necessary resources.

+
+

Allow

+
+

Verify that the user has permission to access the necessary resources.

+
+

 

+

If this event persists:

    +
  1. Run the scan again.
  2. +
  3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  4. +
  5. Contact Microsoft Technical Support. +
  6. +
+

+
Event ID: 1120 +

Symbolic name:

+
+

MALWAREPROTECTION_THREAT_HASH

+
+

Message:

+
+

Windows Defender has deduced the hashes for a threat resource.

+
+

Description:

+
+

+

Windows Defender client is up and running in a healthy state.

+
+
Current Platform Version: <Current platform version>
+
Threat Resource Path: <Path>
+
Hashes: <Hashes>
+
+

+
+
Note  This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
+
 
+
Event ID: 1150 +

Symbolic name:

+
+

MALWAREPROTECTION_SERVICE_HEALTHY

+
+

Message:

+
+

If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. +

+
+

Description:

+
+

+

Windows Defender client is up and running in a healthy state.

+
+
Platform Version: <Current platform version>
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware Engine version>
+
+

+
+

User action:

+
+

No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.

+
Event ID: 2000 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_UPDATED +

+
+

Message:

+
+

The antimalware definitions updated successfully. +

+
+

Description:

+
+

+

Windows Defender signature version has been updated.

+
+
Current Signature Version: <Current signature version>
+
Previous Signature Version: <Previous signature version>
+
Signature Type: <Signature type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
  • Network Inspection System
  • +
+
+
Update Type: <Update type>, either Full or Delta.
+
User: <Domain>\<User>
+
Current Engine Version: <Current engine version>
+
Previous Engine Version: <Previous engine version>
+
+

+
+

User action:

+
+

No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.

+
Event ID: 2001 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

+
+

Message:

+
+

The antimalware definition update failed. +

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to update signatures.

+
+
New Signature Version: <New version number>
+
Previous Signature Version: <Previous signature version>
+
Update Source: <Update source>, for example: +
    +
  • Signature update folder
  • +
  • Internal definition update server
  • +
  • Microsoft Update Server
  • +
  • File share
  • +
  • Microsoft Malware Protection Center (MMPC)
  • +
+
+
Update Stage: <Update stage>, for example: +
    +
  • Search
  • +
  • Download
  • +
  • Install
  • +
+
+
Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
+
Signature Type: <Signature type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
  • Network Inspection System
  • +
+
+
Update Type: <Update type>, either Full or Delta.
+
User: <Domain>\<User>
+
Current Engine Version: <Current engine version>
+
Previous Engine Version: <Previous engine version>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
+

User action:

+
+

This error occurs when there is a problem updating definitions.

+

To troubleshoot this event: +

    +
  1. Update the definitions. Either:
      +
    1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

      Or,

      +
    2. +
    3. Download the latest definitions from the Microsoft Malware Protection Center. + +

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

      +
    4. +
    +
  2. +
  3. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
  4. +
  5. Contact Microsoft Technical Support. +
  6. +
+

+
Event ID: 2002 +

Symbolic name:

+
+

MALWAREPROTECTION_ENGINE_UPDATED

+
+

Message:

+
+

The antimalware engine updated successfully. +

+
+

Description:

+
+

+

Windows Defender engine version has been updated.

+
+
Current Engine Version: <Current engine version>
+
Previous Engine Version: <Previous engine version>
+
Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
+
User: <Domain>\<User>
+
+

+
+

User action:

+
+

No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

+
Event ID: 2003 +

Symbolic name:

+
+

MALWAREPROTECTION_ENGINE_UPDATE_FAILED

+
+

Message:

+
+

The antimalware engine update failed. +

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to update the engine.

+
+
New Engine Version:
+
Previous Engine Version: <Previous engine version>
+
Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
+
User: <Domain>\<User>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
+

User action:

+
+

The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

+

To troubleshoot this event: +

    +
  1. Update the definitions. Either:
      +
    1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

      Or,

      +
    2. +
    3. Download the latest definitions from the Microsoft Malware Protection Center. + +

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

      +
    4. +
    +
  2. +
  3. Contact Microsoft Technical Support. +
  4. +
+

+
Event ID: 2004 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_REVERSION

+
+

Message:

+
+

There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

+
+
Signatures Attempted:
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Signature Version: <Definition version>
+
Engine Version: <Antimalware engine version>
+
+

+
+

User action:

+
+

The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.

+

To troubleshoot this event: +

    +
  1. Restart the computer and try again.
  2. +
  3. Download the latest definitions from the Microsoft Malware Protection Center. + +

    Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

    +
  4. +
  5. Contact Microsoft Technical Support. +
  6. +
+

+
Event ID: 2005 +

Symbolic name:

+
+

MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

+
+

Message:

+
+

The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

+
+

Description:

+
+

+

Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.

+
+
Current Platform Version: <Current platform version>
+
+

+
Event ID: 2006 +

Symbolic name:

+
+

MALWAREPROTECTION_PLATFORM_UPDATE_FAILED +

+
+

Message:

+
+

The platform update failed. +

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to update the platform.

+
+
Current Platform Version: <Current platform version>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
Event ID: 2007 +

Symbolic name:

+
+

MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

+
+

Message:

+
+

The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

+
+

Description:

+
+

+

Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.

+
+
Current Platform Version: <Current platform version>
+
+

+
Event ID: 2010 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED +

+
+

Message:

+
+

The antimalware engine used the Dynamic Signature Service to get additional definitions. +

+
+

Description:

+
+

+

Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

+
+
Current Signature Version: <Current signature version>
+
Signature Type: <Signature type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
  • Network Inspection System
  • +
+
+
Current Engine Version: <Current engine version>
+
Dynamic Signature Type: <Dynamic signature type>, for example: +
    +
  • Version
  • +
  • Timestamp
  • +
  • No limit
  • +
  • Duration
  • +
+
+
Persistence Path: <Path>
+
Dynamic Signature Version: <Version number>
+
Dynamic Signature Compilation Timestamp: <Timestamp>
+
Persistence Limit Type: <Persistence limit type>, for example: +
    +
  • VDM version
  • +
  • Timestamp
  • +
  • No limit
  • +
+
+
Persistence Limit: Persistence limit of the fastpath signature.
+
+

+
Event ID: 2011 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED +

+
+

Message:

+
+

The Dynamic Signature Service deleted the out-of-date dynamic definitions. +

+
+

Description:

+
+

+

Windows Defender used Dynamic Signature Service to discard obsolete signatures.

+
+
Current Signature Version: <Current signature version>
+
Signature Type: <Signature type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
  • Network Inspection System
  • +
+
+
Current Engine Version: <Current engine version>
+
Dynamic Signature Type: <Dynamic signature type>, for example: +
    +
  • Version
  • +
  • Timestamp
  • +
  • No limit
  • +
  • Duration
  • +
+
+
Persistence Path: <Path>
+
Dynamic Signature Version: <Version number>
+
Dynamic Signature Compilation Timestamp: <Timestamp>
+
Removal Reason:
+
Persistence Limit Type: <Persistence limit type>, for example: +
    +
  • VDM version
  • +
  • Timestamp
  • +
  • No limit
  • +
+
+
Persistence Limit: Persistence limit of the fastpath signature.
+
+

+
+

User action:

+
+

No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

+
Event ID: 2012 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED +

+
+

Message:

+
+

The antimalware engine encountered an error when trying to use the Dynamic Signature Service. +

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to use Dynamic Signature Service.

+
+
Current Signature Version: <Current signature version>
+
Signature Type: <Signature type>, for example:
    +
  • Antivirus
  • +
  • Antispyware
  • +
  • Antimalware
  • +
  • Network Inspection System
  • +
+
+
Current Engine Version: <Current engine version>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Dynamic Signature Type: <Dynamic signature type>, for example: +
    +
  • Version
  • +
  • Timestamp
  • +
  • No limit
  • +
  • Duration
  • +
+
+
Persistence Path: <Path>
+
Dynamic Signature Version: <Version number>
+
Dynamic Signature Compilation Timestamp: <Timestamp>
+
Persistence Limit Type: <Persistence limit type>, for example: +
    +
  • VDM version
  • +
  • Timestamp
  • +
  • No limit
  • +
+
+
Persistence Limit: Persistence limit of the fastpath signature.
+
+

+
+

User action:

+
+

Check your Internet connectivity settings.

+
Event ID: 2013 +

Symbolic name:

+
+

MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL +

+
+

Message:

+
+

The Dynamic Signature Service deleted all dynamic definitions. +

+
+

Description:

+
+

+

Windows Defender discarded all Dynamic Signature Service signatures.

+
+
Current Signature Version: <Current signature version>
+
+

+
Event ID: 2020 +

Symbolic name:

+
+

MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED +

+
+

Message:

+
+

The antimalware engine downloaded a clean file. +

+
+

Description:

+
+

+

Windows Defender downloaded a clean file.

+
+
Filename: <File name> +Name of the file.
+
Current Signature Version: <Current signature version>
+
Current Engine Version: <Current engine version>
+
+

+
Event ID: 2021 +

Symbolic name:

+
+

MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

+
+

Message:

+
+

The antimalware engine failed to download a clean file. +

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to download a clean file.

+
+
Filename: <File name> +Name of the file.
+
Current Signature Version: <Current signature version>
+
Current Engine Version: <Current engine version>
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
+

User action:

+
+

Check your Internet connectivity settings. +

+

The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. +

+
Event ID: 2030 +

Symbolic name:

+
+

MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

+
+

Message:

+
+

The antimalware engine was downloaded and is configured to run offline on the next system restart.

+
+

Description:

+
+

Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.

+
Event ID: 2031 +

Symbolic name:

+
+

MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED +

+
+

Message:

+
+

The antimalware engine was unable to download and configure an offline scan.

+
+

Description:

+
+

+

Windows Defender has encountered an error trying to download and configure Windows Defender Offline.

+
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
Event ID: 2040 +

Symbolic name:

+
+

MALWAREPROTECTION_OS_EXPIRING +

+
+

Message:

+
+

Antimalware support for this operating system version will soon end. +

+
+

Description:

+
+

The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

+
Event ID: 2041 +

Symbolic name:

+
+

MALWAREPROTECTION_OS_EOL +

+
+

Message:

+
+

Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. +

+
+

Description:

+
+

The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

+
Event ID: 2042 +

Symbolic name:

+
+

MALWAREPROTECTION_PROTECTION_EOL +

+
+

Message:

+
+

The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. +

+
+

Description:

+
+

The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

+
Event ID: 3002 +

Symbolic name:

+
+

MALWAREPROTECTION_RTP_FEATURE_FAILURE +

+
+

Message:

+
+

Real-time protection encountered an error and failed.

+
+

Description:

+
+

+

Windows Defender Real-Time Protection feature has encountered an error and failed.

+
+
Feature: <Feature>, for example: +
    +
  • On Access
  • +
  • Internet Explorer downloads and Microsoft Outlook Express attachments
  • +
  • Behavior monitoring
  • +
  • Network Inspection System
  • +
+
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
Reason: The reason Windows Defender real-time protection has restarted a feature.
+
+

+
+

User action:

+
+

You should restart the system then run a full scan because it’s possible the system was not protected for some time. +

+

The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. +

+

If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. +

+
Event ID: 3007 +

Symbolic name:

+
+

MALWAREPROTECTION_RTP_FEATURE_RECOVERED

+
+

Message:

+
+

Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. +

+
+

Description:

+
+

+

Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

+
+
Feature: <Feature>, for example: +
    +
  • On Access
  • +
  • IE downloads and Outlook Express attachments
  • +
  • Behavior monitoring
  • +
  • Network Inspection System
  • +
+
+
Reason: The reason Windows Defender real-time protection has restarted a feature.
+
+

+
+

User action:

+
+

The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

+
Event ID: 5000 +

Symbolic name:

+
+

MALWAREPROTECTION_RTP_ENABLED +

+
+

Message:

+
+

Real-time protection is enabled. +

+
+

Description:

+
+

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.

+
Event ID: 5001 +

Symbolic name:

+
+

MALWAREPROTECTION_RTP_DISABLED

+
+

Message:

+
+

Real-time protection is disabled. +

+
+

Description:

+
+

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

+
Event ID: 5004 +

Symbolic name:

+
+

MALWAREPROTECTION_RTP_FEATURE_CONFIGURED +

+
+

Message:

+
+

The real-time protection configuration changed. +

+
+

Description:

+
+

+

Windows Defender Real-time Protection feature configuration has changed.

+
+
Feature: <Feature>, for example: +
    +
  • On Access
  • +
  • IE downloads and Outlook Express attachments
  • +
  • Behavior monitoring
  • +
  • Network Inspection System
  • +
+
+
Configuration:
+
+

+
Event ID: 5007 +

Symbolic name:

+
+

MALWAREPROTECTION_CONFIG_CHANGED +

+
+

Message:

+
+

The antimalware platform configuration changed.

+
+

Description:

+
+

+

Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

+
+
Old value: <Old value number> +Old Windows Defender configuration value.
+
New value: <New value number> +New Windows Defender configuration value.
+
+

+
Event ID: 5008 +

Symbolic name:

+
+

MALWAREPROTECTION_ENGINE_FAILURE

+
+

Message:

+
+

The antimalware engine encountered an error and failed.

+
+

Description:

+
+

+

Windows Defender engine has been terminated due to an unexpected error.

+
+
Failure Type: <Failure type>, for example: +Crash +or Hang
+
Exception Code: <Error code>
+
Resource: <Resource>
+
+

+
+

User action:

+
+

To troubleshoot this event:

    +
  1. Try to restart the service.
      +
    • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
    • +
    • For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file. + + + +
    • +
    +
  2. +
  3. If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
  4. +
+

+
+

User action:

+
+

The Windows Defender client engine stopped due to an unexpected error.

+

To troubleshoot this event: +

    +
  1. Run the scan again.
  2. +
  3. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  4. +
  5. Contact Microsoft Technical Support. +
  6. +
+

+
Event ID: 5009 +

Symbolic name:

+
+

MALWAREPROTECTION_ANTISPYWARE_ENABLED +

+
+

Message:

+
+

Scanning for malware and other potentially unwanted software is enabled. +

+
+

Description:

+
+

Windows Defender scanning for malware and other potentially unwanted software has been enabled.

+
Event ID: 5010 +

Symbolic name:

+
+

MALWAREPROTECTION_ANTISPYWARE_DISABLED +

+
+

Message:

+
+

Scanning for malware and other potentially unwanted software is disabled.

+
+

Description:

+
+

Windows Defender scanning for malware and other potentially unwanted software is disabled.

+
Event ID: 5011 +

Symbolic name:

+
+

MALWAREPROTECTION_ANTIVIRUS_ENABLED

+
+

Message:

+
+

Scanning for viruses is enabled.

+
+

Description:

+
+

Windows Defender scanning for viruses has been enabled.

+
Event ID: 5012 +

Symbolic name:

+
+

MALWAREPROTECTION_ANTIVIRUS_DISABLED +

+
+

Message:

+
+

Scanning for viruses is disabled. +

+
+

Description:

+
+

Windows Defender scanning for viruses is disabled.

+
Event ID: 5100 +

Symbolic name:

+
+

MALWAREPROTECTION_EXPIRATION_WARNING_STATE +

+
+

Message:

+
+

The antimalware platform will expire soon. +

+
+

Description:

+
+

+

Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

+
+
Expiration Reason: The reason Windows Defender will expire.
+
Expiration Date: The date Windows Defender will expire.
+
+

+
Event ID: 5101 +

Symbolic name:

+
+

MALWAREPROTECTION_DISABLED_EXPIRED_STATE +

+
+

Message:

+
+

The antimalware platform is expired. +

+
+

Description::

+
+

+

Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

+
+
Expiration Reason:
+
Expiration Date:
+
Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values.
+
Error Description: <Error description> +Description of the error.
+
+

+
+ +## Windows Defender client error codes + + +If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. + +This section provides the following information about Windows Defender client errors. + +- The error code +- The possible reason for the error +- Advice on what to do now + +Use the information in these tables to help troubleshoot Windows Defender error codes. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
External error codes
Error codeMessage displayedPossible reason for errorWhat to do now
+

0x80508007 +

+
+

ERR_MP_NO_MEMORY +

+
+

This error indicates that you might have run out of memory. +

+
+

+

    +
  1. Check the available memory on your device.
  2. +
  3. Close any unused applications that are running to free up memory on your device.
  4. +
  5. Restart the device and run the scan again. +
  6. +
+

+
+

0x8050800C

+
+

ERR_MP_BAD_INPUT_DATA

+
+

This error indicates that there might be a problem with your security product.

+
+

+

    +
  1. Update the definitions. Either:
      +
    1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

      Or,

      +
    2. +
    3. Download the latest definitions from the Microsoft Malware Protection Center. + +

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

      +
    4. +
    +
  2. +
  3. Run a full scan. +
  4. +
  5. Restart the device and try again.
  6. +
+

+
+

0x80508020

+
+

ERR_MP_BAD_CONFIGURATION +

+
+

This error indicates that there might be an engine configuration error; commonly, this is related to input +data that does not allow the engine to function properly. +

+
+

0x805080211 +

+
+

ERR_MP_QUARANTINE_FAILED +

+
+

This error indicates that Windows Defender failed to quarantine a threat. +

+
+

0x80508022 +

+
+

ERR_MP_REBOOT_REQUIRED +

+
+

This error indicates that a reboot is required to complete threat removal. +

+
+

0x80508023 +

+
+

ERR_MP_THREAT_NOT_FOUND +

+
+

This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. +

+
+

Run the Microsoft Safety Scanner then update your security software and try again. +

+
+

ERR_MP_FULL_SCAN_REQUIRED +

+
+

This error indicates that a full system scan might be required. +

+
+

Run a full system scan. +

+
+

0x80508024 +

+
+

0x80508025 +

+
+

ERR_MP_MANUAL_STEPS_REQUIRED +

+
+

This error indicates that manual steps are required to complete threat removal. +

+
+

Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. +

+
+

0x80508026 +

+
+

ERR_MP_REMOVE_NOT_SUPPORTED +

+
+

This error indicates that removal inside the container type might not be not supported. +

+
+

Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. +

+
+

0x80508027 +

+
+

ERR_MP_REMOVE_LOW_MEDIUM_DISABLED +

+
+

This error indicates that removal of low and medium threats might be disabled. +

+
+

Check the detected threats and resolve them as required. +

+
+

0x80508029 +

+
+

ERROR_MP_RESCAN_REQUIRED +

+
+

This error indicates a rescan of the threat is required. +

+
+

Run a full system scan. +

+
+

0x80508030 +

+
+

ERROR_MP_CALLISTO_REQUIRED +

+
+

This error indicates that an offline scan is required. +

+
+

Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline +article.

+
+

0x80508031 +

+
+

ERROR_MP_PLATFORM_OUTDATED +

+
+

This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. +

+
+

You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. +

+
+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Internal error codes
Error codeMessage displayedPossible reason for errorWhat to do now
+

0x80501004

+
+

ERROR_MP_NO_INTERNET_CONN +

+
+

Check your Internet connection, then run the scan again.

+
+

Check your Internet connection, then run the scan again.

+
+

0x80501000

+
+

ERROR_MP_UI_CONSOLIDATION_BASE

+
+

This is an internal error. The cause is not clearly defined.

+
+

+

    +
  1. Update the definitions. Either:
      +
    1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

      Or,

      +
    2. +
    3. Download the latest definitions from the Microsoft Malware Protection Center. + +

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

      +
    4. +
    +
  2. +
  3. Run a full scan. +
  4. +
  5. Restart the device and try again.
  6. +
+

+
+

0x80501001

+
+

ERROR_MP_ACTIONS_FAILED

+
+

0x80501002

+
+

ERROR_MP_NOENGINE

+
+

0x80501003

+
+

ERROR_MP_ACTIVE_THREATS

+
+

0x805011011

+
+

MP_ERROR_CODE_LUA_CANCELLED

+
+

0x80501101

+
+

ERROR_LUA_CANCELLATION

+
+

0x80501102

+
+

MP_ERROR_CODE_ALREADY_SHUTDOWN

+
+

0x80501103

+
+

MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

+
+

0x80501104

+
+

MP_ERROR_CODE_CANCELLED

+
+

0x80501105

+
+

MP_ERROR_CODE_NO_TARGETOS

+
+

0x80501106

+
+

MP_ERROR_CODE_BAD_REGEXP

+
+

0x80501107

+
+

MP_ERROR_TEST_INDUCED_ERROR

+
+

0x80501108

+
+

MP_ERROR_SIG_BACKUP_DISABLED

+
+

0x80508001

+
+

ERR_MP_BAD_INIT_MODULES

+
+

0x80508002

+
+

ERR_MP_BAD_DATABASE

+
+

0x80508004

+
+

ERR_MP_BAD_UFS

+
+

0x8050800C

+
+

ERR_MP_BAD_INPUT_DATA

+
+

0x8050800D

+
+

ERR_MP_BAD_GLOBAL_STORAGE

+
+

0x8050800E

+
+

ERR_MP_OBSOLETE

+
+

0x8050800F

+
+

ERR_MP_NOT_SUPPORTED

+
+

0x8050800F +0x80508010 +

+
+

ERR_MP_NO_MORE_ITEMS

+
+

0x80508011

+
+

ERR_MP_DUPLICATE_SCANID

+
+

0x80508012

+
+

ERR_MP_BAD_SCANID

+
+

0x80508013

+
+

ERR_MP_BAD_USERDB_VERSION

+
+

0x80508014

+
+

ERR_MP_RESTORE_FAILED

+
+

0x80508016

+
+

ERR_MP_BAD_ACTION

+
+

0x80508019

+
+

ERR_MP_NOT_FOUND

+
+

0x80509001

+
+

ERR_RELO_BAD_EHANDLE

+
+

0x80509003

+
+

ERR_RELO_KERNEL_NOT_LOADED

+
+

0x8050A001

+
+

ERR_MP_BADDB_OPEN

+
+

0x8050A002

+
+

ERR_MP_BADDB_HEADER

+
+

0x8050A003

+
+

ERR_MP_BADDB_OLDENGINE

+
+

0x8050A004

+
+

ERR_MP_BADDB_CONTENT

+
+

0x8050A005

+
+

ERR_MP_BADDB_NOTSIGNED

+
+

0x8050801

+
+

ERR_MP_REMOVE_FAILED

+
+

This is an internal error. It might be triggered when malware removal is not successful. +

+
+

0x80508018 +

+
+

ERR_MP_SCAN_ABORTED +

+
+

This is an internal error. It might have triggered when a scan fails to complete. +

+
+ +## Related topics + +[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) + +[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) + +  + +  + + + + + diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md new file mode 100644 index 0000000000..8d48e9a658 --- /dev/null +++ b/windows/keep-secure/trusted-platform-module-overview.md 
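Review bot: several error codes in the External and Internal error code tables are malformed and should be checked against the source before merge: `0x805080211` (ERR_MP_QUARANTINE_FAILED) and `0x805011011` (MP_ERROR_CODE_LUA_CANCELLED) have nine hex digits, `0x8050801` (ERR_MP_REMOVE_FAILED) has seven, and the cell `0x8050800F +0x80508010` for ERR_MP_NO_MORE_ITEMS carries two codes, the first of which already belongs to ERR_MP_NOT_SUPPORTED in the row above. An HRESULT is a 32-bit value, eight hex digits, so each of these cells should hold exactly one eight-digit code. The External table rows are also misaligned: `ERR_MP_FULL_SCAN_REQUIRED` has no code and `0x80508024` has no message or description, which reads as one row that was split in two; reassemble them. Smaller wording points: "removal inside the container type might not be not supported" has a doubled "not", the ERROR_MP_NO_INTERNET_CONN row repeats "Check your Internet connection, then run the scan again." in both the reason column and the action column, and "It might have triggered when a scan fails to complete" should read "It might be triggered".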
@@ -0,0 +1,130 @@ +--- +title: Trusted Platform Module Technology Overview (Windows 10) +description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. +ms.assetid: face8932-b034-4319-86ac-db1163d46538 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Trusted Platform Module Technology Overview + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. + +## Feature description + + +Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: + +- Generate, store, and limit the use of cryptographic keys. + +- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. + +- Help ensure platform integrity by taking and storing security measurements. + +The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. + +TPM-based keys can be configured in a variety of ways. 
One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. + +Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (). + +Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN. + +## Practical applications + + +Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. + +Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. 
New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. + +Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. + +The TPM has several Group Policy settings that can be used to manage how it is used. These settings can be used to manage the owner authorization value, the blocked TPM commands, the standard user lockout, and the backup of the TPM to AD DS. For more info, see [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). + +## New and changed functionality + + +For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](../whats-new/trusted-platform-module.md). + +## Device health attestation + + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. + +Some things that you can check on the device are: + +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +**Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +  + +## Supported versions + + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
TPM versionWindows 10Windows Server 2012 R2, Windows 8.1, and Windows RTWindows Server 2012, Windows 8, and Windows RTWindows Server 2008 R2 and Windows 7

TPM 1.2

X

X

X

X

TPM 2.0

X

X

X

X

+ +  + +## Additional Resources + + +[TPM Fundamentals](tpm-fundamentals.md) + +[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) + +[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + +[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md) + +[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) + +  + +  + + + + + diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md new file mode 100644 index 0000000000..e03f0a8624 --- /dev/null +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -0,0 +1,339 @@ +--- +title: TPM Group Policy settings (Windows 10) +description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# TPM Group Policy settings + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. + +## + + +The TPM Services Group Policy settings are located at: + +**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** + + ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingWindows 10Windows Server 2012 R2, Windows 8.1 and Windows RTWindows Server 2012, Windows 8 and Windows RTWindows Server 2008 R2 and Windows 7Windows Server 2008 and Windows Vista

[Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu)

X

X

X

X

X

[Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)

X

X

X

X

X

[Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)

X

X

X

X

X

[Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)

X

X

X

X

X

[Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)

X

X

X

[Standard User Lockout Duration](#bkmk-tpmgp-suld)

X

X

X

[Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)

X

X

X

[Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)

X

X

X

+ +  + +### Turn on TPM backup to Active Directory Domain Services + +This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information. + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands. + +**Important**   +To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + +  + +The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, on a local computer at the command prompt, type **tpm.msc** to open the TPM Management Console and select the action to **Initialize TPM**. If the TPM owner information is lost or is not available, limited TPM management is possible by running **tpm.msc**. + +If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. + +If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. 
+ +### Configure the list of blocked TPM commands + +This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc**to open the TPM Management Console and navigate to the **Command Management** section. + +If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows. + +- You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column. + +- The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface. + +For information how to enforce or ignore the default and local lists of blocked TPM commands, see + +- [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) + +- [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) + +### Ignore the default list of blocked TPM commands + +This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). 
+ +  + +The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column. Also see the related policy setting, [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc). + +If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list. + +If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. + +### Ignore the local list of blocked TPM commands + +This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) Also see the related policy setting to **Configure the list of blocked TPM commands**. + +If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. + +If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. 
+ +### Configure the level of TPM owner authorization information available to the operating system + +This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. + +- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. + +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. When you use this setting, we recommend using external or remote storage for the full TPM owner authorization value—for example, backing up the value in Active Directory Domain Services (AD DS). + +- **None**   This setting provides compatibility with previous operating systems and applications. 
You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. + +**Note**   +If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value is automatically backed up to AD DS when it is changed. + +  + +**Registry information** + +Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM + +DWORD: OSManagedAuthLevel + +The following table shows the TPM owner authorization values in the registry. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Value DataSetting

0

None

2

Delegated

4

Full

+ +  + +If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. + +If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. + +### Standard User Lockout Duration + +This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption. + +The number of authorization failures that a TPM allows and how long it stays locked vary by TPM manufacturer. 
Some TPMs may enter lockout mode for successively longer periods of time, with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require that the system is on so enough clock cycles elapse before the TPM exits the lockout mode. + +This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + +For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration: + +- [Standard User Individual Lockout Threshold](#bkmk-individual)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. + +- [Standard User Total Lockout Threshold](#bkmk-total)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. + +An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + +If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. + +### Standard User Individual Lockout Threshold + +This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). 
This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. + +An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + +An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + +If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + +### Standard User Total Lockout Threshold + +This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). 
If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). + +**Note**   +This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + +  + +This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. + +An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. + +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. + +1. The standard user individual lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. + +2. The standard user total lockout threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. + +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption.. + +The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. 
Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. + +An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. + +If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. + +## Additional resources + + +[Trusted Platform Module Technology Overview](trusted-platform-module-overview.md) + +[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx) + +[Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx) + +  + +  + + + + + diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md new file mode 100644 index 0000000000..b9da17ac68 --- /dev/null +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md 
@@ -0,0 +1,160 @@ +--- +title: Types of attacks for volume encryption keys (Windows 10) +description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. +ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Types of attacks for volume encryption keys + + +**Applies to** + +- Windows 10 + +There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. + +The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. + +### Bootkit and rootkit attacks + +Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys. + +Different types of bootkits and rootkits load at different software levels: + +- **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. 
They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers. + +- **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications. + +- **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware’s presence. + +- **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor. + +- **Firmware level.** These rootkits overwrite the PC’s BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it’s cleaned or removed from the hard disk. + +Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory. + +Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC’s firmware or simply start Windows under its control. + +To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the device’s Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. 
Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks. + +Although password protection of the UEFI configuration is important for protecting a device’s configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the system’s bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesn’t use a device’s TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user’s password or acquire encryption keys. + +For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. + +Any changes to the UEFI configuration invalidates the PCR7 and require the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. If an attacker successfully turns off Secure Boot or otherwise changes the UEFI configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). + +### Brute-force Sign-in Attacks + +Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method. 
+ +Three opportunities for brute-force attacks exist: + +- **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the user’s BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key. + +- **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful. + +- **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical. + +In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts. + +### Direct Memory Access Attacks + +Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device’s system memory. 
For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computer’s memory. + +Unfortunately, DMA ports don’t use authentication and access control to protect the contents of the computer’s memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys. + +DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. + +Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable: + +- FireWire + +- Thunderbolt + +- ExpressCard + +- PCMCIA + +- PCI + +- PCI-X + +- PCI Express + +To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. + +A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. 
When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time). + +Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any InstantGo-certified devices. InstantGo devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets. + +DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC. + +To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. 
Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device. + +### Hyberfil.sys Attacks + +The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file. + +Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. + +In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. + +### Memory Remanence Attacks + +A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC’s memory is often considered to be cleared when the PC is restarted, memory chips don’t immediately lose their memory when you disconnect power. 
Therefore, an attacker who has physical access to the PC’s memory might be able to read data directly from the memory—including the encryption key. + +When performing this type of cold boot attack, the attacker accesses the PC’s physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files. + +To acquire the keys, attackers follow this process: + +1. Freeze the PC’s memory. For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray. + +2. Restart the PC. + +3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD. + +4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys. + +5. The attacker uses the encryption keys to access the drive’s data. + +If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard. 
+ +Although Princeton’s research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008: + +- Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device. + +- Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented. + +- If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot. + +- The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks. + +- Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the system’s configuration may enable booting to the malicious tools. + +Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078). + +The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication. 
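Review bot: the hibernation file is misspelled throughout the "Hyberfil.sys Attacks" section; the Windows file is hiberfil.sys, and the section mixes "hyberfil.sys" and "hyberfile.sys" within one paragraph, so the heading and every occurrence should be corrected. In the brute-force section the numbers do not agree with each other: 128 bits of entropy implies roughly 2^127 expected guesses, whereas 18,446,744,073,709,551,616 is 2^64, and the "more than 580,000 years" figure is what 2^64 guesses at one million per second works out to; either the entropy statement or the guess count (and the derived years) needs correcting. The introduction promises that "Each section begins with a graphical overview of the attack's strengths and weaknesses", but the file contains no images; add them or drop the sentence. Smaller items: "boot and rootkits" and "boot and rootkit attacks" should read "bootkits and rootkits" / "bootkit and rootkit attacks"; "Any changes to the UEFI configuration invalidates the PCR7 and require" should be "invalidate ... and require"; "require little technical skills" should be "skill"; and the "Windows 8.1 and Windows 8" reference in the Exchange ActiveSync lockout sentence looks inherited from an older topic and should be checked against the Windows 10 scope stated under "Applies to".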
+ +## See also + + +- [BitLocker countermeasures](bitlocker-countermeasures.md) + +- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) + +- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) + +- [BitLocker overview](bitlocker-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understand-applocker-enforcement-settings.md b/windows/keep-secure/understand-applocker-enforcement-settings.md new file mode 100644 index 0000000000..7b977fc57a --- /dev/null +++ b/windows/keep-secure/understand-applocker-enforcement-settings.md @@ -0,0 +1,62 @@ +--- +title: Understand AppLocker enforcement settings (Windows 10) +description: This topic describes the AppLocker enforcement settings for rule collections. +ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understand AppLocker enforcement settings + + +**Applies to** + +- Windows 10 + +This topic describes the AppLocker enforcement settings for rule collections. + +Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Enforcement settingDescription

Not configured

By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value.

Enforce rules

Rules are enforced for the rule collection, and all rule events are audited.

Audit only

Rule events are audited only. Use this value when planning and testing AppLocker rules.

+ +  + +For the AppLocker policy to be enforced on a device, the Application Identity service must be running. For more info about the Application Identity service, see [Configure the Application Identity service](configure-the-application-identity-service.md). + +When AppLocker policies from various GPOs are merged, the enforcement modes are merged by using the standard Group Policy order of inheritance, which is local, domain, site, and organizational unit (OU). The Group Policy setting that was last written or applied by order of inheritance is used for the enforcement mode, and all rules from linked GPOs are applied. + +  + +  + + + + + diff --git a/windows/keep-secure/understand-applocker-policy-design-decisions.md b/windows/keep-secure/understand-applocker-policy-design-decisions.md new file mode 100644 index 0000000000..d34824f7d7 --- /dev/null +++ b/windows/keep-secure/understand-applocker-policy-design-decisions.md 
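Review bot: the Group Policy inheritance order given in the last paragraph is wrong: standard processing order is local, site, domain, OU (LSDOU), not "local, domain, site, and organizational unit". Since the paragraph states that the last-applied setting wins, the order determines which enforcement mode actually takes effect, so this should be corrected. In the table, the "Enforce rules" and "Audit only" rows both say events are audited; making the "Audit only" description explicit that rules are not enforced (apps still run, events are only logged) would make the difference between the two modes unambiguous for readers skimming the table.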
@@ -0,0 +1,519 @@ +--- +title: Understand AppLocker policy design decisions (Windows 10) +description: This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. +ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understand AppLocker policy design decisions + + +**Applies to** + +- Windows 10 + +This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. + +When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance. + +You should consider using AppLocker as part of your organization's application control policies if all the following are true: + +- You have deployed or plan to deploy the supported versions of Windows in your organization. For specific operating system version requirements, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). + +- You need improved control over the access to your organization's applications and the data your users access. + +- The number of applications in your organization is known and manageable. + +- You have resources to test policies against the organization's requirements. + +- You have resources to involve Help Desk or to build a self-help process for end-user application access issues. + +- The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. + +The following questions are not in priority or sequential order. 
They should be considered when you deploy application control policies (as appropriate for your targeted environment). + +### Which apps do you need to control in your organization? + +You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Control all apps

AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

Control specific apps

When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

Control only Classic Windows applications, only Universal Windows apps, or both

AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.

+

For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.

Control apps by business group and user

AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.

Control apps by computer, not user

AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.

Understand app usage, but there is no need to control any apps yet

AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.

+ +  + +**Important**   +The following list contains files or types of files that cannot be managed by AppLocker: + +- AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. + +- You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. + +- AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. + + **Important**   + You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. 
+ +   + +- AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. + + For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md). + +  + +### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions + +AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Windows Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: + +- All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. + +- Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. 
+ +- Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution. + +AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both. + +For more info, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + +### How do you currently control app usage in your organization? + +Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. AppLocker includes improvements over SRP in the architecture and management of application control policies. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Security polices (locally set or through Group Policy)

Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.

Non-Microsoft app control software

Using AppLocker requires a complete app control policy evaluation and implementation.

Managed usage by group or OU

Using AppLocker requires a complete app control policy evaluation and implementation.

Authorization Manager or other role-based access technologies

Using AppLocker requires a complete app control policy evaluation and implementation.

Other

Using AppLocker requires a complete app control policy evaluation and implementation.

+ +  + +### Which Windows desktop and server operating systems are running in your organization? + +If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Your organization's computers are running a combination of the following operating systems:

+
    +
  • Windows 10

  • +
  • Windows 8

  • +
  • Windows 7

  • +
  • Windows Vista

  • +
  • Windows XP

  • +
  • Windows Server 2012

  • +
  • Windows Server 2008 R2

  • +
  • Windows Server 2008

  • +
  • Windows Server 2003

  • +

AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

+
+Note   +

If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

+
+
+  +
+

AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.

Your organization's computers are running only the following operating systems:

+
    +
  • Windows 10

  • +
  • Windows 8.1

  • +
  • Windows 8

  • +
  • Windows 7

  • +
  • Windows Server 2012 R2

  • +
  • Windows Server 2012

  • +
  • Windows Server 2008 R2

  • +

Use AppLocker to create your application control policies.

+ +  + +### Are there specific groups in your organization that need customized application control policies? + +Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Yes

+

For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.

+

If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.

No

AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.

+ +  + +### Does your IT department have resources to analyze application usage, and to design and manage the policies? + +The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Yes

Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.

No

Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment.

+ +  + +### Does your organization have Help Desk support? + +Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Yes

Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications.

No

Invest time in developing online support processes and documentation before deployment.

+ +  + +### Do you know what applications require restrictive policies? + +Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Yes

You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies.

No

You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in Audit only mode, and tools to view the event logs.

+ +  + +### How do you deploy or sanction applications (upgraded or new) in your organization? + +Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Ad hoc

You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.

Strict written policy or guidelines to follow

You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules.

No process in place

You need to determine if you have the resources to develop an application control policy, and for which groups.

+ +  + +### Does your organization already have SRP deployed? + +Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Yes

You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

+
+Note   +

If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.

+
+
+  +

No

Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems.

+ +  + +### What are your organization's priorities when implementing application control policies? + +Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of AppLocker. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Productivity: The organization assures that tools work and required applications can be installed.

To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress.

Management: The organization is aware of and controls the apps it supports.

In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps

Security: The organization must protect data in part by ensuring that only approved apps are used.

AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.

+ +  + +### How are apps currently accessed in your organization? + +AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Users run without administrative rights.

+

Apps are installed by using an installation deployment technology.

AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

+
+Note   +

AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.

+
+
+  +

Users must be able to install applications as needed.

+

Users currently have administrator access, and it would be difficult to change this.

Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the Audit only enforcement setting through AppLocker.

+ +  + +### Is the structure in Active Directory Domain Services based on the organization's hierarchy? + +Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. + + ++++ + + + + + + + + + + + + + + + + +
Possible answersDesign considerations

Yes

AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.

No

The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.

+ +  + +## Record your findings + + +The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document. + +- For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md). + +- For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). + +  + +  + + + + + diff --git a/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md new file mode 100644 index 0000000000..ac54fef39f --- /dev/null +++ b/windows/keep-secure/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md 
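Review bot: the Note in the first row of the operating-systems table is garbled and misstates the fact: "those privileges are not supported on computers running that support AppLocker" should use the wording the SRP table uses later in the same file, "those privileges are not supported on computers running the supported operating systems". In that same row, the "combination of the following operating systems" list omits Windows 8.1 and Windows Server 2012 R2, both of which appear in the "only the following operating systems" row, so a reader with a mixed estate cannot tell which row applies; the two lists should be reconciled. Under "Record your findings", "tyou can set your application control policy objectives" should be "you can set". One security point in the "How are apps currently accessed" table deserves to be a limitation rather than an aside: the Note that "users with administrative credentials can add new rules to the local AppLocker policy" means an administrator can allow anything, so the row should say plainly that the "Users run without administrative rights" answer is the precondition for the policy holding.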
@@ -0,0 +1,64 @@ +--- +title: Understand AppLocker rules and enforcement setting inheritance in Group Policy (Windows 10) +description: This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. +ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understand AppLocker rules and enforcement setting inheritance in Group Policy + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. + +Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into the following collections: executable files, Windows Installer files, scripts, packaged apps and packaged app installers, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. + +Group Policy merges AppLocker policy in two ways: + +- **Rules.** Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO). For example, if the current GPO has 12 rules and a linked GPO has 50 rules, 62 rules are applied to all computers that receive the AppLocker policy. + + **Important**   + When determining whether a file is permitted to run, AppLocker processes rules in the following order: + + 1. **Explicit deny.** An administrator created a rule to deny a file. + + 2. **Explicit allow.** An administrator created a rule to allow a file. + + 3. **Implicit deny.** This is also called the default deny because all files that are not affected by an allow rule are automatically blocked. + +   + +- **Enforcement settings.** The last write to the policy is applied. 
For example, if a higher-level GPO has the enforcement setting configured to **Enforce rules** and the closest GPO has the setting configured to **Audit only**, **Audit only** is enforced. If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced. + +Because a computer's effective policy includes rules from each linked GPO, duplicate rules or conflicting rules could be enforced on a user's computer. Therefore, you should carefully plan your deployment to ensure that only rules that are necessary are present in a GPO. + +The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs. + +![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif) + +In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced. + +When constructing the Group Policy architecture for applying AppLocker policies, it is important to remember: + +- Rule collections that are not configured will be enforced. + +- Group Policy does not overwrite or replace rules that are already present in a linked GPO. + +- AppLocker processes the explicit deny rule configuration before the allow rule configuration. + +- For rule enforcement, the last write to the GPO is applied. + +  + +  + + + + + diff --git a/windows/keep-secure/understand-the-applocker-policy-deployment-process.md b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md new file mode 100644 index 0000000000..71a486b003 --- /dev/null +++ b/windows/keep-secure/understand-the-applocker-policy-deployment-process.md 
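Review bot: the fallback sentence under "Enforcement settings" is circular: "If enforcement is not configured on the closest GPO, the setting from the closest linked GPO will be enforced" names the same GPO twice and should read "the setting from the next-closest GPO that has the enforcement setting configured". The "Rules" bullet should also state the security consequence of additive merging rather than leaving it at "duplicate rules or conflicting rules": because rules from every linked GPO are combined and explicit allow is evaluated before implicit deny, one broad allow rule (a path rule, for example) in any GPO in the chain widens the effective allow list on every computer that receives it, and a child GPO cannot tighten that by adding rules of its own, only a deny rule takes precedence. Finally, "The rules that are not configured are also applied" and "Rule collections that are not configured will be enforced" both need a sentence saying what "not configured" means here (the example implies a collection that contains rules but has no explicit enforcement setting is treated as Enforce rules), because read literally they say a collection with nothing configured is enforced.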
@@ -0,0 +1,46 @@ +--- +title: Understand the AppLocker policy deployment process (Windows 10) +description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. +ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understand the AppLocker policy deployment process + + +**Applies to** + +- Windows 10 + +This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. + +To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications. + +The following diagram shows the main points in the design, planning, and deployment process for AppLocker. + +![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif) + +## Resources to support the deployment process + + +The following topics contain information about designing, planning, deploying, and maintaining AppLocker policies: + +- For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md). + +- For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md). + +- For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md). 
+ +- For info about AppLocker policy architecture, components, and processing, see [AppLocker technical reference](applocker-technical-reference.md). + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md new file mode 100644 index 0000000000..aba279a4c9 --- /dev/null +++ b/windows/keep-secure/understanding-applocker-allow-and-deny-actions-on-rules.md 
@@ -0,0 +1,77 @@ +--- +title: Understanding AppLocker allow and deny actions on rules (Windows 10) +description: This topic explains the differences between allow and deny actions on AppLocker rules. +ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding AppLocker allow and deny actions on rules + + +**Applies to** + +- Windows 10 + +This topic explains the differences between allow and deny actions on AppLocker rules. + +## Allow action versus deny action on rules + + +Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. + +You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. + +### Deny rule considerations + +Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. The following table details security concerns for different rule conditions with deny actions. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Rule conditionSecurity concern with deny action

Publisher

A user could modify the properties of a file (for example, re-signing the file with a different certificate).

File hash

A user could modify the hash for a file.

Path

A user could move the denied file to a different location and run it from there.

+ +  + +**Important**   +If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running. + +  + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md new file mode 100644 index 0000000000..8cfd4ceadc --- /dev/null +++ b/windows/keep-secure/understanding-applocker-default-rules.md 
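Review bot: the "File hash" row of the deny-action table, "A user could modify the hash for a file", misstates the bypass; nobody edits a hash, the user changes the file (any byte, for example by appending padding) so the computed hash no longer matches the deny rule, which is exactly what the preceding paragraph means by "a malicious user could modify the file to invalidate the rule". Suggest: "A user could modify the file so that its hash no longer matches the rule." The "Publisher" row's example, re-signing with a different certificate, requires the attacker to hold a signing key; in the "allow all files, then deny specific files" configuration this section warns against, removing the signature is enough, because an unsigned file never matches a publisher condition. The Important box is correct and should lead the section, since it states the main operational hazard: creating the first rule in a collection, even a deny rule, switches that collection to default deny for every file not explicitly allowed.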
@@ -0,0 +1,89 @@ +--- +title: Understanding AppLocker default rules (Windows 10) +description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. +ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding AppLocker default rules + + +**Applies to** + +- Windows 10 + +This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. + +AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. + +**Important**   +You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. + +  + +If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: + +- Traverse Folder/Execute File + +- Create Files/Write Data + +- Create Folders/Append Data + +These permissions settings are applied to this folder for app compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Executable rules in AppLocker](executable-rules-in-applocker.md)

This topic describes the file formats and available default rules for the executable rule collection.

[Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)

This topic describes the file formats and available default rules for the Windows Installer rule collection.

[Script rules in AppLocker](script-rules-in-applocker.md)

This topic describes the file formats and available default rules for the script rule collection.

[DLL rules in AppLocker](dll-rules-in-applocker.md)

This topic describes the file formats and available default rules for the DLL rule collection.

[Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)

This topic explains the AppLocker rule collection for packaged app installers and packaged apps.

+ +  + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-applocker-rule-behavior.md b/windows/keep-secure/understanding-applocker-rule-behavior.md new file mode 100644 index 0000000000..e641befe4b --- /dev/null +++ b/windows/keep-secure/understanding-applocker-rule-behavior.md 
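Review bot: the Temp-folder paragraph describes the hazard (the default executable rule is a path rule for the whole Windows folder, and the Users group can create and execute files in Windows\Temp) but stops short of the mitigation; add a sentence telling the reader to add the user-writable subfolders as exceptions to the default path rule, or to replace the path rule with publisher rules for the Windows binaries, since the page elsewhere recommends publisher conditions for signed files. Also "This topic for IT professional describes" should be "This topic for the IT professional describes", in both the description field and the intro sentence.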
@@ -0,0 +1,45 @@ +--- +title: Understanding AppLocker rule behavior (Windows 10) +description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. +ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding AppLocker rule behavior + + +**Applies to** + +- Windows 10 + +This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. + +If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. + +A rule can be configured to use either an allow or deny action: + +- **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. + +- **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. + +**Important**   +You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. + +  + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + 
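Review bot: the Important box gives the wrong reason for preferring allow rules with exceptions: "deny actions override allow actions in all cases" is a precedence fact, not a drawback. The actual reasons are the two stated elsewhere in this patch, that a path-based deny rule is circumvented by running the file from another path, and that unlisted files are already blocked once a collection has any rule, so a deny rule adds nothing an exception on the allow rule would not give, while carrying the bypass risk. Suggest rewording to "we recommend allow rules with exceptions; deny rules can be circumvented (a file denied by path can be run from any other path), and because unlisted files are blocked by default, an exception on the allow rule achieves the same result without a separate deny rule."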
diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md new file mode 100644 index 0000000000..a6f772c351 --- /dev/null +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -0,0 +1,53 @@ +--- +title: Understanding AppLocker rule collections (Windows 10) +description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. +ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding AppLocker rule collections + + +**Applies to** + +- Windows 10 + +This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. + +An AppLocker rule collection is a set of rules that apply to one of five types: + +- Executable files: .exe and .com + +- Windows Installer files: .msi, mst, and .msp + +- Scripts: .ps1, .bat, .cmd, .vbs, and .js + +- DLLs: .dll and .ocx + +- Packaged apps and packaged app installers: .appx + +If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. + +**Important**   +Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default. + +  + +For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-applocker-rule-condition-types.md b/windows/keep-secure/understanding-applocker-rule-condition-types.md new file mode 100644 index 0000000000..6969952dce --- /dev/null 
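Review bot: the Windows Installer line is missing a dot: ".msi, mst, and .msp" should be ".msi, .mst, and .msp". The DLL sentence "a DLL allow rule has to be created for each DLL that is used by all of the allowed apps" reads as "DLLs shared by every app"; it means every DLL loaded by any allowed app, so suggest "for every DLL loaded by any of the allowed apps". The Important box leads with performance and compatibility, but should also name the security trade-off of leaving the DLL collection disabled: with no rules in that collection, every DLL is allowed to load, so an allowed process can be made to load unapproved code as a library, which sidesteps the executable rules.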
+++ b/windows/keep-secure/understanding-applocker-rule-condition-types.md 
@@ -0,0 +1,74 @@ +--- +title: Understanding AppLocker rule condition types (Windows 10) +description: This topic for the IT professional describes the three types of AppLocker rule conditions. +ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding AppLocker rule condition types + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the three types of AppLocker rule conditions. + +Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + +**Publisher** + +To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). + +**Path** + +Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). + +**File hash** + +Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that the version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). 
+ +### Considerations + +Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use. + +1. Is the file digitally signed by a software publisher? + + If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can: + + - Sign the file by using an internal certificate. + + - Create a rule by using a file hash condition. + + - Create a rule by using a path condition. + + **Note**   + To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, `Get-AppLockerFileInformation –Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory. + +   + +2. What rule condition type does your organization prefer? + + If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place. + + **Note**   + For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +   + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-applocker-rule-exceptions.md b/windows/keep-secure/understanding-applocker-rule-exceptions.md new file mode 100644 index 0000000000..a5a24f0b8f --- /dev/null 
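Review bot: the cmdlet example uses an en dash for the first parameter (`–Directory`) but ASCII hyphens for `-FileType` and `-recurse`; normalize to ASCII hyphens so the line copies cleanly into a console, and write `-Recurse` to match the casing of the other parameter names. In the "File hash" paragraph, "unique to that the version of the file" should be "unique to that version of the file". In the "Publisher" paragraph, "or you must do so by using an internal certificate" leaves "do so" dangling; say "or you must sign them yourself by using an internal certificate". One caveat the Considerations list should carry: question 1 recommends publisher conditions for signed files, and the Publisher paragraph notes that rules "specified to the version level" need updating on new releases, but the flip side is that a publisher rule not pinned to a version matches every version of that file the publisher signs, including superseded ones, so the rule's scope is a security decision and not only a maintenance trade-off.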
+++ b/windows/keep-secure/understanding-applocker-rule-exceptions.md @@ -0,0 +1,36 @@ +--- +title: Understanding AppLocker rule exceptions (Windows 10) +description: This topic describes the result of applying AppLocker rule exceptions to rule collections. +ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding AppLocker rule exceptions + + +**Applies to** + +- Windows 10 + +This topic describes the result of applying AppLocker rule exceptions to rule collections. + +You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. + +For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md new file mode 100644 index 0000000000..d014968a92 --- /dev/null +++ b/windows/keep-secure/understanding-the-file-hash-rule-condition-in-applocker.md 
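Review bot: "allows everyone in the organization to run Windows" is ambiguous in this hunk; the rule described is the one over the Windows folder, so write "to run files in the Windows folder except Registry Editor". The last sentence of that paragraph, that a deny rule on Registry Editor overrides the later allow rule for the Helpdesk group, is the one precedence fact a reader needs from this topic and it is buried at the end of the example; pull it into a "**Note**" block as the other topics in this change do, and say explicitly that the second rule must be an allow rule. The body also never mentions the exception mechanism the title refers to; link to "Add exceptions for an AppLocker rule" (configure-exceptions-for-an-applocker-rule.md), which the reference device topic in this same change already references.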
@@ -0,0 +1,57 @@ +--- +title: Understanding the file hash rule condition in AppLocker (Windows 10) +description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. +ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding the file hash rule condition in AppLocker + + +**Applies to** + +- Windows 10 + +This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. + +File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. + + ++++ + + + + + + + + + + + + +
File hash condition advantagesFile hash condition disadvantages

Because each file has a unique hash, a file hash condition applies to only one file.

Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.

+ +  + +For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md new file mode 100644 index 0000000000..80c9494b0b --- /dev/null +++ b/windows/keep-secure/understanding-the-path-rule-condition-in-applocker.md 
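Review bot: This topic never says which hash is computed, yet the comparison table later in this change (use-applocker-and-software-restriction-policies-in-the-same-domain.md, "Editing the hash value" row) states that AppLocker computes the hash itself, using the SHA2 Authenticode hash for PEs and Windows Installers and a SHA2 flat file hash for the rest; repeat that after "File hash rules use a system-computed cryptographic hash of the identified file", because an Authenticode hash of a PE file is not the value a plain file-hashing tool produces and readers will otherwise compare the wrong numbers. The disadvantage cell, "Each time that the file is updated ... you must manually update file hash rules", would also benefit from a pointer to Get-AppLockerFileInformation (described in the cmdlets topic of this change) as the way to obtain the new hash after an update.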
@@ -0,0 +1,120 @@ +--- +title: Understanding the path rule condition in AppLocker (Windows 10) +description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. +ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding the path rule condition in AppLocker + + +**Applies to** + +- Windows 10 + +This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. + +The path condition identifies an application by its location in the file system of the computer or on the network. + +When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition. + + ++++ + + + + + + + + + + + + +
Path condition advantagesPath condition disadvantages
    +
  • You can easily control many folders or a single file.

  • +
  • You can use the asterisk (*) as a wildcard character within path rules.

  • +
    +
  • It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.

  • +
  • You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.

  • +
+ +  + +AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. + +The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. + +AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows directory or driveAppLocker path variableWindows environment variable

Windows

%WINDIR%

%SystemRoot%

System32

%SYSTEM32%

%SystemDirectory%

Windows installation directory

%OSDRIVE%

%SystemDrive%

Program Files

%PROGRAMFILES%

%ProgramFiles% and %ProgramFiles(x86)%

Removable media (for example, CD or DVD)

%REMOVABLE%

Removable storage device (for example, USB flash drive)

%HOT%

+ +  + +For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md new file mode 100644 index 0000000000..263db51284 --- /dev/null +++ b/windows/keep-secure/understanding-the-publisher-rule-condition-in-applocker.md 
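Review bot: In the path variable table of this hunk, the row labelled "Windows installation directory" maps %OSDRIVE% to %SystemDrive%, which is the drive rather than the Windows directory; the Windows directory row is the one above it (%WINDIR% / %SystemRoot%). Relabel the row "Windows installation drive" so the first column matches its heading, "Windows directory or drive". Two wording points: "can be used within **Path** field" is missing "the", and "You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced" appears verbatim both in the disadvantages table and in the paragraph about short names; keep it once, in the paragraph, where the reason (short-name paths are not enforced) is stated.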
@@ -0,0 +1,145 @@ +--- +title: Understanding the publisher rule condition in AppLocker (Windows 10) +description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. +ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Understanding the publisher rule condition in AppLocker + + +**Applies to** + +- Windows 10 + +This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. + +Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization. + +Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition. + + ++++ + + + + + + + + + + + + +
Publisher condition advantagesPublisher condition disadvantages
    +
  • Frequent updating is not required.

  • +
  • You can apply different values within a certificate.

  • +
  • A single rule can be used to allow an entire product suite.

  • +
  • You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.

  • +
    +
  • The file must be signed.

  • +
  • Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.

  • +
+ +  + +Wildcard characters can be used as values in the publisher rule fields according to the following specifications: + +- **Publisher** + + The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field. + +- **Product name** + + The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field. + +- **File name** + + Either the asterisk (\*) or question mark (?) characters used by themselves represent any and all file names. When combined with any string value, the string is matched with any file name containing that string. + +- **File version** + + The asterisk (\*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits: + + - **Exactly**. The rule applies only to this version of the app + + - **And above**. The rule applies to this version and all later versions. + + - **And Below**. The rule applies to this version and all earlier versions. + +The following table describes how a publisher condition is applied. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionThe publisher condition allows or denies…

All signed files

All files that are signed by a publisher.

Publisher only

All files that are signed by the named publisher.

Publisher and product name

All files for the specified product that are signed by the named publisher.

Publisher, product name, and file name

Any version of the named file for the named product that is signed by the publisher.

Publisher, product name, file name, and file version

Exactly

+

The specified version of the named file for the named product that is signed by the publisher.

Publisher, product name, file name, and file version

And above

+

The specified version of the named file and any new releases for the product that are signed by the publisher.

Publisher, product name, file name, and file version

And below

+

The specified version of the named file and any older versions for the product that are signed by the publisher.

Custom

You can edit the Publisher, Product name, File name, and Version fields to create a custom rule.

+ +  + +For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). + +## Related topics + + +[How AppLocker works](how-applocker-works-techref.md) + +  + +  + + + + + diff --git a/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md new file mode 100644 index 0000000000..070851aa6b --- /dev/null +++ b/windows/keep-secure/use-a-reference-computer-to-create-and-maintain-applocker-policies.md 
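Review bot: The File version bullets in this hunk are inconsistent: "**Exactly**. The rule applies only to this version of the app" lacks its final period, and "**And Below**" capitalizes "Below" while "**And above**" and the table rows ("And above", "And below") do not; use "And below" throughout so the option names match the labels quoted in the table. In the Publisher bullet, the point that "M\*" matches only a publisher literally named "M\*" is easy to misread; state the rule first (the asterisk is a wildcard only when it is the entire field value) and then give the example, and do the same in the Product name bullet, which repeats the sentence without an example. The table's "Custom" row says you can edit the four fields to create a custom rule but not that the wildcard rules above apply to them; one clause there would close the loop.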
@@ -0,0 +1,126 @@ +--- +title: Use a reference device to create and maintain AppLocker policies (Windows 10) +description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. +ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Use a reference device to create and maintain AppLocker policies + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. + +## Background and prerequisites + + +An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). + +An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. + +**Important**   +The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +  + +You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies. + +## Step 1: Automatically generate rules on the reference device + + +With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. 
For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). + +**Note**   +If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. + +  + +## Step 2: Create the default rules on the reference device + + +AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md). + +**Important**   +You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. + +  + +## Step 3: Modify rules and the rule collection on the reference device + + +If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). 
If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: + +- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) + +- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) + +- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) + +- [Edit AppLocker rules](edit-applocker-rules.md) + +- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) + +- [Delete an AppLocker rule](delete-an-applocker-rule.md) + +- [Enable the DLL rule collection](enable-the-dll-rule-collection.md) + +- [Enforce AppLocker rules](enforce-applocker-rules.md) + +## Step 4: Test and update AppLocker policy on the reference device + + +You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: + +- [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx) + +- [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) + +**Caution**   +If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. 
If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect. + +  + +## Step 5: Export and import the policy into production + + +When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: + +- [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) + +- [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or + +- [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx) + +If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). + +## Step 6: Monitor the effect of the policy in production + + +If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: + +- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + +- [Edit an AppLocker policy](edit-an-applocker-policy.md) + +- [Refresh an AppLocker policy](refresh-an-applocker-policy.md) + +## See also + + +[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) + + +  + +  + + + + + diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md new file mode 100644 index 0000000000..973405d6cf --- /dev/null 
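Review bot: The link target `configure-the-appLocker-reference-device.md` under "Background and prerequisites" has a capital L; every other file in this change is lowercase (for example `requirements-to-use-applocker.md` two lines later), and on a case-sensitive host the mixed-case path will 404, so lowercase it or confirm the file really has that name. In Step 4, "determine whether any of the rules in your rule collection will be blocked" has the wrong subject: Test-AppLockerPolicy reports whether files are allowed or denied (as the cmdlets topic in this change says), so write "whether any files will be blocked by the rules in your rule collection". In Step 5 the bullet "Import an AppLocker policy into a GPO or" ends in a dangling "or"; either name the alternative procedure for the non-Group-Policy case the paragraph mentions, or drop the "or".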
+++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -0,0 +1,170 @@ +--- +title: Use AppLocker and Software Restriction Policies in the same domain (Windows 10) +description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. +ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Use AppLocker and Software Restriction Policies in the same domain + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. + +## Using AppLocker and Software Restriction Policies in the same domain + + +AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. + +The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Application control functionSRPAppLocker

Scope

SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.

Policy creation

SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.

AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

+

AppLocker permits customization of error messages to direct users to a Web page for help.

Policy maintenance

SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).

AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.

Policy application

SRP policies are distributed through Group Policy.

AppLocker policies are distributed through Group Policy.

Enforcement mode

SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

+

SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.

AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.

File types that can be controlled

SRP can control the following file types:

+
    +
  • Executables

  • +
  • Dlls

  • +
  • Scripts

  • +
  • Windows Installers

  • +
+

SRP cannot control each file type separately. All SRP rules are in a single rule collection.

AppLocker can control the following file types:

+
    +
  • Executables

  • +
  • Dlls

  • +
  • Scripts

  • +
  • Windows Installers

  • +
  • Packaged apps and installers

  • +
+

AppLocker maintains a separate rule collection for each of the five file types.

Designated file types

SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.

AppLocker currently supports the following file extensions:

+
    +
  • Executables (.exe, .com)

  • +
  • Dlls (.ocx, .dll)

  • +
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)

  • +
  • Windows Installers (.msi, .mst, .msp)

  • +
  • Packaged app installers (.appx)

  • +

Rule types

SRP supports four types of rules:

+
    +
  • Hash

  • +
  • Path

  • +
  • Signature

  • +
  • Internet zone

  • +

AppLocker supports three types of rules:

+
    +
  • File hash

  • +
  • Path

  • +
  • Publisher

  • +

Editing the hash value

In Windows XP, you could use SRP to provide custom hash values.

+

Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.

AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and a SHA2 flat file hash for the rest.

Support for different security levels

With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

+

SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).

AppLocker does not support security levels.

Manage Packaged apps and Packaged app installers.

Not supported

.appx is a valid file type which AppLocker can manage.

Targeting a rule to a user or a group of users

SRP rules apply to all users on a particular computer.

AppLocker rules can be targeted to a specific user or a group of users.

Support for rule exceptions

SRP does not support rule exceptions.

AppLocker rules can have exceptions which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.

Support for audit mode

SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.

AppLocker supports audit mode which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

Support for exporting and importing policies

SRP does not support policy import/export.

AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.

Rule enforcement

Internally, SRP rules enforcement happens in the user-mode which is less secure.

Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md new file mode 100644 index 0000000000..22eddb11d1 --- /dev/null +++ b/windows/keep-secure/use-the-applocker-windows-powershell-cmdlets.md 
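Review bot: The opening paragraph of this hunk contradicts the table it introduces. It says "Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier", but the "Editing the hash value" row describes SRP behaviour "Beginning with Windows 7 and Windows Server 2008 R2", the "Support for different security levels" row says "On Windows 7, that list was restricted to just two levels", and the paragraph's own last sentence says SRP policies are ignored, not unsupported, when AppLocker policies apply. Reword to say that SRP remains available on Windows 7 and later but AppLocker should be used there, and that SRP policies are ignored on those systems when both are applied. Grammar in the table cells: "the rest of the file are allowed" (files), "such that the by default all files are blocked" (drop "the"), "allows you to test the effect of their policy" (your), "Dlls" (DLLs), and the header cell "Manage Packaged apps and Packaged app installers." carries a trailing period no other row has.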
@@ -0,0 +1,59 @@ +--- +title: Use the AppLocker Windows PowerShell cmdlets (Windows 10) +description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. +ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Use the AppLocker Windows PowerShell cmdlets + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. + +## AppLocker Windows PowerShell cmdlets + + +The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console. + +To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. + +### Retrieve application information + +The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. 
Files that are not signed do not have any publisher information. + +### Set AppLocker policy + +The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. + +### Retrieve an AppLocker policy + +The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string. + +### Generate rules for a given user or group + +The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the list of file information. + +### Test the AppLocker Policy against a file set + +The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user. + +## Additional resources + + +- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). + +  + +  + + + + + diff --git a/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md new file mode 100644 index 0000000000..ef5fe8f433 --- /dev/null +++ b/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection.md 
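Review bot: "If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default" under "Set AppLocker policy" mislabels what is supplied: the cmdlet takes an LDAP path to a GPO, not a protocol, so write "If no LDAP path to a GPO is specified, the local GPO is the default". Under "Test the AppLocker Policy against a file set", "whether a specified list of files are allowed to run or not" should be "whether the files in a specified list are allowed to run", and "Policy" is capitalized in that heading but in none of the others. The "Retrieve an AppLocker policy" section says the policy can come "from a specified GPO" without saying how the GPO is identified; one clause pointing back to the LDAP path would make the two sections consistent.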
@@ -0,0 +1,715 @@ +--- +title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) +description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. +ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Use Windows Event Forwarding to help with intrusion detection + + +**Applies to** + +- Windows 10 + +Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. + +Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. + +To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. + +This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. 
+ +An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed. + +A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability (hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and trend analysis, pattern clustering analysis, or apply Machine Learning algorithms. + +Here's an approximate scaling guide for WEF events: + +| Events/second range | Data store | +|---------------------|----------------------------| +| 0 - 5,000 | SQL or SEM | +| 5,000 - 50,000 | SEM | +| 50,000+ | Hadoop/HDInsight/Data Lake | + +  + +Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. + +For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). 
+ +**Note**   +These are only minimum values need to meet what the WEF subscription selects. + +  + +From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription. + +This means you would create two base subscriptions: + +- **Baseline WEF subscription**. Events collected from all hosts, this includes some role-specific events, which will only be emitted by those machines. +- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. + +Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. + +In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. + +### Common WEF questions + +This section addresses common questions from IT pros and customers. + +### Will the user notice if their machine is enabled for WEF or if WEF encounters an error? + +The short answer is: No. + +The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. 
Unless the user opens Event Viewer and navigates to that channel, they will not notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. + +### Is WEF Push or Pull? + +A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. + +### Will WEF work over VPN or RAS? + +WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of events when the connection to the WEF Collector is re-established. + +### How is client progress tracked? + +The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. 
+ +### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? + +Yes. WEF is transport agnostic and will work over IPv4 or IPv6. + +### Are WEF events encrypted? I see an HTTP/HTTPS option! + +In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the connection. Additionally, the connection between WEF client and WEC server is mutually authenticated regardless of authentication type (Kerberos or NTLM.) There are GPO options to force Authentication to use Kerberos Only. + +This authentication and encryption is performed regardless if HTTP or HTTPS is selected. + +The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual authentication. + +### Do WEF Clients have a separate buffer for events? + +The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + +When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. + +### What format is used for forwarded events? + +WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. 
This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. + +A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: + +``` syntax +@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime +Wecutil ss “testSubscription” /cf:Events +``` + +### How frequently are WEF events delivered? + +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. + +This table outlines the built-in delivery options: + +| Event delivery optimization options | Description | +|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. 
It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | +| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | +| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | + +  + +For more info about delivery options, see [Configure Advanced Subscription Settings](http://technet.microsoft.com/library/cc749167.aspx). + +The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: + +``` syntax +@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime +Wecutil ss “SubscriptionNameGoesHere” /cm:Custom + +@rem set DeliveryMaxItems to 1 event +Wecutil ss “SubscriptionNameGoesHere” /dmi:1 + +@rem set DeliveryMaxLatencyTime to 10 ms +Wecutil ss “SubscriptionNameGoesHere” /dmlt:10 +``` + +### How do I control which devices have access to a WEF Subscription? + +For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that subscription or are explicitly denied access. 
This ACL applies to only a single WEF subscription (since there can be multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL. + +For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to collect events. This list is managed at the WEC server, and the credentials used for the subscription must have access to read event logs from the WEF Clients – the credentials can be either the machine account or a domain account. + +### Can a client communicate to multiple WEF Event Collectors? + +Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. + +### What are the WEC server’s limitations? + +There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. + +- **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. + +- **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. 
+ +- **Registry size**. For each unique device that connects to a WEF subscription, there is a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this is not pruned to remove inactive clients this set of registry keys can grow to an unmanageable size over time. + + - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. + + - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. + + - At >100,000 lifetime WEF sources, the registry will not be readable and the WEC server will likely have to be rebuilt. + +## Subscription information + + +Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. + +### Baseline subscription + +While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription does not require special configuration on client devices to enable event channels or modify channel permissions. + +The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. 
Additionally, suppress statements which filter out specific events, only apply within that query statement and are not to the entire subscription. + +### Baseline subscription requirements + +To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. + +- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. + +- Apply at least an Audit-Only AppLocker policy to devices. + + - If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met. + + - AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts. + +- Enable disabled event channels and set the minimum size for modern event files. + +- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). + +The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf). + +- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. + +- Security event log Process Create events. + +- AppLocker Process Create events (EXE, script, packaged App installation and execution). + +- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). 
+ +- OS startup and shutdown + + - Startup event include operating system version, service pack level, QFE version, and boot mode. + +- Service install + + - Includes what the name of the service, the image path, and who installed the service. + +- Certificate Authority audit events + + - This is only applicable on systems with the Certificate Authority role installed. + + - Logs certificate requests and responses. + +- User profile events + + - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. + +- Service start failure + + - Failure codes are localized, so you have to check the message DLL for values. + +- Network share access events + + - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. + +- System shutdown initiate requests + + - Find out what initiated the restart of a device. + +- User initiated interactive logoff event + +- Remote Desktop Services session connect, reconnect, or disconnect. + +- EMET events, if EMET is installed. + +- Event forwarding plugin events + + - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + +- Network share create and delete + + - Enables detection of unauthorized share creation. + + **Note**  All shares are re-created when the device starts. + +   + +- Logon sessions + + - Logon success for interactive (local and Remote Interactive/Remote Desktop) + + - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. + + - Logon success for batch sessions + + - Logon session close, which are logoff events for non-network sessions. + +- Windows Error Reporting (Application crash events only) + + - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. 
+- Event log service events + + - Errors, start events, and stop events for the Windows Event Log service. + +- Event log cleared (including the Security Event Log) + + - This could indicate an intruder that are covering their tracks. + +- Special privileges assigned to new logon + + - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + +- Outbound Remote Desktop Services session attempts + + - Visibility into potential beachhead for intruder + +- System time changed + +- SMB Client (mapped drive connections) + +- Account credential validation + + - Local accounts or domain accounts on domain controllers + +- A user was added or removed from the local Administrators security group. + +- Crypto API private key accessed + + - Associated with signing objects using the locally stored private key. + +- Task Scheduler task creation and delete + + - Task Scheduler allows intruders to run code at specified times as LocalSystem. + +- Logon with explicit credentials + + - Detect credential use changes by intruders to access additional resources. + +- Smartcard card holder verification events + + - This detects when a smartcard is being used. + +### Suspect subscription + +This adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. + +- Logon session creation for network sessions + + - Enables time-series analysis of network graphs. + +- RADIUS and VPN events + + - Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise. 
+ +- Crypto API X509 object and build chain events + + - Detects known bad certificate, CA, or sub-CA + + - Detects unusual process use of CAPI + +- Groups assigned to local logon + + - Gives visibility to groups which enable account wide access + + - Allows better planning for remediation efforts + + - Excludes well known, built-in system accounts. + +- Logon session exit + + - Specific for network logon sessions. + +- Client DNS lookup events + + - Returns what process performed a DNS query and the results returned from the DNS server. + +- Process exit + + - Enables checking for processes terminating unexpectedly. + +- Local credential validation or logon with explicit credentials + + - Generated when the local SAM is authoritative for the account credentials being authenticated. + + - Noisy on domain controllers + + - On client devices this is only generated when local accounts log on. + +- Registry modification audit events + + - Only when a registry value is being created, modified, or deleted. + +- Wireless 802.1x authentication + + - Detect wireless connection with a peer MAC address + +- Windows PowerShell logging + + - Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell. + + - Includes Windows PowerShell remoting logging + +- User Mode Driver Framework “Driver Loaded” event + + - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. + +## Appendix A - Minimum recommended minimum audit policy + + +If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions. 
+ +| Category | Subcategory | Audit settings | +|--------------------|---------------------------------|---------------------| +| Account Logon | Credential Validation | Success and Failure | +| Account Management | Security Group Management | Success and Failure | +| Account Management | User Account Management | Success and Failure | +| Account Management | Computer Account Management | Success and Failure | +| Account Management | Other Account Management Events | Success and Failure | +| Detailed Tracking | Process Creation | Success | +| Detailed Tracking | Process Termination | Success | +| Logon/Logoff | User/Device Claims | Not configured | +| Logon/Logoff | IPsec Extended Mode | Not configured | +| Logon/Logoff | IPsec Quick Mode | Not configured | +| Logon/Logoff | Logon | Success and Failure | +| Logon/Logoff | Logoff | Success | +| Logon/Logoff | Other Logon/Logoff Events | Success and Failure | +| Logon/Logoff | Special Logon | Success and Failure | +| Logon/Logoff | Account Lockout | Success | +| Object Access | Application Generated | Not configured | +| Object Access | File Share | Success | +| Object Access | File System | Not configured | +| Object Access | Other Object Access Events | Not configured | +| Object Access | Registry | Not configured | +| Object Access | Removable Storage | Success | +| Policy Change | Audit Policy Change | Success and Failure | +| Policy Change | MPSSVC Rule-Level Policy Change | Success and Failure | +| Policy Change | Other Policy Change Events | Success and Failure | +| Policy Change | Authentication Policy Change | Success and Failure | +| Policy Change | Authorization Policy Change | Success and Failure | +| Privilege Use | Sensitive Privilege Use | Not configured | +| System | Security State Change | Success and Failure | +| System | Security System Extension | Success and Failure | +| System | System Integrity | Success and Failure | + +  + +## Appendix B - Recommended minimum registry system ACL policy + + 
+The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. + +This can easily be extended to other Auto-Execution Start Points keys in the registry. + +Use the following figures to see how you can configure those registry keys. + +![default acl for run key](images/runkey.png)![default acl for runonce key](images/runoncekey.png) + +## Appendix C - Event channel settings (enable and channel access) methods + + +Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. + +The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device. + +The following GPO snippet performs the following: + +- Enables the **Microsoft-Windows-Capi2/Operational** event channel. + +- Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. + +- Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100MB. + +- Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. + +- Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. + +- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. + +![configure event channels](images/capi-gpo.png) + +## Appendix D - Minimum GPO for WEF Client configuration + + +Here are the minimum steps for WEF to operate: + +1. Configure the collector URI(s). + +2. Start the WinRM service. + +3. 
Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. + +![configure the wef client](images/wef-client-config.png) + +## Appendix E – Annotated baseline subscription event query + + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + *[EventData[Data[1]="S-1-5-18"]] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Appendix F – Annotated Suspect Subscription Event Query + + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +*[EventData[Data[@Name="QueryOptions"]="140737488355328"]] + +*[EventData[Data[@Name="QueryResults"]=""]] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Appendix G - Online resources + + +You can get more info with the following links: + +- [Event Selection](http://msdn.microsoft.com/library/aa385231(VS.85).aspx) + +- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427(VS.90).aspx) + +- [Event Query Schema](http://msdn.microsoft.com/library/aa385760(VS.85).aspx) + +- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md new file mode 100644 index 0000000000..84909d2ff2 --- /dev/null +++ b/windows/keep-secure/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md 
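Review bot: In use-windows-event-forwarding-to-assist-in-instrusion-detection.md, Appendix A lists "Object Access | Registry | Not configured", yet the Baseline list collects "Registry modification events", the Suspect list collects "Registry modification audit events", and Appendix B describes the SACLs to put on the Run and RunOnce keys. Registry SACLs produce no security events unless the Object Access > Registry subcategory is enabled, so either that row should be Success or the registry bullets should say which subcategory the reader must turn on; please confirm the intended minimum. Cross-reference error in "Baseline subscription requirements": "[Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf)" points at the Suspect query; the Baseline query is Appendix E. The same section contradicts itself: "there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO" should say it is done with a scheduled task deployed through the GPO, as Appendix C describes. In the first wecutil snippet the comment "@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime" was copied from the Custom snippet and does not describe "Wecutil ss “testSubscription” /cf:Events"; and every wecutil line uses curly quotes (“ ”), which a command prompt does not treat as quotes, so use straight quotes. The Appendix E and F code blocks as shown in this hunk contain only bare XPath fragments (`*[EventData[Data[1]="S-1-5-18"]]` and the two QueryOptions/QueryResults lines); the annotated `<Query>` elements the text promises are absent, so check that the XML is actually in the committed file and not stripped as HTML. The second subscription is called "Suspect" in some places and "Targeted" in others; pick one. Typos: "two different of subscriptions", "known patterns manner", "Event Ciewer", the doubled "Minimum recommended minimum audit policy" in both the Appendix A heading and its links, "These are only minimum values need to meet", and "instrusion" in the filename itself, which will be awkward to fix later once it is linked.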
@@ -0,0 +1,137 @@ +--- +title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. +ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Admin Approval Mode for the Built-in Administrator account + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. + +## Reference + + +This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. + +When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**. + +**Note**   +If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. 
+ +  + +### Possible values + +- Enabled + + The built-in administrator account logs on in Admin Approval Mode so that any operation that requires elevation of privilege displays a prompt that provides the administrator the option to permit or deny the elevation of privilege. + +- Disabled + + The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. + +### Best practices + +- Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC). + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of the Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways: + +- If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. + +- If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted. + +### Countermeasure + +Enable the **User Account Control: Admin Approval Mode for the Built-in Administrator account** setting if you have the built-in Administrator account enabled. 
+ +### Potential impact + +Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md new file mode 100644 index 0000000000..3dea249901 --- /dev/null +++ b/windows/keep-secure/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md 
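Review bot: In the Admin Approval Mode for the Built-in Administrator topic, "the built-in Administrator account logs on in Windows XP Mode" (used in the Reference paragraph and again under the Disabled value) is the wrong term: Windows XP Mode is the Virtual PC feature, while what this value means is that the built-in Administrator logs on with a full administrator access token rather than a UAC-filtered one. Suggest "logs on with a full administrator access token, and it runs all applications by default with full administrative privileges" in both places. In the Vulnerability section, "One of the risks of the User Account Control (UAC) feature is that it is intended to mitigate malicious software..." inverts the meaning; the sibling topics in this change phrase it correctly as "One of the risks that the UAC feature tries to mitigate is that of malicious software...". The clause "because that user account was created for all installations of the Windows" also needs a grammar fix ("because that account exists on every Windows installation"). Finally, Restart requirement says "device restart" here but "computer restart" in the other UAC topics; pick one wording.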
@@ -0,0 +1,171 @@ +--- +title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop (Windows 10) +description: Describes the best practices, location, values, and security considerations for the User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. +ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. + +## Reference + + +This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user. + +**Note**   +This setting does not change the behavior of the UAC elevation prompt for administrators. + +  + +**Background** + +User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. + +Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. 
When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + +However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. + +If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + +1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer. + +2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + + 1. %ProgramFiles% and its subdirectories. + + 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. + +**Resulting behavior** + +When this setting is enabled, UIAccess programs (including Windows Remote Assistance) can automatically disable the secure desktop for elevation prompts. Unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. 
The prompts also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + +If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + +### Possible values + +- Enabled + + UIA programs can automatically disable the secure desktop for elevation prompts, and unless you have also disabled elevation prompts, the prompts appear on the interactive user's desktop instead of on the secure desktop. Prompts will also appear on the remote administrator's view of the desktop during a Windows Remote Assistance session, and the remote administrator can provide the appropriate credentials for elevation. + +- Disabled + + The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting. + +### Best practices + +- Best practices are dependent on your security policies and your remote operational requirements. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +### Policy interactions + +If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. 
Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: + +- ..\\Program Files\\ (and subfolders) + +- ..\\Program Files (x86)\\ (and subfolders, in 64-bit versions of Windows only) + +- ..\\Windows\\System32\\ + +The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it is used primarily in certain Windows Remote Assistance scenarios. + +### Countermeasure + +Disable the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** setting. + +### Potential impact + +If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + 
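Review bot: The protected-path list in the Vulnerability section of the UIAccess secure desktop topic ("..\\Program Files\\", "..\\Program Files (x86)\\", "..\\Windows\\System32\\") does not agree with the list given earlier in the same topic under Background ("%ProgramFiles% and its subdirectories" and "%WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access"); one of the two is wrong, and a reader checking where UIAccess binaries may live should not get two different answers from one page. The Group Policy subsection says "All auditing capabilities are integrated in Group Policy", which is boilerplate from the audit-policy topics; this is a Security Options setting, so the sentence should say that this policy setting can be configured, deployed and managed through GPMC or the Local Security Policy snap-in. The Policy interactions paragraph also repeats verbatim the "If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop..." sentence from Resulting behavior; one copy is enough.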
diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md new file mode 100644 index 0000000000..d60ccc6dc6 --- /dev/null +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md 
@@ -0,0 +1,151 @@ +--- +title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. +ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. + +## Reference + + +This policy setting determines the behavior of the elevation prompt for accounts that have administrative credentials. + +### Possible values + +- **Elevate without prompting** + + Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. + + **Note**   + Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + +   + +- **Prompt for credentials on the secure desktop** + + When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + +- **Prompt for consent on the secure desktop** + + When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. 
If the user selects **Permit**, the operation continues with the user's highest available privilege. + +- **Prompt for credential**s + + An operation that requires elevation of privilege prompts the administrator to type the user name and password. If the administrator enters valid credentials, the operation continues with the applicable privilege. + +- **Prompt for consent** + + An operation that requires elevation of privilege prompts the administrator to select **Permit** or **Deny**. If the administrator selects **Permit**, the operation continues with the administrator's highest available privilege. + +- **Prompt for consent for non-Windows binaries** + + This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + +### Best practices + +- Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Prompt for consent for non-Windows binaries

DC Effective Default Settings

Prompt for consent for non-Windows binaries

Member Server Effective Default Settings

Prompt for consent for non-Windows binaries

Client Computer Effective Default Settings

Prompt for consent for non-Windows binaries

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations, and it permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so. + +### Countermeasure + +Configure the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** setting to **Prompt for consent**. + +### Potential impact + +Administrators should be made aware that they will be prompted for consent when all binaries attempt to run. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md new file mode 100644 index 0000000000..38d421d5f1 --- /dev/null +++ b/windows/keep-secure/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md 
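Review bot: In the elevation prompt for administrators in Admin Approval Mode topic, the bold markup on the fourth value is broken: "**Prompt for credential**s" leaves the trailing "s" outside the bold span, so it renders as "Prompt for credential s"; it should be "**Prompt for credentials**" to match the other values. The Potential impact sentence "Administrators should be made aware that they will be prompted for consent when all binaries attempt to run" overstates the effect: with Prompt for consent, as the value description above it says, the prompt appears only for "an operation that requires elevation of privilege", not whenever any binary runs, so "whenever a program requests elevation of privilege" is the accurate wording. The Group Policy subsection again carries the "All auditing capabilities are integrated in Group Policy" boilerplate that does not apply to this Security Options setting.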
@@ -0,0 +1,136 @@ +--- +title: User Account Control Behavior of the elevation prompt for standard users (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for standard users security policy setting. +ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Behavior of the elevation prompt for standard users + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. + +## Reference + + +This policy setting determines the behavior of the elevation prompt for standard users. + +### Possible values + +- **Automatically deny elevation requests** + + This option returns an “Access denied” error message to standard users when they try to perform an operation that requires elevation of privilege. Most organizations that run desktops as standard users configure this policy to reduce Help Desk calls. + +- **Prompt for credentials on the secure desktop** + + This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +- **Prompt for credentials** + + An operation that requires elevation of privilege prompts the user to type an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +### Best practices + +1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. 
This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. + +2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Prompt for credentials on the secure desktop

DC Effective Default Settings

Prompt for credentials on the secure desktop

Member Server Effective Default Settings

Prompt for credentials on the secure desktop

Client Computer Effective Default Settings

Prompt for credentials on the secure desktop

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +One of the risks that the UAC feature tries to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations, and it requires that the user supply administrative credentials for the program to run. + +### Countermeasure + +Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. + +### Potential impact + +Users must provide administrative passwords to run programs with elevated privileges. 
This could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md new file mode 100644 index 0000000000..53b4161dd7 --- /dev/null +++ b/windows/keep-secure/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
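Review bot: In the elevation prompt for standard users topic, the Countermeasure paragraph repeats the two Best practices items almost word for word ("Configure ... to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account..." and the "standard users should not have knowledge of administrative passwords" sentence); cut the duplication or have the Countermeasure refer back to Best practices. The Vulnerability section says this setting "requires that the user supply administrative credentials for the program to run", but the recommended value, Automatically deny elevation requests, never asks for credentials and, per the Possible values list, "returns an 'Access denied' error message"; the Vulnerability text should describe that value, with the credential prompt as the alternative. The Group Policy subsection's "All auditing capabilities are integrated in Group Policy" is boilerplate from the audit topics; this setting is not an audit policy.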
@@ -0,0 +1,130 @@ +--- +title: User Account Control Detect application installations and prompt for elevation (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Detect application installations and prompt for elevation security policy setting. +ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Detect application installations and prompt for elevation + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. + +## Reference + + +This policy setting determines the behavior of application installation detection for the entire system. + +Some software might attempt to install itself after being given permission to run. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This security policy provides another way to identify and stop these attempted software installations before they can do damage. + +### Possible values + +- **Enabled** + + Application installation packages that require an elevation of privilege to install are detected and the user is prompted for administrative credentials. + +- **Disabled** + + Application installation packages that require an elevation of privilege to install are not detected and the user is not prompted for administrative credentials. + +### Best practices + +1. Installer detection is unnecessary when enterprises run standard user desktops that capitalize on delegated installation technologies like Group Policy Software Install (GPSI) or Configuration Manager. Therefore you can set this security policy to **Disabled**. + +2. 
Enable the **User Account Control: Detect application installations and prompt for elevation** setting so standard users must provide administrative credentials before software is installed. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Some malicious software might attempt to install itself after being given permission to run, for example, malicious software with a trusted application shell. The user may give permission for the program to run because the program is trusted. Then the user is prompted to install an unknown component. This policy provides another way to trap the software before it can do damage. + +### Countermeasure + +Enable the **User Account Control: Detect application installations and prompt for elevation** setting. + +### Potential impact + +Users must provide administrative passwords to install programs. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md new file mode 100644 index 0000000000..94fac9972b --- /dev/null +++ b/windows/keep-secure/user-account-control-only-elevate-executables-that-are-signed-and-validated.md 
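Review bot: The two Best practices items in the Detect application installations topic read as contradictory: item 1 says to set the policy to **Disabled** when standard-user desktops rely on GPSI or Configuration Manager, and item 2 says to enable it, with no qualifier. Make the enabled state the default recommendation and the delegated-installation case the exception, for example "Enable the ... setting so standard users must provide administrative credentials before software is installed. Installer detection is unnecessary when ... you can set this security policy to **Disabled**", or fold both into one item. Also, the Enabled value says "the user is prompted for administrative credentials", but for an administrator in Admin Approval Mode the prompt is for consent, as the neighboring topic describes; "prompted for elevation" covers both cases. Restart requirement says "device restart" here while the neighboring topics say "computer restart".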
@@ -0,0 +1,138 @@ +--- +title: User Account Control Only elevate executables that are signed and validated (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting. +ms.assetid: 64950a95-6985-4db6-9905-1db18557352d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Only elevate executables that are signed and validated + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. + +## Reference + + +This policy setting enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. You can control the apps that are allowed to run through the population of certificates in the local computer's Trusted Publishers store. + +A trusted publisher is a certificate issuer that the computer’s user has chosen to trust and that has certificate details that have been added to the store of trusted publishers. + +Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they are owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from a number of different certification authorities (CAs). 
+ +When certificate path discovery is initiated, Windows attempts to locate the issuing CA for the certificates, and it builds a certificate path to the trusted root certificate. Intermediate certificates are included as part of the application protocol or are picked up from Group Policy or through URLs that are specified in the Authority Information Access (AIA) extension. When the path is built, each certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. + +### Possible values + +- **Enabled** + + Enforces the PKI certificate chain validation of a given executable file before it is permitted to run. + +- **Disabled** + + Does not enforce PKI certificate chain validation before a given executable file is permitted to run. + +### Best practices + +- Best practices are dependent on your security and performance goals. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Intellectual property, personally identifiable information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised. + +### Countermeasure + +Enable the **User Account Control: Only elevate executables that are signed and validated**. + +### Potential impact + +Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications are not signed, and they cannot be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. 
+ +Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting is not an assurance that all rogue applications will be found. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md new file mode 100644 index 0000000000..c6776e5433 --- /dev/null +++ b/windows/keep-secure/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md 
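Review bot: The "Countermeasure" sentence "Enable the **User Account Control: Only elevate executables that are signed and validated**." is missing the word "setting" after the bold name, unlike the other topics in this patch. The "Best practices" entry ("Best practices are dependent on your security and performance goals") gives the reader nothing; at minimum it should restate the prerequisites already given under "Potential impact" (a PKI, a Trusted Publishers store populated with the allowed applications' certificates, and pre-production testing for unsigned older applications). The "Group Policy" paragraph ("All auditing capabilities are integrated in Group Policy") is boilerplate from the auditing topics and does not apply to a security option; reword to "This setting can be configured, deployed, and managed in the Group Policy Management Console (GPMC)...". Minor: "PKI infrastructure" expands to "public key infrastructure infrastructure", and this topic's policy name ("Only elevate executables...") differs from the section title "Only elevate executable files..." in user-account-control-security-policy-settings.md in this patch.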
@@ -0,0 +1,169 @@ +--- +title: User Account Control Only elevate UIAccess applications that are installed in secure locations (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate UIAccess applications that are installed in secure locations security policy setting. +ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Only elevate UIAccess applications that are installed in secure locations + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. + +## Reference + + +This policy setting enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system. Relatively secure locations are limited to the following directories: + +- \\Program Files\\ including subdirectories + +- \\Windows\\system32\\ + +- \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows + +**Note**   +Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting. + +  + +**Background** + +User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. 
+ +Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. + +However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. + +If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. + +1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local device + +2. The application must be installed in a local folder that is writeable only by administrators, such as the Program Files directory. The allowed directories for UI automation applications are: + + 1. %ProgramFiles% and its subdirectories. + + 2. %WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access. + +### Possible values + +- **Enabled** + + An application can start with UIAccess integrity only if it resides in a secure location in the file system. 
+ +- **Disabled** + + An application can start with UIAccess integrity even if it does not reside in a secure location in the file system. + +### Best practices + +- Set this policy to **Enabled** to permit applications that are located in one of the designated secure directories to run with UIAccess integrity. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they aresaved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms, but it is not required by most applications. A process that is started with UIAccess rights has the following abilities: + +- Set the foreground window. + +- Drive any application window by using the SendInput function. + +- Use read input for all integrity levels by using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. + +- Set journal hooks. + +- Use AttachThreadInput to attach a thread to a higher integrity input queue. + +### Countermeasure + +Enable the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** setting. 
+ +### Potential impact + +If the application that requests UIAccess meets the UIAccess setting requirements, computers running at least the Windows Vista operating system start the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md new file mode 100644 index 0000000000..71d4e00483 --- /dev/null +++ b/windows/keep-secure/user-account-control-overview.md 
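Review bot: The two lists of secure locations in the "Reference" section disagree: the first limits the Windows directory to "\\Windows\\system32\\" only, while the numbered list under "Background" allows "%WinDir% and its subdirectories, except a few subdirectories that are excluded because standard users have write access"; reconcile them so the reader knows which rule is enforced. Typo in "Restart requirement": "aresaved" should be "are saved". In the "Vulnerability" bullets, "Use read input for all integrity levels" is garbled (suggest "Read input from all integrity levels"), and please verify the API name "GetKeyboardInput"; GetKeyState and GetAsyncKeyState in the same bullet are real user32 functions, but the keyboard-state query is documented as GetKeyboardState.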
@@ -0,0 +1,74 @@ +--- +title: User Account Control (Windows 10) +description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. +ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control + + +**Applies to** + +- Windows 10 + +User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. + +## + + +UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. + +Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account. + +When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. 
This enables the user to have explicit control of apps that are making system level changes to their computer or device. + +## Practical applications + + +Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. + +## New and changed functionality + + +To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[How User Account Control works](how-user-account-control-works.md)

User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.

[User Account Control security policy settings](user-account-control-security-policy-settings.md)

You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md new file mode 100644 index 0000000000..9219e967ee --- /dev/null +++ b/windows/keep-secure/user-account-control-run-all-administrators-in-admin-approval-mode.md 
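Review bot: There is an empty heading ("## " with no text) between the introductory paragraph and "UAC allows all users to log on to their computers using a standard user account."; either give it a title such as "How UAC works" or drop it so the paragraph stays under the page title. Also "UAC can restore additional user groups to the token" does not say which token; the preceding paragraphs talk about the standard user token, so "to the user's access token" would make the sentence self-contained.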
@@ -0,0 +1,135 @@ +--- +title: User Account Control Run all administrators in Admin Approval Mode (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Run all administrators in Admin Approval Mode security policy setting. +ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Run all administrators in Admin Approval Mode + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. + +## Reference + + +This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This is the setting that turns UAC on or off. + +### Possible values + +- **Enabled** + + Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires restarting the system. + +- **Disabled** + + Admin Approval Mode and all related UAC policies are disabled. + + **Note**   + If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. + +   + +### Best practices + +- Enable this policy to allow all other UAC features and policies to function. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer. + +### Countermeasure + +Enable the **User Account Control: Run all users, including administrators, as standard users** setting. + +### Potential impact + +Users and administrators must learn to work with UAC prompts and adjust their work habits to use least privilege operations. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-security-policy-settings.md b/windows/keep-secure/user-account-control-security-policy-settings.md new file mode 100644 index 0000000000..4b14dad1b3 --- /dev/null +++ b/windows/keep-secure/user-account-control-security-policy-settings.md 
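Review bot: The "Countermeasure" names the wrong policy: "Enable the **User Account Control: Run all users, including administrators, as standard users** setting" does not match this topic's policy, "User Account Control: Run all administrators in Admin Approval Mode", and no setting by that name appears anywhere else in the patch. In the same hunk the "Group Policy" paragraph ("All auditing capabilities are integrated in Group Policy") is boilerplate from the auditing topics and not relevant to this setting. Note also that user-account-control-security-policy-settings.md in this patch calls this setting "User Account Control: Turn on Admin Approval Mode"; the two names should agree.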
@@ -0,0 +1,138 @@ +--- +title: User Account Control security policy settings (Windows 10) +description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. +ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control security policy settings + + +**Applies to** + +- Windows 10 + +You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. + +## User Account Control: Admin Approval Mode for the Built-in Administrator account + + +This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. + +- **Enabled** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. + +- **Disabled** (Default) The built-in Administrator account runs all applications with full administrative privilege. + +## User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop + + +This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + +- **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. 
+ +- **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + +## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + + +This policy setting controls the behavior of the elevation prompt for administrators. + +- **Elevate without prompting** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + + **Note**  Use this option only in the most constrained environments. + +   + +- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + +- **Prompt for consent on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +- **Prompt for credentials** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +- **Prompt for consent** When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +- **Prompt for consent for non-Windows binaries** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. + +## User Account Control: Behavior of the elevation prompt for standard users + + +This policy setting controls the behavior of the elevation prompt for standard users. + +- **Prompt for credentials** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +- **Automatically deny elevation requests** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. + +- **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +## User Account Control: Detect application installations and prompt for elevation + + +This policy setting controls the behavior of application installation detection for the computer. + +- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + + + +- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. 
+ +## User Account Control: Only elevate executable files that are signed and validated + + +This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + +- **Enabled** Enforces the certificate certification path validation for a given executable file before it is permitted to run. + +- **Disabled** (Default) Does not enforce the certificate certification path validation before a given executable file is permitted to run. + +## User Account Control: Only elevate UIAccess applications that are installed in secure locations + + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows + +**Note**   +Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +  + +- **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity. + +- **Disabled** An app runs with UIAccess integrity even if it does not reside in a secure location in the file system. + +## User Account Control: Turn on Admin Approval Mode + + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +- **Enabled** (Default) Admin Approval Mode is enabled. 
This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + +- **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + +## User Account Control: Switch to the secure desktop when prompting for elevation + + +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + +- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. + +- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. + +## User Account Control: Virtualize file and registry write failures to per-user locations + + +This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. + +- **Enabled** (Default) App write failures are redirected at run time to defined user locations for both the file system and registry. + +- **Disabled** Apps that write data to protected locations fail. + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md new file mode 100644 index 0000000000..e5bebae839 --- /dev/null 
+++ b/windows/keep-secure/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md 
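Review bot: In the "Only elevate UIAccess applications that are installed in secure locations" section the three secure-location bullets are run onto one line ("Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\ ..."); they need line breaks to render as a list. In the same section, "**Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity" inverts the condition: the dedicated topic in this patch says an application can start with UIAccess integrity only if it resides in a secure location, so reword to match. Two section titles also disagree with the dedicated topics: "Only elevate executable files that are signed and validated" vs "Only elevate executables that are signed and validated", and "Turn on Admin Approval Mode" vs "Run all administrators in Admin Approval Mode".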
@@ -0,0 +1,134 @@ +--- +title: User Account Control Switch to the secure desktop when prompting for elevation (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Switch to the secure desktop when prompting for elevation security policy setting. +ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Switch to the secure desktop when prompting for elevation + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. + +## Reference + + +This policy setting determines whether the elevation request prompts on the interactive user desktop or on the secure desktop. + +The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. + +The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. + +### Possible values + +- **Enabled** + + All elevation requests by default go to the secure desktop. + +- **Disabled** + + All elevation requests go to the interactive user desktop. + +### Best practices + +- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. 
+ +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Elevation prompt dialog boxes can be spoofed, causing users to disclose their passwords to malicious software. Mouse cursors can be spoofed by hiding the real cursor and replacing it with an offset so the cursor is actually pointing to the **Allow** button. + +### Countermeasure + +Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md new file mode 100644 index 0000000000..72e15ea4d5 --- /dev/null +++ b/windows/keep-secure/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md 
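Review bot: In "Best practices" and "Countermeasure" the word "setting" sits inside the bold policy name ("**User Account Control: Switch to the secure desktop when prompting for elevation setting**"); move it outside the asterisks as the other topics in this patch do. In "Vulnerability" the spoofed cursor is described as pointing to the "**Allow**" button, but the elevation prompt options described in user-account-control-security-policy-settings.md in this patch are "Permit" and "Deny"; use the same button name. The "Group Policy" paragraph again repeats "All auditing capabilities are integrated in Group Policy", which is auditing boilerplate and should be reworded for a security option.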
@@ -0,0 +1,134 @@ +--- +title: User Account Control Virtualize file and registry write failures to per-user locations (Windows 10) +description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Virtualize file and registry write failures to per-user locations security policy setting. +ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Account Control: Virtualize file and registry write failures to per-user locations + + +**Applies to** + +- Windows 10 + +Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. + +## Reference + + +This policy setting enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKEY\_LOCAL\_MACHINE\\Software\\. + +This feature can be disabled for applications on devices running at least Windows Vista because it is unnecessary. + +### Possible values + +- **Enabled** + + Setting this value facilitates the runtime redirection of application write failures to defined user locations for the file system and the registry. + +- **Disabled** + + Applications that write data to protected locations fail. + +### Best practices + +1. If you run applications that are not Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. + +2. If you only run at least Windows Vista–compliant applications, this feature is unnecessary so you can disable this policy. 
+ +### Location + +\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +  + +## Policy management + + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + +### Group Policy + +All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + +## Security considerations + + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Earlier applications might not write data to secure locations. + +### Countermeasure + +Enable the **User Account Control: Virtualize file and registry write failures to per-user locations** setting. + +### Potential impact + +None. This is the default configuration. + +## Related topics + + +[Security Options](security-options.md) + +  + +  + + + + + diff --git a/windows/keep-secure/user-rights-assignment.md b/windows/keep-secure/user-rights-assignment.md new file mode 100644 index 0000000000..7b4f1dff2f --- /dev/null +++ b/windows/keep-secure/user-rights-assignment.md 
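Review bot: Best practice 1 contradicts the Reference paragraph. The Reference describes the setting as redirecting the write failures of older applications to per-user locations, but the best practice says to enable it "to prevent the possibility that these older applications could write data to unsecure locations". Enabling virtualization does not stop writes to %ProgramFiles% or HKLM\Software (the Disabled entry itself says such writes fail); it redirects the failed writes so the legacy app keeps working. Suggest "enable this policy so that these older applications continue to work without being granted write access to protected locations". Also, "This feature can be disabled for applications on devices running at least Windows Vista" reads as if the setting were per application; it is machine-wide, so "disabled on devices that run only Windows Vista-compliant applications" is clearer. The Group Policy subsection again carries the auditing boilerplate ("All auditing capabilities are integrated in Group Policy") that does not belong in a UAC topic.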
@@ -0,0 +1,233 @@ +--- +title: User Rights Assignment (Windows 10) +description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. +ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# User Rights Assignment + + +**Applies to** + +- Windows 10 + +Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. + +User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item. + +Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). + +For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). + +The following table links to each security policy setting and provides the constant name for each. 
Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Group Policy SettingConstant Name

[Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md)

SeTrustedCredManAccessPrivilege

[Access this computer from the network](access-this-computer-from-the-network.md)

SeNetworkLogonRight

[Act as part of the operating system](act-as-part-of-the-operating-system.md)

SeTcbPrivilege

[Add workstations to domain](add-workstations-to-domain.md)

SeMachineAccountPrivilege

[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md)

SeIncreaseQuotaPrivilege

[Allow log on locally](allow-log-on-locally.md)

SeInteractiveLogonRight

[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)

SeRemoteInteractiveLogonRight

[Back up files and directories](back-up-files-and-directories.md)

SeBackupPrivilege

[Bypass traverse checking](bypass-traverse-checking.md)

SeChangeNotifyPrivilege

[Change the system time](change-the-system-time.md)

SeSystemtimePrivilege

[Change the time zone](change-the-time-zone.md)

SeTimeZonePrivilege

[Create a pagefile](create-a-pagefile.md)

SeCreatePagefilePrivilege

[Create a token object](create-a-token-object.md)

SeCreateTokenPrivilege

[Create global objects](create-global-objects.md)

SeCreateGlobalPrivilege

[Create permanent shared objects](create-permanent-shared-objects.md)

SeCreatePermanentPrivilege

[Create symbolic links](create-symbolic-links.md)

SeCreateSymbolicLinkPrivilege

[Debug programs](debug-programs.md)

SeDebugPrivilege

[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)

SeDenyNetworkLogonRight

[Deny log on as a batch job](deny-log-on-as-a-batch-job.md)

SeDenyBatchLogonRight

[Deny log on as a service](deny-log-on-as-a-service.md)

SeDenyServiceLogonRight

[Deny log on locally](deny-log-on-locally.md)

SeDenyInteractiveLogonRight

[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)

SeDenyRemoteInteractiveLogonRight

[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)

SeEnableDelegationPrivilege

[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md)

SeRemoteShutdownPrivilege

[Generate security audits](generate-security-audits.md)

SeAuditPrivilege

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md)

SeImpersonatePrivilege

[Increase a process working set](increase-a-process-working-set.md)

SeIncreaseWorkingSetPrivilege

[Increase scheduling priority](increase-scheduling-priority.md)

SeIncreaseBasePriorityPrivilege

[Load and unload device drivers](load-and-unload-device-drivers.md)

SeLoadDriverPrivilege

[Lock pages in memory](lock-pages-in-memory.md)

SeLockMemoryPrivilege

[Log on as a batch job](log-on-as-a-batch-job.md)

SeBatchLogonRight

[Log on as a service](log-on-as-a-service.md)

SeServiceLogonRight

[Manage auditing and security log](manage-auditing-and-security-log.md)

SeSecurityPrivilege

[Modify an object label](modify-an-object-label.md)

SeRelabelPrivilege

[Modify firmware environment values](modify-firmware-environment-values.md)

SeSystemEnvironmentPrivilege

[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md)

SeManageVolumePrivilege

[Profile single process](profile-single-process.md)

SeProfileSingleProcessPrivilege

[Profile system performance](profile-system-performance.md)

SeSystemProfilePrivilege

[Remove computer from docking station](remove-computer-from-docking-station.md)

SeUndockPrivilege

[Replace a process level token](replace-a-process-level-token.md)

SeAssignPrimaryTokenPrivilege

[Restore files and directories](restore-files-and-directories.md)

SeRestorePrivilege

[Shut down the system](shut-down-the-system.md)

SeShutdownPrivilege

[Synchronize directory service data](synchronize-directory-service-data.md)

SeSyncAgentPrivilege

[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)

SeTakeOwnershipPrivilege

+ +  + +## Related topics + + +[Security policy settings reference](security-policy-settings-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md new file mode 100644 index 0000000000..30c91a3be8 --- /dev/null +++ b/windows/keep-secure/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
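Review bot: the topic description (front matter and the first body sentence) reads "information about the User Rights Assignment security policy settings user rights that are available in Windows", which has a stray "user rights" after "settings"; "the user rights that are available as security policy settings under User Rights Assignment" is what is meant. In the intro paragraph, "User rights include logon rights and permissions" followed by "User rights permissions control access..." uses "permissions" for what the table's constant names call privileges (SeBackupPrivilege, SeDebugPrivilege, and so on) as opposed to logon rights (SeInteractiveLogonRight); calling the second category privileges would match the table and avoid confusion with object permissions (ACLs), which the same sentence says user rights can override.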
@@ -0,0 +1,96 @@ +--- +title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10) +description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. +ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Using advanced security auditing options to monitor dynamic access control objects + + +**Applies to** + +- Windows 10 + +This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. + +These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](http://technet.microsoft.com/library/hh831542.aspx). + +## In this guide + + +Domain administrators can create and deploy expression-based security audit policies by using file classification information (resource attributes), user claims, and device claims to target specific users and resources to monitor potentially significant activities on one or more computers. These policies can be deployed centrally by using Group Policy, or directly on a computer, in a folder, or in individual files. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md)

This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management.

[Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md)

This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.

[Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)

This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md)

This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.

[Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)

This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)

This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)

This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.

[Monitor claim types](monitor-claim-types.md)

This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.

+ +  + +**Important**   +This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. + +  + +## Related topics + + +[Security auditing](security-auditing-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md new file mode 100644 index 0000000000..ae4dc7e8a1 --- /dev/null +++ b/windows/keep-secure/using-event-viewer-with-applocker.md 
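Review bot: the Important note after the table ("This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.") has no antecedent for "This procedure"; it follows a table of eight topics, so the reader cannot tell which one is exempt from the dynamic access control prerequisite. Name the topic it applies to, or move the note into that topic's row. Style: every row's description repeats "when you are using advanced security auditing options to monitor dynamic access control objects", which is the page title; trimming that clause would make the table scannable.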
@@ -0,0 +1,175 @@ +--- +title: Using Event Viewer with AppLocker (Windows 10) +description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. +ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Using Event Viewer with AppLocker + + +**Applies to** + +- Windows 10 + +This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. + +The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: + +- Which file is affected and the path of that file + +- Which packaged app is affected and the package identifier of the app + +- Whether the file or packaged app is allowed or blocked + +- The rule type (path, file hash, or publisher) + +- The rule name + +- The security identifier (SID) for the user or group identified in the rule + +Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). + +For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + +**To review the AppLocker log in Event Viewer** + +1. Open Event Viewer. + +2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**. + +The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Event IDLevelEvent messageDescription

8000

Error

Application Identity Policy conversion failed. Status <%1>

Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.

8001

Information

The AppLocker policy was applied successfully to this computer.

Indicates that the AppLocker policy was successfully applied to the computer.

8002

Information

<File name> was allowed to run.

Specifies that the .exe or .dll file is allowed by an AppLocker rule.

8003

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.

8004

Error

<File name> was not allowed to run.

Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.

8005

Information

<File name> was allowed to run.

Specifies that the script or .msi file is allowed by an AppLocker rule.

8006

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.

8007

Error

<File name> was not allowed to run.

Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.

8007

Error

AppLocker disabled on the SKU.

Added in Windows Server 2012 and Windows 8.

8020

Information

Packaged app allowed.

Added in Windows Server 2012 and Windows 8.

8021

Information

Packaged app audited.

Added in Windows Server 2012 and Windows 8.

8022

Information

Packaged app disabled.

Added in Windows Server 2012 and Windows 8.

8023

Information

Packaged app installation allowed.

Added in Windows Server 2012 and Windows 8.

8024

Information

Packaged app installation audited.

Added in Windows Server 2012 and Windows 8.

8025

Warning

Packaged app installation disabled.

Added in Windows Server 2012 and Windows 8.

8027

Warning

No Packaged app rule configured.

Added in Windows Server 2012 and Windows 8.

+ +  + +## Related topics + + +[Tools to use with AppLocker](tools-to-use-with-applocker.md) + +  + +  + + + + + diff --git a/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md new file mode 100644 index 0000000000..ce10693cfd --- /dev/null +++ b/windows/keep-secure/using-software-restriction-policies-and-applocker-policies.md 
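Review bot: event ID 8007 appears twice in the table, once for "<File name> was not allowed to run." (script or .msi) and again for "AppLocker disabled on the SKU."; the second row needs its own ID (8008, I believe; please verify against the AppLocker event source before merging). The packaged-app rows 8020 to 8027 carry only "Added in Windows Server 2012 and Windows 8." as their description, which says when the event appeared but not what it means, unlike the 8000 to 8007 rows; a one-line description per row (which enforcement mode produces it, as the 8003 and 8006 rows state) is what someone triaging the log needs. Also, step 2 of the procedure writes the Event Viewer node as "Application and Services Logs"; the node is "Applications and Services Logs".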
@@ -0,0 +1,117 @@ +--- +title: Use Software Restriction Policies and AppLocker policies (Windows 10) +description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. +ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Use Software Restriction Policies and AppLocker policies + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. + +## Understand the difference between SRP and AppLocker + + +You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md). + +## Use SRP and AppLocker in the same domain + + +SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. 
For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). + +**Important**   +As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. + +  + +The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Operating systemTellers GPO with AppLocker policyTellers GPO with SRPTellers GPO with AppLocker policy and SRP

Windows 10, Windows 8.1, Windows 8,and Windows 7

AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.

Local AppLocker policies supersede policies generated by SRP that are applied through the GPO.

AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.

Windows Vista

AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

Windows XP

AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.

Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.

+ +  + +**Note**   +For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). + +  + +## Test and validate SRPs and AppLocker policies that are deployed in the same environment + + +Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. + +### Step 1: Test the effect of SRPs + +You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRPs by using GPOs. + +### Step 2: Test the effect of AppLocker policies + +You can test AppLocker policies by using Windows PowerShell cmdlets. For info about investigating the result of a policy, see: + +- [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md) + +- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) + +Another method to use when determining the result of a policy is to set the enforcement mode to **Audit only**. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For info about using the **Audit only** mode, see: + +[Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) + +[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) + +## See also + + +[AppLocker deployment guide](applocker-policies-deployment-guide.md) + + +  + +  + + + + + 
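Review bot: the precedence sentence in "Use SRP and AppLocker in the same domain" is ungrammatical: "when policies are generated by SRP and AppLocker exist in the same domain" should be "when policies generated by SRP and AppLocker policies exist in the same domain". In the scenario table, "Windows 8,and Windows 7" is missing a space, the Windows Vista SRP cell runs two sentences together ("...local policies generated by SRP.AppLocker policies are not applied."), and the last column alternates between "AppLocker policies are not applied" and "AppLocker policies not applied"; use the full form throughout. One substantive point worth a sentence under the Important box: the Windows 7 and later row says "Local AppLocker policies supersede policies generated by SRP that are applied through the GPO", so a machine that still has a local AppLocker policy will not honour the SRP policy pushed by the Tellers GPO; that is exactly the troubleshooting case the box warns about and deserves to be spelled out.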
diff --git a/windows/keep-secure/view-the-security-event-log.md b/windows/keep-secure/view-the-security-event-log.md new file mode 100644 index 0000000000..2ec26e4bc2 --- /dev/null +++ b/windows/keep-secure/view-the-security-event-log.md @@ -0,0 +1,33 @@ +--- +title: View the security event log (Windows 10) +description: The security log records each event as defined by the audit policies you set on each object. +ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# View the security event log + + +**Applies to** + +- Windows 10 + +The security log records each event as defined by the audit policies you set on each object. + +**To view the security log** + +1. Open Event Viewer. +2. In the console tree, expand **Windows Logs**, and then click **Security**. The results pane lists individual security events. +3. If you want to see more details about a specific event, in the results pane, click the event. + +  + +  + + + + + diff --git a/windows/keep-secure/vpn-profile-options.md b/windows/keep-secure/vpn-profile-options.md new file mode 100644 index 0000000000..6c71e30d5a --- /dev/null +++ b/windows/keep-secure/vpn-profile-options.md 
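Review bot: the procedure in view-the-security-event-log.md does not say who can open the Security log; unlike the other Windows Logs it is readable only by administrators or members of the Event Log Readers group, so a standard user following step 2 cannot open it. A sentence before the steps stating that requirement is missing documentation. Minor: the three numbered steps have no blank lines between them, unlike every other numbered list in this batch, and the opening sentence "as defined by the audit policies you set on each object" describes only object access auditing; events from the other audit categories (logon, policy change, privilege use, and so on) are recorded according to the audit policy regardless of per-object settings.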
@@ -0,0 +1,90 @@ +--- +title: VPN profile options (Windows 10) +description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. +ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# VPN profile options + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. + +## Always On + + +Always On is a new feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: + +- User sign-on + +- Network change + +When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* > **Let apps automatically use this VPN connection**. + +## App-triggered VPN + + +VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. This feature was included in Windows 8.1 as "On demand VPN". The applications can be defined using the following: + +- Package family name for Universal Windows Platform (UWP) apps + +- File path for Classic Windows applications + +## Traffic filters + + +Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy . With the ever-increasing landscape of remote threats on the corporate network and lesser IT controls on machines, it becomes essential to control the traffic that is allowed through. While server-side layers of firewalls and proxies help, by adding traffic filters the first layer of filtering can be moved onto the client with more advanced filtering on the server side. 
There are two types of Traffic Filter rules: + +- **App-based rules**. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface. + +- **Traffic-based rules**. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface. + +There can be many sets of rules which are linked by **OR**. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by **AND**. This gives the IT admins a lot of power to craft the perfect policy befitting their use case. + +## LockDown VPN + + +A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features: + +- The system attempts to keep the VPN connected at all times. + +- The user cannot disconnect the VPN connection. + +- The user cannot delete or modify the VPN profile. + +- The VPN LockDown profile uses forced tunnel connection. + +- If the VPN connection is not available, outbound network traffic is blocked. + +- Only one VPN LockDown profile is allowed on a device. + +**Note**   +For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type. + +  + +## Learn more + + +[VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588) + +[How to Create VPN Profiles in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=618028) + +[Help users connect to their work using VPN profiles with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=618029) + +  + +  + + + + + diff --git a/windows/keep-secure/what-is-applocker.md b/windows/keep-secure/what-is-applocker.md new file mode 100644 index 0000000000..28bc523226 --- /dev/null +++ b/windows/keep-secure/what-is-applocker.md 
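Review bot: in "Traffic filters" the Traffic-based rules bullet describes 5-tuple policies but lists only "(ports, addresses, protocol)"; spell out the five fields (source address, destination address, source port, destination port, protocol) so the reader knows what a rule can match on. Same section: stray space in "based on policy ." and "lesser IT controls" should be "fewer IT controls". "LockDown VPN": the heading and bullets write "LockDown" while the Note writes "Lockdown VPN"; pick one. The LockDown bullet list is the security-relevant part of the topic and should state its failure mode explicitly: because the profile uses forced tunnel and "If the VPN connection is not available, outbound network traffic is blocked", a device whose VPN server is unreachable has no outbound network access at all; that is the intended fail-closed behaviour, but admins need it called out so they plan for it.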
@@ -0,0 +1,207 @@ +--- +title: What Is AppLocker (Windows 10) +description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. +ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# What Is AppLocker? + + +**Applies to** + +- Windows 10 + +This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. + +AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + +Using AppLocker, you can: + +- Control the following types of apps: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx). + +- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. + +- Assign a rule to a security group or an individual user. + +- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe). + +- Use audit-only mode to deploy the policy and understand its impact before enforcing it. + +- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. 
If you import a policy, all criteria in the existing policy are overwritten. + +- Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets. + +AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps + +For information about the application control scenarios that AppLocker addresses, see [AppLocker policy use scenarios](applocker-policy-use-scenarios.md). + +## What features are different between Software Restriction Policies and AppLocker? + + +**Feature differences** + +The following table compares AppLocker to Software Restriction Policies. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureSoftware Restriction PoliciesAppLocker

Rule scope

All users

Specific user or group

Rule conditions provided

File hash, path, certificate, registry path, and Internet zone

File hash, path, and publisher

Rule types provided

Defined by the security levels:

+
    +
  • Disallowed

  • +
  • Basic User

  • +
  • Unrestricted

  • +

Allow and deny

Default rule action

Unrestricted

Implicit deny

Audit-only mode

No

Yes

Wizard to create multiple rules at one time

No

Yes

Policy import or export

No

Yes

Rule collection

No

Yes

Windows PowerShell support

No

Yes

Custom error messages

No

Yes

+ +  + +**Application control function differences** + +The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Application control functionSRPAppLocker

Operating system scope

SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

AppLocker policies apply only to those supported operating system versions and editions listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). But these systems can also use SRP.

+
+Note   +

Use different GPOs for SRP and AppLocker rules.

+
+
+  +

User support

SRP allows users to install applications as an administrator.

AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.

+

AppLocker permits customization of error messages to direct users to a Web page for help.

Policy maintenance

SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).

AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.

+

AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.

Policy management infrastructure

To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.

To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.

Block malicious scripts

Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.

AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.

Manage software installation

SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.

The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.

Manage all software on the computer

All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.

Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.

Different policies for different users

Rules are applied uniformly to all users on a particular device.

On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.

+ +  + +## Related topics + + +[AppLocker technical reference](applocker-technical-reference.md) + +  + +  + + + + + diff --git a/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md new file mode 100644 index 0000000000..fed78d4afa --- /dev/null +++ b/windows/keep-secure/which-editions-of-windows-support-advanced-audit-policy-configuration.md 
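Review bot: The "Default rule action" row gives SRP's default as "Unrestricted", but the "Manage all software on the computer" row says that "By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders"; as written these contradict each other, so the second row should say it describes an SRP policy whose default security level has been set to Disallowed, not the out-of-box default. The Note "Use different GPOs for SRP and AppLocker rules" in the "Operating system scope" row gives no reason; add one sentence on what happens when both rule types are in the same GPO, otherwise readers will ignore it. The same row says AppLocker systems "can also use SRP", which, combined with the Note, needs a statement of which policy wins on a device that receives both. Smaller fixes: "Rules for blocking malicious scripts prevents" should read "prevent"; the sentence ending "users running unapproved apps" lacks its period; the app-types bullet has a doubled "and" ("and DLL files (.dll and .ocx), and packaged apps"); and "each AppLocker rule collection functions as an allowed list of files" should say that this holds only for a collection that is enforced, since the page elsewhere describes an audit-only mode in which nothing is blocked.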
@@ -0,0 +1,47 @@ +--- +title: Which editions of Windows support advanced audit policy configuration (Windows 10) +description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. +ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Which editions of Windows support advanced audit policy configuration + + +**Applies to** + +- Windows 10 + +This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. + +Versions of the Windows operating system that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions. + +## Are there any special considerations? + + +In addition, the following special considerations apply to the various tasks associated with advanced security auditing enhancements: + +- **Creating an audit policy.** To create an advanced security auditing policy, you must use a computer running any supported version of Windows. You can use the Group Policy Management Console (GPMC) on a computer running a supported version of the Windows client operating system after installing the Remote Server Administration Tools. + +- **Applying audit policy settings.** If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running any supported version of the Windows server operating system or Windows client operating system. In addition, only computers running any of these supported operating systems can provide "reason for access" reporting data. 
+ +- **Developing an audit policy model.** To plan advanced security audit settings and global object access settings, you must use the GPMC that targets a domain controller running a supported version of the Windows server operating system. + +- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system. However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system. + +**Important**   +Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   + +  + +  + +  + + + + + diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md new file mode 100644 index 0000000000..b571b9abd8 --- /dev/null +++ b/windows/keep-secure/why-a-pin-is-better-than-a-password.md 
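Review bot: The topic title asks which editions of Windows support advanced audit policy configuration, but the body never names an edition: every bullet defers to "any supported version of Windows", and the only concrete statement is "Versions of the Windows operating system that cannot join a domain do not have access to these features". Add the actual list or a link to it, and say whether the limitation on non-domain-joinable editions is the Group Policy editor UI or the auditing subsystem itself, because the Important note then tells readers to set a policy under **Local Policies\\Security Options**, which implies local editing is expected. The "Distributing the audit policy" bullet ("it can be distributed by using domain controllers running any Windows Server operating system") and the "Developing an audit policy model" bullet (GPMC "that targets a domain controller running a supported version") state different requirements for two steps of one workflow; say explicitly that only the authoring step has the version requirement so the two bullets are not read as contradictory. The WMI-filtering advice should also name the criterion to filter on (for example the operating system version class), since "ensure that the advanced security auditing policy settings are applied only to client computers running a supported version" is not actionable as written.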
@@ -0,0 +1,103 @@ +--- +title: Why a PIN is better than a password (Windows 10) +description: Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . +ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 +keywords: ["pin", "security", "password"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Why a PIN is better than a password + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Microsoft Passport in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? + +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Passport PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. + +## PIN is tied to the device + + +One important difference between a password and a Passport PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! + +Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Passport on each device. + +## PIN is local to the device + + +A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. 
+ +When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. + +**Note**   +For details on how Passport uses asymetric key pairs for authentication, see [Microsoft Passport guide](http://go.microsoft.com/fwlink/p/?LinkId=691928). + +  + +## PIN is backed by hardware + + +The Passport PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. + +User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Microsoft Passport uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. + +The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. + +## PIN can be complex + + +The Passport PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. + +## What if someone steals the laptop or phone? 
+ + +To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. + +You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins. + +**Configure BitLocker without TPM** + +1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: + + **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** + +2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** + +3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect. + +**Set account lockout threshold** + +1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: + + **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold** + +2. Set the number of invalid logon attempts to allow, and then click OK. + +## Why do you need a PIN to use Windows Hello? + + +Windows Hello is the biometric sign-in for Microsoft Passport in Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using Passport when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. 
+ +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account name and password, which doesn't provide you the same level of protection as Passport. + +## Related topics + + +[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) + +[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md new file mode 100644 index 0000000000..7422955a9c --- /dev/null +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -0,0 +1,66 @@ +--- +title: Enterprise security guides (Windows 10) +description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. +ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Enterprise security guides + + +## Purpose + + +Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)

This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.

[Device Guard deployment guide](device-guard-deployment-guide.md)

Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them.

[Microsoft Passport guide](microsoft-passport-guide.md)

This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.

[Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.

[Windows 10 security overview](windows-10-security-guide.md)

This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features.

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md new file mode 100644 index 0000000000..b8fcdfb590 --- /dev/null +++ b/windows/keep-secure/windows-10-mobile-security-guide.md 
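Review bot: In the why-a-pin-is-better-than-a-password.md hunk, the "Set account lockout threshold" procedure is offered as the non-TPM substitute for "TPM anti-hammer capabilities lock the device", but it never says what happens when the threshold is reached or whether a PIN attempt counts as an "invalid logon attempt" for that policy; state the effect, and confirm that **Account Policies** > **Account Lockout Policy** is the setting intended for a BitLocker-protected device without a TPM rather than a different lockout setting. The path in that step is also broken: "**Computer Configuration** >**Windows Settings** ?**Security Settings**" has a "?" where the second ">" belongs. Typos: "enablng" (enabling), "asymetric" (asymmetric), and the description front-matter line ends "better than) a password ." with a stray space before the period. Finally, "A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server" is the central claim of the page; tie it to the following paragraph in one sentence (the PIN only unlocks the private key, and only the signed request leaves the device) so readers do not conclude the PIN is compared server-side.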
@@ -0,0 +1,637 @@ +--- +title: Windows 10 Mobile security guide (Windows 10) +description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. +ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205 +keywords: ["data protection, encryption, malware resistance, smartphone, device, Windows Store"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Windows 10 Mobile security guide + + +**Applies to** + +- Windows 10 Mobile + +This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. + +## Overview + + +Windows 10 Mobile is specifically designed for smartphones and small tablets. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. Several broad categories of security work went into Windows 10 Mobile: + +- **Identity and access control.** Microsoft has greatly enhanced identity and access control features to simplify and improve the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). (Windows Hello requires either a specialized illuminated infrared \[IR\] camera for facial recognition and iris detection or a finger print reader that supports the Windows Biometric Framework.) + +- **Data protection.** Confidential data is better protected from compromise than ever before. Windows 10 Mobile uses several data-protection technologies and delivers them in a user-friendly and IT-manageable way. 
+ +- **Malware resistance.**Windows 10 Mobile helps protect critical system resources and apps to reduce the threat of malware, including support for enterprise-grade secure hardware and Secure Boot. + +- **App platform security.** The Windows 10 Mobile enterprise-grade secure app platform provides multiple layers of security. For example, Windows Store checks all apps for malware to help prevent malware from reaching devices. In addition, AppContainer application isolation helps prevent any malicious app from compromising other apps. + +This guide explains each of these technologies and how they help protect your Windows 10 Mobile devices. + +## Identity and access control + + +A fundamental component of security is the notion that a user has a unique identity and that that identity is either allowed or denied access to resources. This notion is traditionally known as access control, which has three parts: + +- **Identification.** The user (subject) asserts a unique identity to the computer system for the purpose of accessing a resource (object), such as a file or an app. + +- **Authentication.** Authentication is the process of proving the asserted identity and verifying that the subject is indeed the subject. + +- **Authorization.** The system compares the authenticated subject’s access rights against the object’s permissions and either allows or denies the requested access. + +The way an operating system implements these components makes a difference in preventing attackers from accessing corporate data. Only users who prove their identities and are authorized to access that data can access it. In security, however, there are varying degrees of identity proof and many different requirements for authorization limits. The access control flexibility most corporate environments need presents a challenge for any operating system. Table 1 lists typical Windows access control challenges and the solutions that Windows 10 Mobile offers. + +Table 1. 
Windows 10 Mobile solutions for typical access control challenges + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Access control challengeWindows 10 Mobile solutions

Organizations frequently use passwords to authenticate users and provide access to business applications or the corporate network, because more trustworthy authentication alternatives are too complex and costly to deploy.

Windows Hello provides biometrics to identify the user and unlock the device that closely integrates with Microsoft Passport to identify, authenticate, and authorize users to access the corporate network or applications from their Windows 10 Mobile device with supporting biometric hardware.

When an organization uses smart cards, it must purchase a smart card reader, smart cards, and smart card management software. These solutions are complex and costly to implement; they also tend to delay mobile productivity.

Windows Hello with Microsoft Passport enables a simple and cost-effective MFA deployment across the organization, enhancing the business’ security stance.

Mobile device users must enter their password on a touch keyboard. Entering complex passwords in this way is error prone and less efficient than a keyboard.

Windows Hello helps enable iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors. These biometric identification options are more convenient and more efficient than password-based logon.

Users dislike the need to enter long, complex passwords to log on to corporate services, especially passwords that must change frequently. This frustration often leads to password reuse, passwords written on notepads, and weak password composition.

Microsoft Passport allows users to sign in once and gain access to corporate resources without having to re-enter complex passwords. Authentication credentials are bound to the device through a built-in Trusted Platform Module (TPM) and cannot be removed.

+ +  + +The following sections describe these challenges and solutions in more detail. + +### Microsoft Passport + +Microsoft Passport provides strong MFA, fully integrated into Windows devices, to replace passwords. To authenticate, the user must have a Microsoft Azure Active Directory (Azure AD)–registered device and either a PIN or Windows Hello biometric gesture to unlock the device. Microsoft Passport is conceptually similar to a smart card but more flexible, as it doesn’t require a public key infrastructure or the implementation of additional hardware and supports biometric identification. + +Microsoft Passport offers three significant advantages over the previous state of Windows authentication: it’s more flexible, it’s based on industry standards, and it more effectively mitigates risks. + +### It's effective + +Microsoft Passport eliminates the use of passwords for logon and so reduces the risk that an attacker will steal and reuse a user’s credentials. User key material, which includes the user’s private key, is available only on the device that generated it. The key material is protected with the TPM, which protects the key material from attackers who want to capture and reuse it. It is a Windows Hardware Certification Program requirement that every Windows 10 Mobile device include a TPM. + +To compromise a Microsoft Passport credential that the TPM protects, an attacker must have access to the physical device, and then find a way to spoof the user’s biometrics identity or guess his or her PIN—and all of this must be done before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. This technology greatly reduces an attacker’s window of opportunity for compromising a user’s credentials. + +### It's flexible + +Microsoft Passport offers unprecedented flexibility along with enterprise-grade security. 
+ +Most importantly, Microsoft Passport works with biometrics or PINs and gives you options beyond long, complex passwords. Instead of users memorizing and retyping often-changed passwords, Microsoft Passport enables PIN- and biometrics-based identification through Windows Hello to identify users more securely. + +The Windows 10 Mobile device that the user logs on to is an authentication factor, as well. The credentials used and the private key on the device are device specific and bound to the device’s TPM. + +In the future, Microsoft Passport will also enable people to use Windows 10 Mobile devices as a remote credential when signing in to PCs running Windows 10. Users will use their PINs or biometrics to unlock their phones, and their phones will unlock their PCs. Phone sign-in with Microsoft Passport will make implementing MFA for scenarios where the user’s credentials must be physically separate from the PC the user is signing in to less costly and complex than other solutions. Phone sign-in will also make it easier for users and IT pros because users can use their phones to sign in to any corporate device instead of enrolling a user credential on each. + +With Microsoft Passport, you gain flexibility in the data center, too. To deploy it for Windows 10 Mobile devices, you must set up Azure AD, but you don’t have to replace or remove your existing Active Directory environment. Using Azure AD Connect, organizations can synchronize these two directory services. Microsoft Passport builds on and adds to your existing infrastructure and allows you to federate with Azure AD. + +Microsoft Passport is also supported on the desktop, giving organizations a uniform way to implement strong authentication on all devices. 
This flexibility makes it simpler for Microsoft Passport to supplement existing smart card or token deployments for on-premises Windows PC scenarios, adding MFA to mobile devices and users who don’t currently have it for extra protection of sensitive resources or systems that these mobile devices access. + +### It's standardized + +Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: the future lies with open, interoperable systems that allow secure authentication across a variety of devices, line-of-business (LOB) apps, and external applications and websites. To this end, a group of industry players formed the Fast Identity Online (FIDO) Alliance. The FIDO Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices as well as the problems users face in creating and remembering multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services securely. This new standard can allow any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms using a standardized set of interfaces and protocols. + +In 2014, Microsoft joined the board of the FIDO Alliance. FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards and of course new ideas. 
Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. + +### Windows Hello + +Windows Hello is the new biometric framework for Windows 10. Because biometric identification is built directly into the operating system, it allows you to use your iris, face, or fingerprint to unlock your mobile device. Windows Hello unlocks Microsoft Passport credentials, which enable authentication to resources or relying parties such as software-as-a-service applications like Microsoft Office 365. + +Windows Hello supports three biometric sensor options that are suitable for enterprise scenarios: + +- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. + +- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello. + +- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. 
Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology. + +**Note**   +Users must create an unlock PIN before they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture. + +  + +All three of these biometric factors—the face, the finger, and the iris—are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes; or both with and without eyeglasses or contact lenses. + +Spoofing biometric data is often a big concern in enterprise environments. Microsoft employs several anti-spoofing techniques in Windows 10 Mobile that verify the trustworthiness of the biometric device as well as guard against intentional collision with stored biometric measurements. These techniques help improve the false-acceptance rate (the rate at which spoofed biometric data is accepted as authentic) while maintaining the overall usability and manageability of MFA. + +The biometric image collected at enrollment is converted into an algorithmic form that cannot be converted back into the original image. Only the algorithmic form is kept; the actual biometric image is removed from the device after conversion. Windows 10 Mobile devices both encrypt the algorithmic form of the biometric data and bind the encrypted data to the device, both of which help prevent someone from removing the data from the phone. As a result, the biometric information that Windows Hello uses is a local gesture and doesn’t roam among the user’s devices. + +Windows Hello offers several major benefits. 
First, it helps to address the problems of credential theft and sharing because an attacker must obtain the mobile phone and impersonate the user’s biometric identity, which is more difficult than stealing a device unlock password. Second, the use of biometrics gives users an authenticator that’s always with them—there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, enterprise-grade secure method for logging on to their Windows 10 Mobile device. Finally, there’s nothing additional to deploy, because Microsoft built Windows Hello support directly into the operating system. All you need is a device that includes a supported biometric sensor. + +The device that senses the biometric factors must report the data to Windows Hello quickly and accurately. For this reason, Microsoft determines which factors and devices are trustworthy and accurate prior to their inclusion in Windows Hello. For more information, see [Windows 10 specifications](http://go.microsoft.com/fwlink/p/?LinkId=722908). + +## Data protection + + +Windows 10 Mobile continues to provide solutions that help protect information against unauthorized access and disclosure. + +### Device encryption + +Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating system and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device. 
+ +You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. Table 2 lists the policies you can change to customize device encryption on Windows 10 Mobile devices. + +Table 2. Windows 10 cryptography policies + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Area namePolicy nameDescription

Cryptography

Allow FIPS Algorithm Policy

Enable or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.

BitLocker

Encryption Method

Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.

Cryptography

TLS Cipher Suite

This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.

+ +  + +For a complete list of policies available, see [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=733963). + +### Enterprise data protection + +Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This situation increases the potential for compromise of sensitive corporate data. + +One growing risk is authorized users’ accidental disclosure of sensitive data—a risk that is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. One example is common among organizations: an employee connects his or her personal phone to the company’s Microsoft Exchange Server instance for email. He or she uses the phone to work on email that includes attachments with sensitive data. When sending the email, the user accidentally copies a supplier. Content protection is only as strong as the weakest link, and in this example, the unintended sharing of sensitive data with unauthorized people might not have been prevented with standard data encryption. + +In Windows 10 Mobile, enterprise data protection (EDP) helps separate personal and enterprise data and prevent data leakage. Key features include its ability to: + +- Automatically tag personal and corporate data. + +- Protect data while it’s at rest on local or removable storage. + +- Control which apps can access corporate data. + +- Control which apps can access a virtual private network (VPN) connection. + +- Prevent users from copying corporate data to public locations. + +**Note**   +EDP is currently being tested in select customer evaluation programs. For more information about EDP, see [Enterprise data protection overview](../whats-new/edp-whats-new-overview.md). + +  + +### Enlightenment + +Third-party data loss protection solutions usually require developers to wrap their apps. 
In contrast, EDP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with EDP. + +EDP can enforce policy without the need for an app to change. This means that an app that always handles business data (such as an LOB app) can be added to the allowed list and will always encrypt all data that it handles. However, if the app does not use common controls, cut and paste operations from this app to a non-enterprise app will silently fail. In addition, if the app needs to handle personal data, this data will also be encrypted. + +Therefore, to improve the user experience, in some cases, developers should enlighten their apps by adding code to and compiling them to use the EDP application programming interfaces. Those cases include apps that: + +- Don’t use common controls for saving files. + +- Don’t use common controls for text boxes. + +- Work on personal and enterprise data simultaneously (for example, contact apps that display personal and enterprise data in a single view; a browser that displays personal and enterprise web pages on tabs within a single instance). + +Figure 1 summarizes when an app might require enlightenment to work with EDP. Microsoft Word is a good example. Not only can Word access personal and enterprise data simultaneously, but it can also transmit enterprise data (for example, email attachments containing enterprise data). + +In any case, most apps don’t require enlightenment for them to use EDP protection. Simply adding them to the EDP allow list is all you must do. Because unenlightened apps cannot automatically tag data as personal or enterprise, if they are in an EDP policy, they treat all data as enterprise data. An LOB app is a good example. Adding an LOB app to an EDP policy protects all data that the app handles. Another example is a legacy app that cannot be updated, which you can add to an EDP policy and use without even being aware that EDP exists. 
+ +![figure 1](images/mobile-security-guide-fig1.png) + +Figure 1. When is enlightenment required? + +### Data leakage control + +To configure EDP in an MDM solution that supports it, add authorized apps to the EDP allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, apps that this policy doesn’t authorize won’t have access to enterprise data. + +EDP works seamlessly until users try to access enterprise data with or try to paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but EDP blocks users from copying enterprise data from an authorized app to an unauthorized app. Likewise, EDP blocks users from using an unauthorized app to open a file that contains enterprise data. + +In addition, users cannot copy and paste data from authorized apps to unauthorized apps or locations on the Web without triggering one of the EDP protection levels: + +- **Block.** EDP blocks users from completing the operation. + +- **Override.** EDP notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. + +- **Audit.** EDP does not block or notify users but logs the operation in the audit log. + +- **Off.** EDP does not block or notify users and does not log operations in the audit log. + +### Data separation + +As the name suggests, data separation separates personal from enterprise data. Most third-party solutions require an app wrapper, and from here, enterprise data goes in a container while personal data is outside the container. Often, people must use two different apps for the same purpose: one for personal data and another for enterprise data. + +EDP provides the same data separation but neither uses containers nor requires a special version of an app to access business data, and then a second instance of it to access personal data. 
There are no containers, partitions, or special folders to physically separate personal and business data. Instead, Windows 10 Mobile is the access control broker, identifying enterprise data because it’s encrypted to the enterprise. Therefore, EDP provides data separation by virtue of encrypting enterprise data. + +### Visual cues + +In Windows 10 Mobile, visual cues indicate the status of EDP to users (see Figure 2): + +- **Start screen.** On the Start screen, apps that an EDP policy manages display a visual cue. + +- **Files.** In File Explorer, a visual cue indicates whether a file or folder contains enterprise data and is therefore encrypted. + +For example, Erwin is an employee at Fabrikam. He opens Microsoft Edge from the Start screen and sees that the tile indicates that an EDP policy manages the browser. Erwin opens the Fabrikam sales website and downloads a spreadsheet. In File Explorer, Erwin sees that the file he downloaded has a visual cue which indicates that it’s encrypted and contains enterprise data. When Erwin tries to paste data from that spreadsheet into an app that no EDP policy manages (for example, his Twitter app), Erwin might see a message that allows him to override protection while logging the action, depending on the protection level configured in the EDP policy. + +![figure 2](images/mobile-security-guide-fig2.png) + +Figure 2. Visual cues in EDP + +## Malware resistance + + +Just as software has automated so much of our lives, malware has automated attacks on our devices. Those attacks are relentless. Malware is constantly changing, and when it infects a device, it can be difficult to detect and remove. + +The best way to fight malware is to prevent the infection from happening. Windows 10 Mobile provides strong malware resistance because it takes advantage of secured hardware and protects both the startup process and the core operating system architecture. 
+ +Table 3 lists specific malware threats and the mitigation that Windows 10 Mobile provides. + +Table 3. Threats and Windows 10 Mobile mitigations + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ThreatWindows 10 Mobile mitigation

Firmware bootkits replace the firmware with malware.

All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.

Bootkits start malware before Windows starts.

UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.

System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.

Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.

An app infects other apps or the operating system with malware.

All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.

An unauthorized app or malware attempts to start on the device.

All Windows 10 Mobile apps must come from Windows Store or Windows Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.

User-level malware exploits a vulnerability in the system or an application and owns the device.

Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.

+

Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.

Users access a dangerous website without knowledge of the risk.

The SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.

Malware exploits a vulnerability in a browser add-on.

Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.

A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.

Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.

+ +  + +**Note**   +Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [http://www.uefi.org/specsandtesttools](http://go.microsoft.com/fwlink/p/?LinkId=722912). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed. + +  + +The following sections describe these improvements in more detail. + +### Enterprise-grade secure hardware + +Taking full advantage of Windows 10 Mobile security features requires advancements in hardware-based security. These advances include UEFI with Secure Boot, TPM, and biometric sensors (hardware dependent). + +### UEFI with Secure Boot + +When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware. + +UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also help ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone. + +UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. 
Because only the mobile phone’s manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and can successfully hide its malicious behavior from Windows 10 Mobile. Firmware-based malware of this nature is typically called a bootkit. + +When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing. + +All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. + +Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://go.microsoft.com/fwlink/p/?LinkId=722909). + +### Trusted Platform Module + +A Trusted Platform Module is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or mobile phone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. It is a Windows 10 Mobile device hardware certification requirement to include a TPM in every Windows 10 Mobile device. + +A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. 
For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling reliable report of the software used to start a platform. + +The following list describes key functionality that a TPM provides in Windows 10 Mobile: + +- **Manage cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. + +- **Safeguard and report integrity measurements.**Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. + +- **Prove a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware that masquerades as a TPM. + +Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. 
TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. + +Many people assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements; therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile. + +**Note**   +Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [Minimum hardware requirements](http://go.microsoft.com/fwlink/p/?LinkId=733964). + +  + +Several Windows 10 Mobile security features require TPM: + +- Virtual smart cards + +- Measured Boot + +- Health attestation (requires TPM 2.0 or later) + +Still other features will use the TPM if it is available. For example, Microsoft Passport does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Microsoft Passport. + +### Biometrics + +Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. 
Biometrics may have provided convenience but not necessarily enterprise-grade authentication. + +Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by MFA features such as Microsoft Passport and Windows Hello. + +In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue to integrate them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system. + +### Enterprise-grade secure Windows startup + +UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the devices, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. + +### Trusted Boot + +When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (for example, signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files. + +If someone has modified a file (for example, if malware has tampered with it or it has been corrupted), Trusted Boot will detect the problem and attempt to automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay. + +### Measured Boot + +The biggest challenge with rootkits and bootkits in earlier versions of Windows was that they could frequently be undetectable to the client. 
Because they often started before Windows defenses and the antimalware solution—and they had system-level privileges—rootkits and bootkits could completely disguise themselves while continuing to access system resources. Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (for example, if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one). + +Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks. + +Measured Boot focuses on acquiring the measurement data and protecting it against tampering. You must couple it, however, with a service that can analyze the data to determine device health and provide a more complete security service. The next section introduces just such a service. + +### Device health attestation + +Device health attestation is new feature in Windows 10 Mobile that helps prevent low-level malware infections. Device health attestation uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties. + +You can integrate Device health attestation with Microsoft Intune or non-Microsoft MDM solutions and combine these hardware-measured security properties with other device properties to gain an overall view of the device’s health and compliance state. 
From there, you can use this integration in a variety of scenarios, from detecting jailbroken devices to monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365. + +### Conditional Access + +The example that follows shows how Windows 10 protective measures integrate and work with Intune and non-Microsoft MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile helps you monitor and verify compliance and how the security and trust rooted in the device hardware protect corporate resources end to end. + +When a user turns on a phone: + +1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader. + +2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process. + +3. In parallel to steps 1 and 2, the phone’s TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access. + +4. Devices that a Device health attestation-enabled MDM solution manage send a copy of this audit trail to the Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel. + +5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device. + +6. 
From your Device health attestation-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization’s security needs and policies. + +Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a Device health attestation-enabled MDM system like Intune that takes advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware. + +## App platform security + + +Applications built for Windows are designed to be secure and free of defects, but the reality is that human error can create vulnerabilities in code. When malicious users and software identify such vulnerabilities, they may attempt to manipulate data in memory in the hope that they can compromise the system and take control. + +To mitigate these risks, Windows 10 Mobile includes a series of improvements to make it more difficult for malware to compromise the device. Windows 10 Mobile even enables organizations to choose which apps are allowed to run on mobile devices. In addition, it includes improvements that can dramatically reduce the likelihood that newly discovered vulnerabilities can be successful exploited. It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level. + +### Device Guard + +Device Guard is a feature set that consists of both hardware and software system integrity-hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model. 
+ +All apps on Windows 10 Mobile must be digitally signed and come from Windows Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Windows Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app doesn’t have a digital signature or is prevented by policy, or it does not come from a trusted store, it will not run on Windows 10 Mobile. + +Advanced hardware features (described earlier in the [Enterprise-grade secure hardware](#secure-hardware) section) drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot. + +### AppContainer + +The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer—a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy. + +The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer. A capability is a Windows 10 Mobile device resource such as geographical location information, camera, microphone, networking, and sensors. + +A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. In addition, access to other capabilities can be declared within the app code itself. Access to additional capabilities and privileges cannot be requested at run time, as can be done with traditional desktop applications. 
+ +The AppContainer concept is advantageous for the following reasons: + +- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. + +- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Windows Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. + +- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communications channels and data types. + +Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Windows Store displays the permissions that the app requires along with the app’s age rating and publisher. + +The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect, however, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, we need redundant vulnerability mitigations. The next several topics describe some of the redundant mitigations in Windows 10 Mobile. 
+ +### Address Space Layout Randomization + +One of the most common techniques attackers use to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. + +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts. + +![figure 3](images/mobile-security-guide-figure3.png) + +Figure 3. ASLR at work + +Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, making it even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, making it even more difficult for a successful exploit that works on one system to work reliably on another. Microsoft also holistically applied ASLR across the entire system in Windows 10 Mobile rather than it working only on specific apps. + +### Data Execution Prevention + +Malware depends on its ability to put a malicious payload into memory with the hope that an unsuspecting user will execute it later. ASLR makes that much more difficult. 
+ +Extending that protection, it would be great if you could prevent malware from running if it wrote to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) does exactly that, substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP. + +### Windows heap + +The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use. + +Windows 10 Mobile has several important improvements to the security of the heap over previous versions of Windows: + +- Internal data structures that the heap uses are better protected against memory corruption. + +- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. + +- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. + +### Memory reservations + +Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory. 
+ +### Control Flow Guard + +When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known—they are written in the code itself—but until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run. + +Windows 10 Mobile mitigates this kind of threat through the Control Flow Guard (CFG) feature. When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn’t trust the location, it immediately terminates the application as a potential security risk. + +You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. Of course, browsers are a key entry point for attacks; thus Microsoft Edge and other Windows features take full advantage of CFG. + +### Protected processes + +In general, preventing a computer security incident is more cost-effective than repairing the damage an incident can cause. For malware in particular, most security controls are designed to prevent an attack from being initially successful. The reasoning is that if malware cannot infect the system, the system is immune to malware. + +Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. 
So, although prevention with a defense-in-depth strategy is important, it cannot be the only type of malware control. + +The key security scenario is to assume that malware is running on a system but limit what it can do. Windows 10 Mobile has security controls and design features in place to reduce compromise from existing malware infections. Protected Processes is one such feature. + +With Protected Processes, Windows 10 Mobile prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes more broadly across the operating system. + +### Store for Business + +Store for Business allows IT pros to find, acquire, distribute, and manage apps for their organization. The model provides flexible ways to distribute apps, depending on the size of your organization, and does not require additional infrastructure in some scenarios. + +UWP apps are inherently more secure than typical applications because they are sandboxed, which restricts the app’s risk of compromise or tampering with in a way that would put the system, data, and other applications at risk. Windows Store can further reduce the likelihood that malware will infect devices by reviewing all applications that enter the Windows Store ecosystem before making them available. Store for Business extends this concept by enabling you to distribute custom LOB apps, and even some Windows Store apps, to Windows 10 Mobile devices through the same Windows Store infrastructure. + +Regardless of how users acquire UWP apps, they can use them with increased confidence. UWP apps run in an AppContainer sandbox with limited privileges and capabilities. 
For example, the apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. + +In addition, all UWP apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is significantly limited and should be contained within the sandbox. Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. + +The Windows Store app-distribution process and the app sandboxing capabilities of Windows 10 Mobile can dramatically reduce the likelihood that users encounter malicious apps on the system. + +For more information about Store for Business, see [Windows Store for Business overview](../whats-new/windows-store-for-business-overview.md). + +### App management + +An enterprise typically exerts some configuration and control over the apps installed on devices. In this way, the organization accomplishes several business goals, such managing software licenses, ensuring mandatory app deployment on required devices, and preventing the installation of unacceptable apps on corporate devices. + +An important component in delivering on these goals is Store for Business, which builds on the Windows Store infrastructure that Microsoft hosts and enables you to deploy Windows Store apps across your Windows 10-based devices. Store for Business is both powerful and highly flexible. It allows you to extend and customize features without having to stand up new on-premises infrastructure. It supports and integrates with your existing MDM service but doesn’t require one. (Ask your MDM service vendor about integration with Store for Business.) 
You can configure Store for Business for a wide variety of scenarios, including online and offline licensing and different app-distribution options. For a more detailed description of the available Store for Business scenarios, see [Windows Store for Business overview](../whats-new/windows-store-for-business-overview.md). + +A web-based portal for IT pros simplifies Windows 10 Mobile app deployment. The familiar look of Windows Store was used to design the Store for Business experience. It showcases apps relevant to business use, hand-selected and sorted by category. The store can use Azure AD accounts for all users, linking them to a single, unique organizational identity. + +Another key benefit is licensing. Store for Business enables you to track and manage licenses for all UWP apps. You can easily determine which users have installed specific apps, track remaining licenses left, and acquire new licenses directly through the web interface. Those new licenses are added within Store for Business and do not require complex export and import processes. As long as your clients are online and have Internet connectivity, the licensing scenario with Store for Business is a great improvement over manual licensing tasks. + +Store for Business allows you to find the right apps for your users, acquire them, manage app licenses, and distribute apps to individuals. The best way to understand Store for Business is to look at the steps involved in a common scenario: delivering apps to Windows 10 Mobile users without an MDM—specifically, deploying apps to Windows 10 Mobile users. In this scenario, you identify several apps that must be on each mobile device that are currently available for free in the Windows Store (for example, a VPN app for your Dell SonicWALL solution) and some internally developed LOB apps. + +### The IT side + +You begin the app deployment process by preparing the private store and the apps before your users receive their new Windows 10 Mobile devices. 
+ +First, you open [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) and use an Azure AD account to log in. This account is linked to the company’s unique organizational identity and must have an Azure AD tenant. In addition, the account must have Azure AD Enterprise Admin permissions if this is the first time you’re using Store for Business. You can delegate later access through permissions within Store for Business. + +Next, you locate and acquire any apps you want to deploy to the mobile devices, adding the apps and licenses to the organization’s inventory. + +Along with existing Windows Store apps, you can use Store for Business to manage custom LOB apps that are developed for your organization. First, you grant permission for a trusted app developer to submit the apps. You and the developer submit these apps through the [Windows Dev Center](http://go.microsoft.com/fwlink/p/?LinkId=722911), and they must be digitally signed with a trusted certificate. These apps are not published to the retail Windows Store catalog and are not visible to anyone outside the organization. + +You can deliver the apps through a private store within Windows Store. The next step, then, is for you to mark the app to be available in the private store, which you do through the Store for Business web portal. + +Alternatively, you can choose one of two other app-distribution options in Store for Business web portal: + +- Assign the app to people in your organization by selecting one or more Azure AD identities + +- Add the app to the organization’s private store, and allow all users to discover and install it. + +For details about app distribution, see [Distribute apps using your private store](../manage/distribute-apps-from-your-private-store.md). + +The IT process for preparing Store for Business for app deployment is shown in Figure 4. + +![figure 4](images/mobile-security-guide-figure4.png) + +Figure 4. 
The IT process for Store for Business + +For details about the process of distributing apps through Store for Business, see [Find and acquire apps](../manage/find-and-acquire-apps-overview.md). + +### The user side + +After you have prepared Store for Business, the user side of the process takes over. This side of the process is designed to be user friendly, with the primary app deployment method—through Store for Business—streamlined and straightforward. This process doesn’t require an MDM system or any on-premises infrastructure. In fact, the user never sees the “for Business” label, just the familiar Windows Store. + +1. The user opens the Windows Store app on his or her Windows 10 Mobile device. + +2. The same Windows Store interface appears, with the addition of the private store you created. The private store appears as a new page, similar to Games and Music. The interface integrates the public Windows Store with the organization’s private store, which contains curated apps. + +3. The user simply selects and installs apps as usual. + +If the user wants to make a private purchase of apps, music, movies, or TV shows with his or her Microsoft account, that’s an option, as well. The user pays for and owns his or her purchase, independent of the company. This flexibility enables hybrid scenarios for devices in many bring your own device environments. + +### Microsoft Edge + +Windows 10 Mobile includes critical improvements designed to thwart attacks and malware. The environment is now more resistant to malware thanks to significant improvements to SmartScreen Filters. Internet browsing is a safer experience thanks to Microsoft Edge, a completely new browser. + +Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. 
Microsoft Edge is more secure than previous Microsoft web browsers in several ways: + +- **Microsoft Edge does not support non-Microsoft binary extensions.** Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions but includes no non-Microsoft binary extensions, such as ActiveX controls or Java. + +- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. + +- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. + +The web browser is a critical component of any security strategy, and for good reason: it is the user’s interface to the Internet, an environment teeming with malicious sites and nefarious content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. + +## Related topics + + +[Windows 10 security overview](windows-10-security-guide.md) + +[Windows 10 Mobile and MDM](../manage/windows-10-mobile-and-mdm.md) + +[Windows 10 and Windows 10 Mobile](../index.md) + +[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) + +[Windows Store for Business overview](../whats-new/windows-store-for-business-overview.md) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md new file mode 100644 index 0000000000..ec556b3cf0 --- /dev/null +++ b/windows/keep-secure/windows-10-security-guide.md 
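Review bot: the Data Execution Prevention paragraph in this hunk says DEP uses the **No execute** bit "to mark blocks of memory as read only", which is not what the NX bit does; it marks pages as non-executable, and a page can stay writable while being non-executable, which is exactly the property needed for heap and stack data. Suggest: "DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as non-executable, so that malware can't run code stored in those blocks." Two smaller points in the same hunk: the AppContainer section says additional capabilities "can be declared within the app code itself", but UWP capabilities are declared in the app's package manifest, and saying so matters because the Store permission listing mentioned a few paragraphs later is derived from that manifest rather than from code; and the Microsoft Edge section opens with two consecutive paragraphs that each introduce Edge as "a completely new browser" and "an entirely new web browser", which should be merged into one paragraph.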
@@ -0,0 +1,919 @@ +--- +title: Windows 10 security overview (Windows 10) +description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. +ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B +keywords: ["configure", "feature", "file encryption"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Windows 10 security overview + + +**Applies to** + +- Windows 10 + +This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features. + +## Introduction + + +Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10: + +- [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials. + +- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. 
Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security. + +- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10. + +## Identity and access control + + +Traditionally, access control is a process that has three components: + +- **Identification** - when a user asserts a unique identity to the computer system for the purpose of gaining access to a resource, such as a file or a printer. In some definitions, the user is called the subject and the resource is the object. + +- **Authentication** - the process of proving the asserted identity and verification that the subject is indeed *the* subject. + +- **Authorization** - performed by the system to compare the authenticated subject’s access rights against the object’s permissions and either allow or deny the requested access. + +The way these components are implemented makes the difference in stopping attackers from accessing secret data. Only a user who proves his or her identity – and is authorized to access that data – will access it. But in security, there are varying degrees of identity proof and many different requirements for authorization limits. The access control flexibility needed in most corporate environments presents a challenge for any operating system. Table 1 lists typical Windows access control challenges and the Windows 10 solutions. + +Table 1. 
Windows 10 solutions to typical access control challenges + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Access control challengeWindows 10 solutions

Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.

+

Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.

Windows Hello on biometric-capable devices and Microsoft Passport enable simpler MFA.

Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard. Windows Hello enables secure facial recognition–based authentication.

Windows Hello enables secure facial recognition–based authentication.

IT must purchase and manage non-Microsoft tools to meet regulatory requirements for access control and auditing.

Combined with the Windows Server 2012 operating system, Dynamic Access Control provides flexible access control and auditing designed to meet many government security and regulatory requirements.

Users dislike typing their passwords.

Single sign-on (SSO) allows users to sign in once with their Microsoft Passport and get access to all corporate resources without the need to re-authenticate.

+

Windows Hello enables secure fingerprint- and facial recognition–based authentication and can be used to revalidate user presence when sensitive resources are accessed.

Windows adds increasing delays between logon attempts and can lock out a user account when it detects brute-force attacks.

When BitLocker is enabled on the system drive and brute-force protection is enabled, Windows can restart the PC after a specified number of incorrect password entries, lock access to the hard drive, and require the user to type the 48-character BitLocker recovery key to start the device and access the disk.

+ +  + +The sections that follow describe these challenges and solutions in more detail. + +**Microsoft Passport** + +Microsoft Passport provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or Windows Hello. Microsoft Passport is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware. + +Unlike smart cards, Microsoft Passport does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Microsoft Passport. Microsoft Passport combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks. + +Microsoft Passport offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail. + +**It’s flexible** + +Microsoft Passport offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself. + +Microsoft Passport gives you options beyond long, complex passwords. 
Instead of requiring users to memorize and retype frequently-changed passwords, Microsoft Passport enables PIN- and biometrics-based authentication through Windows Hello to securely identify users. + +With Microsoft Passport, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Microsoft Passport builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport to your network. The choice of which users to enable for Microsoft Passport use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems. + +**It’s standardized** + +Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. 
The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. + +In 2014, Microsoft joined the board of the [FIDO Alliance](http://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. + +**It’s effective** + +Microsoft Passport effectively mitigates two major security risks. First, it eliminates the use of passwords for logon and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. 
Second, because Microsoft Passport uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. + +To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks. + +### + +**Windows Hello** + +Windows Hello is the name given to the new biometric sign-in option for Microsoft Passport. Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself. + +The user’s biometric data that is used for Windows Hello is considered a local gesture and consequently doesn’t roam among a user’s devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile. + +Windows Hello supports two biometric sensor options that are suitable for enterprise scenarios: + +- **Facial recognition** uses special infrared cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping integrated devices with facial-recognition technology. 
+ +- **Fingerprint recognition** uses a fingerprint sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running Windows for years, the detection, antispoofing, and recognition algorithms in Windows 10 are more advanced than previous Windows versions. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) can be used with Windows Hello. + +Windows Hello offers several major benefits. First, it addresses the problems of credential theft and sharing, because an attacker must obtain the device and impersonate the user’s biometric identity, which is more difficult than stealing a password or PIN. Second, the use of biometrics gives users an authenticator that’s always with them – there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for logging in to all their Windows devices. Finally, there’s nothing additional to deploy or manage. Because Windows Hello support is built directly into the operating system, there are no additional drivers to deploy. + +**Brute-force attack resistance** + +A brute-force attack is the process used to break into a device simply by guessing a user’s password, PIN, or even his or her biometric identity over and over until the attacker gets it right. Over the last several versions of Windows, Microsoft has added features that dramatically reduce the chances that such an attack would succeed. + +The Windows 7 operating system and previous versions defended against brute-force attacks in a straightforward way: they slowed or prevented additional guesses after multiple mistakes. When users use a full password to log on, Windows forces users to wait several seconds between attempts if they type their password incorrectly multiple times. 
You can even choose to have Windows lock out an account for a period of time when it detects a brute-force attack.

Windows 8.1 and Windows 10 support an even more powerful, but optional, form of brute-force protection when the credentials are tied to the TPM. If the operating system detects a brute-force attack against the Windows sign-in and BitLocker protects the system drive, Windows can automatically restart the device and put it in BitLocker recovery mode until someone enters the recovery password. This is the virtually unguessable 48-digit BitLocker recovery password, which must be entered before Windows will start normally again. Because this lockout deliberately makes the device unusable, make sure the recovery password has been backed up (to AD DS, Azure AD, or MBAM) before you enable the policy on production machines.

If you're interested in learning how to configure brute-force protection, use a test Windows 10 PC on which BitLocker protection is enabled for the system drive, and print the BitLocker recovery password to ensure that you have it available. Then open the Local Group Policy Editor by running **gpedit.msc**, and go to Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options. Open the policy **Interactive logon: Machine account lockout threshold**, and set the value to **5**, as shown in Figure 1.

![figure 1](images/security-fig1-invalidaccess.png)

Figure 1. Set the number of invalid access attempts prior to lockout

Now your PC is configured with brute-force protection. Restart it. When prompted to log on, mistype your password until the PC restarts, and then try to guess the 48-digit recovery password. You will be glad you printed it out beforehand.

## Information protection

When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against attackers, beginning with the Encrypting File System in the Windows 2000 operating system.
More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies.

Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7.

Table 2. Data Protection in Windows 10 and Windows 7

| Windows 7 | Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.<br><br>Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypted hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |

The sections that follow describe these improvements in more detail.

**Prepare for drive and file encryption**

The best security measures are transparent to the user during implementation and use. Every time a security feature introduces a possible delay or difficulty, there is a strong likelihood that users will try to bypass it. This is especially true for data protection, and that is a scenario organizations need to avoid.

Whether you're planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.

**TPM pre-provisioning**

In Windows 7, preparing the TPM for use presented a couple of challenges:

- The TPM had to be turned on in the BIOS, which required someone either to go into the BIOS settings or to install a driver that turned it on from within Windows.

- Enabling the TPM could require one or more restarts.

Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users' hands, those users would have struggled with the technical challenges and would either have called IT for support or simply left BitLocker disabled.

Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.

**Deploy hard drive encryption**

BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled.
With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows, or as part of an automated deployment task sequence, without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.

With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10.

**Device encryption**

Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption.

Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:

- When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of the standard BitLocker suspended state).

- If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.

- If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.

- Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting:

- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker

- **Value**: PreventDeviceEncryption equal to True (1)

- **Type**: REG\_DWORD

Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.

**Used Disk Space Only encryption**

BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not hold data). That is still the most secure way to encrypt a drive, especially if the drive has previously contained confidential data that has since been moved or deleted, because traces of that data can remain in portions of the drive marked as unused.

But why encrypt the empty space of a new drive when you can simply encrypt data as it is written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just the used space. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.

Exercise caution when encrypting only used space on an existing volume on which confidential data may already have been stored unencrypted, however, because those sectors can be recovered with disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume significantly decreases deployment time without this risk, because all new data is encrypted as it is written to the disk.
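The following script is an added example, not a script from this guide. It carries out on one machine the sequence the Deploy hard drive encryption, Device encryption and Used Disk Space Only passages describe (recovery password first, escrowed to AD DS, then the TPM protector, with Used Space Only chosen only for a never-used volume), and finishes with the machine-account lockout threshold from the Brute-force attack resistance section, which is only safe to turn on once that recovery password is escrowed. It assumes an elevated PowerShell session on a domain-joined Windows 10 PC with a ready TPM. The registry value it writes for the lockout policy (MaxDevicePasswordFailedAttempts under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) is the value the Local Security Policy editor stores for that setting; treat it as an assumption and verify it against your policy templates.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the guide. Enables BitLocker on the OS drive with a
# recovery password escrowed to AD DS before the TPM protector is added, uses
# Used Space Only encryption only for a never-used volume, and optionally turns
# on the machine-account lockout threshold once recovery is escrowed.
# Assumes: domain-joined Windows 10, TPM present and ready, elevated PowerShell.
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$FreshVolume,          # newly imaged drive: Used Space Only is safe
    [int]$LockoutThreshold = 0     # 0 = leave the lockout policy untouched
)
$ErrorActionPreference = 'Stop'

# Assumption: registry value behind "Interactive logon: Machine account lockout threshold".
$lockoutKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lockoutName = 'MaxDevicePasswordFailedAttempts'

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; check firmware or run Initialize-Tpm first.'
}

# Report the device-encryption opt-out described above, so nobody is surprised
# that automatic device encryption never ran on this machine.
$bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' -ErrorAction SilentlyContinue
if ($bl -and $bl.PreventDeviceEncryption -eq 1) {
    Write-Warning 'PreventDeviceEncryption=1: automatic device encryption is disabled here.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 1. Turn BitLocker on with a recovery password protector only. On a reused
    #    drive encrypt everything: free space may still hold old plaintext.
    $on = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256'
             RecoveryPasswordProtector = $true; SkipHardwareTest = $true }
    if ($FreshVolume) { $on.UsedSpaceOnly = $true }
    $vol = Enable-BitLocker @on
}

# 2. Escrow every recovery password to AD DS before relying on the TPM (mirrors the
#    "Do not enable BitLocker until recovery information is stored in AD DS" policy).
#    Backup-BitLockerKeyProtector fails on a non-domain-joined PC and stops the script here.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 3. Add the TPM protector so the drive unlocks transparently at boot.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# 4. Only now is the BitLocker-backed lockout safe: a locked device can be recovered
#    with the escrowed password instead of being bricked.
if ($LockoutThreshold -gt 0) {
    if (-not (Test-Path $lockoutKey)) { New-Item -Path $lockoutKey -Force | Out-Null }
    Set-ItemProperty -Path $lockoutKey -Name $lockoutName -Value $LockoutThreshold -Type DWord
}

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{ n = 'RecoveryPasswordIds'; e = { ($recovery.KeyProtectorId) -join ', ' } }
```

Run it as `.\Enable-OsDriveBitLocker.ps1 -FreshVolume -LockoutThreshold 5` on a freshly imaged machine, or without `-FreshVolume` on a drive that has held data before. The order matters: if AD DS escrow fails, the script stops with the drive protected only by the recovery password and no lockout configured, which is the safe failure.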

**Encrypted hard drive support**

SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.

Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on the drive, which improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself and by rapidly encrypting the drive with dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.

For more information about encrypted hard drives, see [Encrypted Hard Drive](http://go.microsoft.com/fwlink/p/?LinkId=733880).

**Preboot information protection**

An effective information protection implementation, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.

It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.

Windows 10 can enable a true SSO experience from the preboot environment on modern devices, and in some cases even on older devices, when robust information protection configurations are in place.
The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly, and depending on the device's configuration they may not offer additional security when it comes to key protection. For more information about how to configure BitLocker for SSO, see [BitLocker Countermeasures](bitlocker-countermeasures.md).

**Manage passwords and PINs**

When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.

Requiring a PIN at startup is a useful security feature because it adds a second authentication factor: the TPM-sealed key is something the device has, and the PIN is something the user knows. This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.

Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often.
In addition, InstantGo devices do not require a PIN for startup: they are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.

For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md).

**Configure Network Unlock**

Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.

Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Network Unlock adds a network key protector alongside the drive's TPM+PIN protector, so any time the PC is not connected to the corporate network, the user must type the PIN to unlock the drive.

Network Unlock requires the following infrastructure:

- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)

- A server running Windows Server 2012 or later with the Windows Deployment Services role

- A server with the DHCP server role installed

For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](http://go.microsoft.com/fwlink/p/?LinkId=733905).
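As an added example, not from this guide, the following script applies the Manage passwords and PINs passage above: it allows a TPM+PIN protector through the BitLocker policy registry keys, swaps the OS drive's TPM-only protector for a TPM+PIN protector, and leaves standard users allowed to rotate the PIN themselves. The same TPM+PIN protector is the one Network Unlock builds on. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPMPIN, DisallowStandardUserPINReset, UseEnhancedPin) are the registry form of the "Require additional authentication at startup", "Disallow standard users from changing the PIN or password" and "Allow enhanced PINs for startup" settings; treat them as assumptions to verify against your ADMX templates, and on managed machines prefer Group Policy to writing them directly.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the guide: require a TPM+PIN at startup on the OS drive
# and let standard users rotate the PIN. Assumes Windows 10 with a ready TPM and
# BitLocker already enabled with a TPM protector plus a recovery password.
# Registry value names are assumptions taken from the BitLocker ADMX policies.
param([string]$MountPoint = $env:SystemDrive)
$ErrorActionPreference = 'Stop'

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
# "Require additional authentication at startup"; per-protector values: 0 = do not allow,
# 1 = require, 2 = allow. Allow TPM+PIN without forcing every machine to use it.
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
# 0 keeps the Windows 10 behaviour the text describes: standard users may run
# "manage-bde -changepin" without administrator credentials.
Set-ItemProperty -Path $fve -Name DisallowStandardUserPINReset -Value 0 -Type DWord
# Enhanced PINs permit letters and symbols, which raises the cost of guessing.
Set-ItemProperty -Path $fve -Name UseEnhancedPin -Value 1 -Type DWord

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') { throw "Enable BitLocker on $MountPoint first." }
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw 'Add and escrow a recovery password before changing the startup protector.'
}

$pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'

# BitLocker allows only one TPM-based protector per volume, so the TPM-only
# protector is removed first. The recovery password remains as the fallback
# in case the TPM+PIN protector cannot be added.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
}
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

After a restart the firmware prompts for the PIN before Windows loads; a standard user can change it later with `manage-bde -changepin C:`. On InstantGo devices, which the text says do not need a PIN, leave UseTPMPIN at 2 (allow) rather than 1 (require) so the policy does not force a PIN onto them.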

**Microsoft BitLocker Administration and Monitoring**

Part of the Microsoft Desktop Optimization Pack (MDOP), MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version at the time of writing, has the following key features:

- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.

- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.

- Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.

- Reduces the workload on the help desk to assist end users with BitLocker recovery requests.

- Enables end users to recover encrypted devices independently by using the Self-Service Portal.

- Enables security officers to easily audit access to recovery key information.

- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.

- Enforces the BitLocker encryption policy options that you set for your enterprise.

- Integrates with existing management tools, such as System Center Configuration Manager.

- Offers an IT-customizable recovery user experience.

- Supports Windows 10.

For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](http://go.microsoft.com/fwlink/p/?LinkId=626935) on the MDOP TechCenter.

## Malware resistance

In movies, security threats always seem to be initiated by a nefarious hacker sitting in front of a monitor with green text scrolling across it. In the real world, the vast majority of security threats occur without any human interaction at all. Just as software has automated so much of our lives, malware has automated attacks on our PCs. Those attacks are relentless.
Malware is constantly changing, and when it infects a PC, it can in some cases be extremely difficult to detect and remove.

Prevention is the best bet, and Windows 10 provides strong malware resistance because it takes advantage of secure hardware, which secures the startup process, the core operating system architecture, and the desktop.

Table 3 lists specific malware threats and the mitigation that Windows 10 provides.

Table 3. Threats and Windows 10 mitigations

| Threat | Windows 10 mitigation |
|---|---|
| Firmware bootkits replace the firmware with malware. | All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs. |
| Bootkits start malware before Windows starts. | UEFI Secure Boot verifies Windows bootloader integrity to ensure that no malicious operating system can start before Windows. |
| System or driver rootkits start kernel-level malware while Windows is starting, before Windows Defender and antimalware solutions can start. | Windows Trusted Boot verifies Windows boot components, Microsoft drivers, and the Early Launch Antimalware (ELAM) driver, which in turn verifies non-Microsoft drivers.<br><br>Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device, to help ensure that Trusted Boot and other boot components successfully checked the system. |
| User-level malware exploits a vulnerability in the system or an application and owns the device. | Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.<br><br>Protected Processes isolates nontrusted processes from each other and from sensitive operating system components.<br><br>VBS, built on top of Microsoft Hyper-V, protects sensitive Windows processes from the Windows operating system by isolating them from user mode processes and the Windows kernel.<br><br>Configurable code integrity enforces administrative policies that select exactly which applications are allowed to run in user mode. No other applications are permitted to run. |
| Users download dangerous software (for example, a seemingly legitimate application with an embedded Trojan horse) and run it without knowledge of the risk. | The SmartScreen Application Reputation feature is part of the core operating system; Microsoft Edge and Internet Explorer can use this feature either to warn users or to block users from downloading or running potentially malicious software. |
| Malware exploits a vulnerability in a browser add-on. | Microsoft Edge is a Universal App that does not run older binary extensions, including Microsoft ActiveX and Browser Helper Objects (BHOs) frequently used for toolbars, thus eliminating these risks. |
| A website that includes malicious code exploits a vulnerability in Microsoft Edge or IE to run malware on the client PC. | Both Microsoft Edge and IE include Enhanced Protected Mode, which uses AppContainer-based sandboxing to protect the system from vulnerabilities that may be discovered in the extensions running in the browser (for example, Adobe Flash, Java) or in the browser itself. |

The sections that follow describe these improvements in more detail.

**Secure hardware**

Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), I/O memory-protection features (an IOMMU, for example Intel VT-d), a TPM, and biometric sensors.

**UEFI with Secure Boot**

When a PC starts, it begins the process of loading the operating system by locating the bootloader on the PC's hard drive. Without safeguards in place, the PC may simply hand control over to the bootloader without determining whether it is a trusted operating system or malware.

UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. It provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI implementations with the Secure Boot feature (version 2.3.1 or later) also ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the device.

UEFI can run internal integrity checks that verify the firmware's digital signature before running it. Because only the PC's hardware manufacturer holds the private key required to create a valid firmware signature, UEFI has protection from firmware bootkits. Thus, UEFI is the first link in the chain of trust.

UEFI with Secure Boot became a hardware requirement starting with Windows 8 certified devices, and Secure Boot must be enabled by default on such PCs. It is possible to disable the Secure Boot feature on many devices, but Microsoft strongly discourages doing so because it dramatically reduces the security of the startup process.

When a PC with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader's digital signature to confirm that it has not been modified after it was signed. The firmware also verifies that a trusted authority issued the bootloader's signature. This check helps to ensure that the system starts only after confirming that the bootloader is both trusted and unmodified since signing.

All Windows 8 certified PCs must meet several requirements related to Secure Boot:

- They must have Secure Boot enabled by default.

- They must trust Microsoft's certification authority (CA) and thus any bootloader Microsoft has signed.

- They must allow the user to add signatures and hashes to the UEFI database.

- They must allow the user to completely disable Secure Boot (although administrators can restrict this).

This behavior doesn't limit the choice of operating system. In fact, users typically have three options for running non-Microsoft operating systems:

- **Use an operating system with a Microsoft-signed bootloader.** Microsoft offers a service to sign non-Microsoft bootloaders so that they can be used on the device. In this case, a signature from the Microsoft third-party UEFI CA is used to sign the non-Microsoft bootloader, and the signature itself is added to the UEFI database. Several non-Microsoft operating systems, including several varieties of Linux, have had their bootloaders signed by Microsoft so that they can take advantage of the Secure Boot capability. For more information about the Microsoft third-party UEFI signing policy, read [Microsoft UEFI CA Signing policy updates](http://go.microsoft.com/fwlink/p/?LinkId=626936) and [Pre-submission testing for UEFI submissions](http://go.microsoft.com/fwlink/p/?LinkId=626937).

  **Note**   
  PCs configured to use Device Guard boot only a secured version of Windows and do not permit a third-party bootloader.
  For more information, see the [Device Guard](#device-guard) section of this document.

- **Configure UEFI to trust a non–Microsoft-signed bootloader or hashes.** Some Certified for Windows 8 or later PCs allow users to add noncertified bootloaders by adding a signature or hashes to the UEFI database, which allows them to run any operating system without Microsoft signing it.

- **Turn off Secure Boot.** Windows 8 certified PCs allow users to turn off Secure Boot so they can run unsigned operating systems. In this mode, the behavior is identical to PCs that have BIOS: the PC simply runs the bootloader without any verification. Microsoft strongly recommends that Secure Boot remain enabled whenever the device starts so that it can help prevent bootkit infections.

  **Note**   
  With Windows 10, original equipment manufacturers (OEMs) have the ability to ship built-to-order PCs that lock down UEFI Secure Boot so that it cannot be disabled and allows only the operating system of the customer's choice to start on the device.

Windows, apps, and even malware cannot change the UEFI Secure Boot configuration at will. The firmware accepts changes to the signature databases (db and dbx) only when the update is signed by a key the platform already trusts, such as the Key Exchange Key (KEK); this is how operating system updates can add revoked signatures to dbx without firmware access. Anything beyond that, such as disabling Secure Boot or enrolling a new platform key, requires a user who is physically present to boot the PC into the firmware setup or a UEFI shell and change the settings there. For more information about UEFI Secure Boot, read [Protecting the pre-OS environment with UEFI](http://go.microsoft.com/fwlink/p/?LinkId=626938).

**Virtualization-based security**

One of the most powerful changes in Windows 10 is virtualization-based security (VBS). VBS takes advantage of advances in PC virtualization to change the game when it comes to protecting system components from compromise. VBS is able to isolate some of the most sensitive security components of Windows 10. These components aren't just isolated through application programming interface (API) restrictions or a middle layer: they actually run in a different virtual environment and are isolated from the Windows 10 operating system itself.

VBS and the isolation it provides are accomplished through the novel use of the Hyper-V hypervisor. In this case, instead of running other operating systems on top of the hypervisor as virtual guests, the hypervisor supports running the VBS environment in parallel with Windows and enforces a tightly limited set of interactions and access between the environments.

Think of the VBS environment as a miniature operating system: it has its own kernel and processes. Unlike Windows, however, the VBS environment runs a microkernel and only two processes, called trustlets:

- **Local Security Authority (LSA)** enforces Windows authentication and authorization policies. LSA is a well-known security component that has been part of Windows since 1993. Sensitive portions of LSA are isolated within the VBS environment and are protected by a new feature called Credential Guard.

- **Hypervisor-enforced code integrity** verifies the integrity of kernel-mode code prior to execution. This is part of the [Device Guard](#device-guard) feature described later in this document.

VBS provides two major improvements in Windows 10 security: a new trust boundary between key Windows system components, and a secure execution environment within which they run. The trust boundary is enabled through the VBS environment's use of platform virtualization to isolate itself from the Windows operating system. Running the VBS environment and the Windows operating system as guests on top of Hyper-V and the processor's virtualization extensions inherently prevents the guests from interacting with each other outside the limited and highly structured communication channels between the trustlets within the VBS environment and the Windows operating system.

VBS acts as a secure execution environment because the architecture inherently prevents processes that run within the Windows environment, even those that have full system privileges, from accessing the kernel, trustlets, or any allocated memory within the VBS environment. In addition, the VBS environment uses TPM 2.0 to protect any data that is persisted to disk, so a user who has access to the physical disk is unable to read that data in unencrypted form.

The VBS architecture is illustrated in Figure 2.

![figure 2](images/security-fig2-vbsarchitecture.png)

Figure 2. The VBS architecture

Note that VBS requires a system that includes:

- Windows 10 Enterprise edition

- A 64-bit processor

- UEFI with Secure Boot

- Second-Level Address Translation (SLAT) technologies (for example, Intel Extended Page Tables \[EPT\], AMD Rapid Virtualization Indexing \[RVI\])

- Virtualization extensions (for example, Intel VT-x, AMD-V)

- I/O memory management unit (IOMMU) chipset virtualization (Intel VT-d or AMD-Vi)

- TPM 2.0

**Trusted Platform Module**

A TPM is a tamper-resistant cryptographic module designed to enhance the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a personal computer, tablet, or phone. The computing platform is specially designed to work with the TPM to support privacy and security scenarios that cannot be achieved through software alone. A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, a key created in a TPM with the property that it can never be exported from the TPM really means the key cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling reliable reporting of the software used to start a platform.
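The following PowerShell script is an added example, not part of the original guide. On a running Windows 10 PC it checks the VBS requirements just listed together with the Secure Boot and TPM properties discussed above: it confirms Secure Boot, walks the firmware's db vari­able to list which certificates may sign a bootloader (so you can see whether the Microsoft third-party UEFI CA from the Secure Boot section is trusted), reads the TPM specification version, and reports which VBS platform properties the firmware exposes and whether Credential Guard and hypervisor-enforced code integrity are running. It assumes an elevated session on UEFI firmware, the built-in SecureBoot and TrustedPlatformModule modules, and the root\Microsoft\Windows\DeviceGuard WMI class; the numeric meanings used for that class are taken from Microsoft's Device Guard readiness documentation and are an assumption to verify against your build.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the guide: report the hardware root-of-trust features
# this section relies on. Assumes UEFI firmware, Windows 10 Enterprise, and the
# SecureBoot / TrustedPlatformModule modules plus the Win32_DeviceGuard WMI class.

# Parse the UEFI 'db' variable: a sequence of EFI_SIGNATURE_LIST structures
# (SignatureType GUID, ListSize, HeaderSize, SignatureSize, then entries of
# SignatureOwner GUID + data). X.509 entries carry a DER certificate; hash
# entries (for example EFI_CERT_SHA256_GUID) are reported but not decoded.
function Get-SecureBootDbEntry {
    param([Parameter(Mandatory)][byte[]]$Db)
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Db.Length) {
        $sigType  = [guid]::new([byte[]]$Db[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Db, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Db, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Db, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            if ($sigType -eq $x509Type) {
                $der  = [byte[]]$Db[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Kind = 'X509'; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            } else {
                [pscustomobject]@{ Kind = 'Hash'; Subject = $sigType.ToString(); Thumbprint = ''; NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# --- Secure Boot ------------------------------------------------------------
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
"Secure Boot enabled        : $secureBoot"
if ($secureBoot) {
    $entries = @(Get-SecureBootDbEntry -Db (Get-SecureBootUEFI -Name db).Bytes)
    $entries | Where-Object Kind -eq 'X509' | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    # The third-party CA is what lets Microsoft-signed non-Windows bootloaders start.
    $thirdParty = $entries | Where-Object Subject -like '*Microsoft Corporation UEFI CA 2011*'
    "Third-party UEFI CA in db  : $([bool]$thirdParty)"
}

# --- TPM --------------------------------------------------------------------
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
"TPM present / ready        : $($tpm.TpmPresent) / $($tpm.TpmReady)"
"TPM spec version           : $($tpmInfo.SpecVersion)"   # e.g. '2.0, 0, 1.16'

# --- VBS, Credential Guard, HVCI -------------------------------------------
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
$property  = @{ 1 = 'hypervisor'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)'
                4 = 'secure memory overwrite'; 5 = 'NX'; 6 = 'SMM mitigations'; 7 = 'MBEC' }
"VBS status                 : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Platform properties present: $(@($dg.AvailableSecurityProperties | ForEach-Object { $property[[int]$_] }) -join ', ')"
"Credential Guard running   : $($dg.SecurityServicesRunning -contains 1)"
"HVCI running               : $($dg.SecurityServicesRunning -contains 2)"
```

If "DMA protection (IOMMU)" is missing from the platform properties, VT-d or AMD-Vi is disabled in firmware and VBS will not protect against DMA attacks even when it reports running; if the third-party UEFI CA is absent from db, only Microsoft-signed bootloaders will start, which is the Device Guard configuration described in the Note above.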
+ +The functionality a TPM provides includes: + +- **Cryptographic key management.** Create, store, and permit the use of keys in defined ways. + +- **Safeguarding and reporting integrity measurements.** Software used to boot the platform can be recorded in the TPM and used to establish trust in the software running on the platform. + +- **Prove a TPM is really a TPM.** The TPM’s capabilities are so central to protecting privacy and security that a TPM needs to be able to differentiate itself from malware that masquerades as a TPM. + +Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits. + +Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC. + +Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. 
TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. + +TPM is usually assumed to be implanted in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 supports both discrete and firmware TPM that complies with the 2.0 standard (1.2 can only be discrete). Windows does not differentiate between discrete and firmware-based solutions because they must meet the same requirements; therefore, any Windows feature that can take advantage of TPM can use either implementation. + +**Note**   +Microsoft will not initially require new Windows 10 PCs to include TPM support. Microsoft will require systems to include a TPM 2.0 beginning one year from the launch of Windows 10, however, to give manufacturers enough time to incorporate this critical functionality and to give IT pros enough time to determine which benefits they will leverage. + +  + +Several Windows 10 security features require TPM: + +- Virtual smart cards + +- Measured Boot + +- Health attestation (requires TPM 2.0 or later) + +- InstantGo (requires TPM 2.0 or later) + +Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Microsoft Passport. + +All of these features are covered in this document. + +**Biometrics** + +You read in the [Windows Hello](#windows-hello) section of this document that Windows 10 has built-in support for biometric hardware. Windows has included some amount of built-in biometric support since the Windows XP operating system, so what’s different about this in Windows 10? + +Windows 10 makes biometrics a core security feature. 
Biometrics is fully integrated into the Windows 10 security components, not just tacked on as an extra part of a larger scheme. This is a big change. Earlier biometric implementations were largely front-end methods to simplify authentication. Under the hood, biometrics was used to access a password, which was then used for authentication behind the scenes. Biometrics may have provided convenience but not necessarily enterprise-grade authentication. + +Microsoft has evangelized the importance of enterprise-grade biometric sensors to the OEMs that create Windows PCs and peripherals. Many OEMs already ship systems that have integrated fingerprint sensors and are transitioning from swipe-based to touch-based sensors. Facial-recognition sensors were already available when Windows 10 launched and are becoming more commonplace as integrated system components. + +In the future, Microsoft expects OEMs to produce even more enterprise-grade biometric sensors and to continue to integrate them into systems as well as provide separate peripherals. As a result, biometrics will become a commonplace authentication method as part of an MFA system. + +**Secure Windows startup** + +UEFI Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the devices, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. + +**Trusted Boot** + +When UEFI Secure Boot verifies that the bootloader is trusted and starts Windows, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (for example, signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. 
The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM component. + +If a file has been modified (for example, if malware has tampered with it or it has been corrupted), Trusted Boot will detect the problem and automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay. + +**Early Launch Antimalware** + +Malware that targeted previous versions of Windows often attempted to start before the antimalware solution. To do this, some types of malware would update or replace a non-Microsoft–related driver that starts during the Windows startup process. The malicious driver would then use its system access privileges to modify critical parts of the system and disguise its presence so it could not be detected when the antimalware solution later started. + +Early Launch Antimalware (ELAM) is part of the Trusted Boot feature set and is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures; doing so would delay startup too much. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. + +The design is simple but effective. 
ELAM is a component of a full-featured antimalware solution, and it helps prevent malicious drivers and apps from starting before the rest of the antimalware solution starts later during the boot process. Indeed, ELAM runs only for a few seconds each time a PC starts. Windows Defender in Windows 10 supports ELAM, as does Microsoft System Center 2012 Endpoint Protection and several non-Microsoft antimalware apps. + +If you want to learn how to configure ELAM, you can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers. In the Group Policy Management Editor, go to Computer Configuration\\Administrative Templates\\System\\Early Launch Antimalware, and enable the **Boot-Start Driver Initialization Policy** setting. Now, you can select which driver classifications ELAM loads. When you select the **Good Only** setting, it provides the highest level of security, but test it thoroughly to ensure that it does not prevent users with healthy PCs from starting. + +### + +**Measured Boot** + +The biggest challenge with rootkits and bootkits in earlier versions of Windows is that they can frequently be undetectable to the client. Because they often start before Windows defenses and the antimalware solution and they have system-level privileges, rootkits and bootkits can completely disguise themselves while continuing to access system resources. Although UEFI Secure Boot and Trusted Boot can prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (for example, if UEFI with Secure Boot is disabled or if the signature used to sign a boot component, such as a non-Microsoft driver, has been compromised and is used to sign a malicious one). 
+ +Windows 10 implements the Measured Boot feature, which uses the TPM hardware component built into newer PCs to record a series of measurements for critical startup-related components, including firmware, Windows boot components, drivers, and even the ELAM driver. Because Measured Boot leverages the hardware-based security capabilities of TPM, which isolates and protects the measurement data from malware attacks, the log data is well protected against even sophisticated attacks. + +Measured Boot focuses on acquiring the measurement data and protecting it from tampering. It must be coupled with a service that can analyze the data to determine device health and provide a more complete security service. The next section introduces just such a service. + +**Verify device compliance for conditional access to corporate resources** + +Measured Boot itself does not prevent malware from loading during the startup process – that is the job of Secure Boot, Device Guard, and ELAM. Instead, Measured Boot provides a TPM-protected audit log that allows a trusted remote health attestation service to evaluate the PC’s startup components, state, and overall configuration. If the health attestation service detects that the PC loaded an untrustworthy component and is therefore out of compliance, the service can block the PC’s access to specific network resources or the entire network. You can even couple a health attestation service with a management system to facilitate conditional access capabilities that can initiate the quarantine and remediation processes to fix an infected PC and return it to a compliant state. + +![figure 3](images/security-fig3-healthattestation.png) + +Figure 3. Health Attestation in Windows 10 + +Figure 3 illustrates the following process for device compliance verification and conditional access implementation: + +1. The PC uses the TPM to record measurements of the bootloader, boot drivers, and ELAM driver. 
The TPM prevents anyone from tampering with these measurements, so even if malware is successfully loaded, it will not be able to modify the measurements. These measurements are signed with an Attestation Identity Key (AIK) that is stored in the TPM. Because the TPM hardware has signed the measurements, malware cannot modify them without being detected. + +2. Health Attestation is not enabled by default and requires an enrollment with a mobile device management (MDM) server in order to enable it. If it is enabled, the health attestation client will contact a remote server, called a health attestation server. Microsoft provides a cloud-based Windows Health Attestation service that can help evaluate the health of a device. The health attestation client sends the signed measurements, the device’s TPM boot log, and an AIK certificate (if present), which lets the health attestation server verify that the key used to sign the measurements was issued to a trusted TPM. + +3. The health attestation server analyzes the measurements and boot log and creates a statement of device health. This statement is encrypted to help ensure the confidentiality of the data. + +4. A management system, such as an MDM server, can request that an enrolled device present a statement of device health. Windows 10 supports both Microsoft and non-Microsoft MDM server requests for device health. To prevent theft of device health statements and reuse from other devices, an MDM server sends the enrolled device a “number used only once” (nonce) request along with this request for the device health statement. + +5. The enrolled device digitally signs the nonce with its AIK (which is stored in the TPM) and sends the MDM server the encrypted statement of device health, the digitally signed nonce, and a signed boot counter, which asserts that the device has not been restarted since it obtained the statement of health. + +6. The MDM server can send the same data to the health attestation server. 
The server decrypts the statement of health, asserts that the boot counter in the statement matches the boot counter that was sent to the MDM server, and compiles a list of health attributes. + +7. The health attestation server sends this list of health attributes back to the MDM server. The MDM server now enforces access and compliance policies if configured to do so. + +For a list of data points that the health attestation server verifies, along with a description of the data, see the [HealthAttestation CSP article on MSDN](http://go.microsoft.com/fwlink/p/?LinkId=626940). + +The management system’s implementation determines which attributes within the statement of device health are evaluated when assessing a device’s health. Broadly speaking, the management server receives information about how the device booted, what kind of policy is enforced on the device, and how data on the device is secured. Depending on the implementation, the management server may add checks that go beyond what the statement of device health provides—for example, Windows patch level and other device attributes. + +Based on these data points, the management server can determine whether the client is healthy and grant it access to either a limited quarantine network or to the full network. Individual network resources, such as servers, can also grant or deny access based on whether the remote attestation client were able to retrieve a valid health certification from the remote attestation server. + +Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider the implementation of a management system, like Microsoft Intune, or any management solutions that take advantage of the Windows 10 cloud-based Health Attestation Server feature to detect and block devices that have been infected with advanced malware from network resources. 
+ +## Secure the Windows core + + +Applications built for Windows are designed to be secure and free of defects, but the reality is that as long as human beings are writing code, vulnerabilities will continue to crop up. When identified, malicious users and software may attempt to exploit vulnerabilities by manipulating data in memory in the hope that they can bootstrap a successful exploit. + +To mitigate these risks, Windows 10 includes core improvements to make it more difficult for malware to perform buffer overflow, heap spraying, and other low-level attacks and even which code is allowed to run on the PC. In addition, these improvements dramatically reduce the likelihood that newly discovered vulnerabilities result in a successful exploit. It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level. + +### + +**Device Guard** + +Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation resulting in financial loss. Many of these nefarious attackers are sponsored by nation states that have ulterior motives and large cyber-terrorism budgets. These threats can enter a company through something as simple as an email and can permanently damage the organization’s reputation for securing employee and customer data and intellectual property, not to mention having a significant financial impact. The Windows 10 operating system introduces several new security features that help mitigate a large percentage of today’s known threats. + +It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. 
In fact, current PCs trust everything that runs until antimalware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already occurred. This signature-based system focuses on reacting to an infection and then ensuring that that particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer has often already been infected. The time between detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe. + +In addition to antimalware solutions, “app control” or “whitelisting” technologies are available, including AppLocker. These perform single-instance or blanket allow or deny rules for running applications. In Windows 10, these types of solutions are most effective when deployed alongside the Windows 10 Device Guard feature. + +Device Guard breaks the current model of detection first-block later and allows only trusted applications to run, period. This methodology is consistent with the successful prevention strategy for mobile phone security. With Device Guard, Microsoft has changed how the Windows operating system handles untrusted applications, which makes its defenses difficult for malware to penetrate. This new prevention versus detection model will provide Windows clients with the necessary security for modern threats and, when implemented, mitigates many of today’s threats from day one. + +**Device Guard overview** + +Device Guard is a feature set that consists of both hardware and software system integrity hardening features. 
These features revolutionize the Windows operating system’s security by taking advantage of new VBS options to protect the system core and the processes and drivers running in kernel mode—the trust-nothing model you see in mobile device operating systems. A key feature used with Device Guard is *configurable code integrity*, which allows your organization to choose exactly which software from trusted software publishers is allowed to run code on your client machines—exactly what has made mobile phone security on some platforms, such as Windows Mobile, so successful. Trusted applications are those signed directly (in other words, binaries) or indirectly by using a signed file that lists the hash values for application binaries that are considered trustworthy. In addition, Device Guard offers organizations a way to sign existing LOB applications so that they can trust their own code without the requirement that the application be rebuilt or packaged. Also, this same method of signing can provide organizations a way to trust non-Microsoft applications, including those that may not have been signed directly. Device Guard with configurable code integrity, Credential Guard, and AppLocker present the most complete security defense that any Microsoft product has ever been able to offer a Windows client. + +Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 can leverage them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Hyper V isolates core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. 
+ +To deliver this additional security, Device Guard has the following hardware and software requirements: + +- UEFI Secure Boot (optionally with a non-Microsoft UEFI CA removed from the UEFI database) + +- Virtualization support enabled by default in the system firmware (BIOS): + + - Virtualization extensions (for example, Intel VT-x, AMD RVI) + + - SLAT (for example, Intel EPT, AMD RVI) + + - IOMMU (for example, Intel VT-d, AMD-Vi) + +- UEFI BIOS configured to prevent an unauthorized user from disabling Device Guard–dependent hardware security features (for example, Secure Boot) + +- Kernel mode drivers signed and compatible with hypervisor-enforced code integrity + +- Windows 10 Enterprise only + +- X64 version of Windows + +Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. + +**Configurable code integrity** + +The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application running in user mode needs additional memory, the user mode process must request the resources from the kernel, not directly from RAM. + +Code integrity is the component of the Windows operating system that verifies that the code Windows is running came from a trusted source and is tamper free. 
Like the operating system, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from executing unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the requirements for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI policies. Starting with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. Historically, UMCI has been available only in Windows RT and on Windows Mobile devices, which has made it difficult to infect these devices with viruses and malware. These same successful UMCI policies are available in Windows 10Windows 10. + +Historically, most malware has been unsigned. Simply by deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for the vast majority of current attacks. By using code integrity policies, an enterprise can also select exactly which binaries are allowed to run in both user mode and kernel mode based on the signer, binary hash, or both. When completely enforced, it makes user mode in Windows function like some mobile platforms, trusting and running only specific applications or specific signatures. This feature alone fundamentally changes security in an enterprise. This additional security is *not* limited to Windows apps and does *not* require an application rewrite to be compatible with your existing and possibly unsigned applications. 
You can run configurable code integrity independent of Device Guard, thus making it available to devices that don’t meet Device Guard hardware requirements. + +**Hardware security features and VBS** + +The core functionality and protection of Device Guard starts at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel VT x and AMD V, will be able to take advantage of a VBS environment that dramatically enhances Windows security by isolating critical Windows services from the operating system itself. This isolation is necessary, because you must assume that the operating system kernel will be compromised, and you need assurance that some processes will remain secure. + +Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to protect all kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can’t happen in the first place. + +Another Windows 10 feature that employs VBS is Credential Guard. 
Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section. + +**Device Guard with AppLocker** + +Although AppLocker is not considered a new Device Guard feature, you can use it to complement configurable code integrity functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which you could use code integrity policies alongside AppLocker rules. As a best practice, enforce code integrity policies at the most restrictive level possible for your organization, and then use AppLocker to fine-tune the restrictions to an even lower level. + +**Note**   +One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit which universal applications from the Windows Store users can install on a device. Microsoft has already validated universal applications from the Windows Store as trustworthy to run, but an organization may not want to allow specific universal applications to run in its environment. You could use an AppLocker rule to enforce such a stance. 
+ +In another example, you could enable a configurable code integrity policy to allow users to run all the apps from a specific publisher. To do so, you would add the publisher’s signature to the policy. If your organization decides that only specific apps from that publisher should be allowed to run, you would add the signature for the publisher to the configurable code integrity policy, and then use AppLocker to determine which specific apps can run. + +  + +AppLocker and Device Guard can run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. + +### + +**Device Guard with Credential Guard** + +Although Credential Guard isn’t a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against derived credential theft. Similar to virtualization-based protection of kernel mode through the Device Guard HVCI service, Credential Guard leverages hypervisor technology to protect the Windows authentication service (the LSA) and users’ derived credentials. This mitigation is targeted at preventing the use of pass-the-hash and pass-the-ticket techniques. + +Because Credential Guard uses VBS, it is decisive in its ability to prevent pass-the-hash and pass-the-ticket attacks from occurring on Windows 10 devices. Microsoft recognizes, however, that most organizations will have a blend of Windows versions running in their environments. Mitigations for devices not capable of running Credential Guard on both the client side and the server side are available to help with this scenario. Microsoft will be releasing details to TechNet regarding these additional mitigations in the near future. 
+ +**Unified manageability through Device Guard** + +You can easily manage Device Guard features through the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard: + +- **Group Policy.**Windows 10 provides an administrative template that you can use to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings with your existing Group Policy objects, which makes it simple to implement Device Guard features. In addition to the code integrity and hardware-based security features, Group Policy can help you manage your catalog files. + +- **System Center Configuration Manager.** Use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features as well as to provide version control. + +- **MDM systems.** Organizations will be able to use Microsoft Intune and non-Microsoft MDM systems for deployment and management of code integrity policies and catalog files. + +- **Windows PowerShell.** You use Windows PowerShell primarily to create and service code integrity policies. These policies represent the most impactful component of Device Guard. + +These options provide the same experience you’re used to for management of your existing enterprise management solutions. + +**Address Space Layout Randomization** + +One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. 
In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. + +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 4 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. + +![image 4](images/security-fig4-aslr.png) + +Figure 4. ASLR at work + +Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed in the Windows 8 operating system, Microsoft applied ASLR holistically across the system and increased the level of entropy many times. + +The ASLR implementation in Windows 8 and Windows 10 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. + +**Data Execution Prevention** + +Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later, and ASLR will make that much more difficult. 
Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? + +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted within through a vulnerability exploit. + +Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP. + +If you want to see which apps use DEP, complete these steps: + +1. Open Task Manager: Press Ctrl+Alt+Esc or by searching the Start screen. + +2. Click **More Details** (if necessary), and then click the **Details** tab. + +3. Right-click any column heading, and then click **Select Columns**. + +4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. + +5. Click **OK**. + +You can now see which processes have DEP enabled. Figure 5 shows the processes running on a Windows 10 PC with a single process that does not support DEP. + +![figure 5](images/security-fig5-dep.png) + +Figure 5. Processes on which DEP has been enabled in Windows 10 + +**Windows Heap** + +The *heap* is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack. + +Windows 10 has several important improvements to the security of the heap over Windows 7: + +- Internal data structures that the heap uses are now better protected against memory corruption. 
+ +- Heap memory allocations now have randomized locations and sizes, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. + +- Windows 10 uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. + +Windows 10 resolves known heap attacks that could be used to compromise a PC running previous versions of Windows. + +**Memory reservations** + +The lowest 64 KB of process memory is reserved for the system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory. + +**Control Flow Guard** + +When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gives attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run. + +This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. 
If the location is not trusted, the application is immediately terminated as a potential security risk. + +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Administrators should consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. Of course, browsers are a key entry point for attacks; thus Microsoft Edge, IE, and other Windows features take full advantage of CFG. + +**Protected Processes** + +Benjamin Franklin once said that "an ounce of prevention is worth a pound of cure." His wisdom directly applies to PC security. Most security controls are designed to prevent the initial infection point. The reasoning is that if malware cannot infect the system, the system is immune to malware. + +No computer is immune to malware, however. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, it cannot be the only type of malware control. + +The key security scenario is to assume that malware is running on a system but limit what it can do. Windows 10 has security controls and design features in place to reduce compromise from existing malware infections. Protected Processes is one such feature. + +With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. 
Windows 10 uses Protected Processes more broadly across the operating system, and for the first time, you can put antimalware solutions into the protected process space, which helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. + +## Secure the Windows desktop + + +Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows applications are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk. + +The sections that follow describe Windows 10 improvements to application security in more detail. + +**Microsoft Edge and Internet Explorer 11** + +Browser security is a critical component of any security strategy, and for good reason: The browser is the user’s interface to the Internet, an environment that is quite literally overwhelmed with malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. + +All browsers enable some amount of extensibility to do things beyond the original scope of the browser. 
Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. + +Microsoft includes an entirely new browser, Microsoft Edge, in Windows 10. Microsoft Edge is more secure in several ways, especially: + +- **Microsoft Edge does not support non-Microsoft binary extensions.** Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions but no other binary extensions, including ActiveX controls and Java. + +- **Microsoft Edge runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure when vulnerabilities are discovered and attempts are made to exploit them. + +- **Microsoft Edge is designed as a Universal Windows app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because it can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. + +- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft created Microsoft Edge default settings that align with security best practices, which makes it secure by default. + +In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10 primarily for backwards-compatibility with websites and binary extensions that do not work with Microsoft Edge. 
It should not be configured as the primary browser but rather as an optional or automatic switchover, as shown in Figure 6. + +![figure 6](images/security-fig6-edge2.png) + +Figure 6. Configure Windows 10 to switch from Microsoft Edge to IE11 for backwards-compatibility. + +Microsoft’s recommendation is to use Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. When configured, when users use Microsoft Edge and it identifies a site that requires IE11, they will automatically be switched to IE11. + +**The SmartScreen Filter** + +Recent versions of Windows have many effective techniques to prevent malware from installing itself without the user’s knowledge. To work around those restrictions, malware attacks often use social engineering techniques to trick users into running software. For example, malware known as a Trojan horse pretends to be something useful, such as a utility, but carries an additional, malicious payload. + +Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filter’s application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings. 
+ +For Windows 10, Microsoft further developed the SmartScreen Filter by integrating its app reputation abilities into the operating system itself, which allows the filter to protect users regardless of the web browser they are using or the path that the app uses to arrive on the device (for example, email, USB flash drive). The first time a user runs an app that originates from the Internet, even if the user copied it from another PC, the SmartScreen Filter checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, the SmartScreen Filter warns the user or blocks execution entirely, depending on how the administrator has configured Group Policy (see Figure 7). + +![figure 7](images/security-fig7-smartscreenfilter.png) + +Figure 7. The SmartScreen Filter at work in Windows 10 + +By default, users have the option to bypass SmartScreen Filter protection so that it will not prevent a user from running a legitimate app. You can use Control Panel or Group Policy settings to disable the SmartScreen Filter or to completely prevent users from running apps that the SmartScreen Filter does not recognize. The Control Panel settings are shown in Figure 8. + +![figure 8](images/security-fig8-smartscreenconfig.png) + +Figure 8. The Windows SmartScreen configuration options in Control Panel + +If you want to try the SmartScreen Filter, use Windows 7 to download this simulated (but not dangerous) malware file:[freevideo.exe](http://go.microsoft.com/fwlink/p/?LinkId=626943). Save it to your computer, and then run it from Windows Explorer. As shown in Figure 9, Windows runs the app without much warning. In Windows 7, you might receive a warning message about the app not having a certificate, but you can easily bypass it. + +![figure 9](images/security-fig9-windows7allow.png) + +Figure 9. 
Windows 7 allows the app to run + +Now, repeat the test on a computer running Windows 10 by copying the file to a Windows 10 PC or by downloading the file again and saving it to your local computer. Run the file directly from File Explorer, and the SmartScreen Filter will warn you before it allows it to run. Microsoft’s data shows that for a vast majority of users, that extra warning is enough to save them from a malware infection. + +**Universal Windows apps** + +The good news is that the download and use of Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store will dramatically reduce the likelihood that you encounter malware on your PC because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. + +Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. + +In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. 
+ +In the end, the Windows Store app distribution process and the app sandboxing capabilities of Windows 10 will dramatically reduce the likelihood that users encounter malicious apps on the system. + +**Windows Defender** + +Antimalware software, also generically called virus scanners, antivirus, and a host of other names, has been around for a long time. Microsoft shipped its first program in this category, Microsoft Anti-Virus, in 1993 for MS DOS 6.0. At the time, the approach of running a standalone MS DOS program to locate and remove viruses was sufficient. + +Times change and technology progresses, and antimalware software has also evolved. It is crucial to have multilayered defense with interoperability when you manage modern threats. Windows Defender uses the operating system extensively to achieve interoperability across the varying layers of defense. It is important to have an effective antimalware solution in place as an important obstacle between malware and enterprise assets, and it complements features like Device Guard. For example, an antimalware solution could help detect malicious behavior in memory or even within trusted applications, an area that Device Guard is not designed to address. + +Windows Defender has evolved to meet the growing complexity of IT and the challenges that come with this complexity. Windows included Windows Defender, a robust inbox antimalware solution, starting with Windows 8. Now, with Windows 10, Microsoft has significantly improved Windows Defender. + +Windows Defender in Windows 10 uses a four-pronged approach to improve antimalware: rich local context, extensive global sensors, tamper proofing, and the empowerment of IT security professionals. This section explains each prong. + +**Rich, local context** improves how malware is identified. Windows 10 informs Windows Defender not only about content like files and processes but also where the content came from, where it has been stored, and more. 
The information about source and history enables Windows Defender to apply different levels of scrutiny to different content. + +For example, an application downloaded from the Internet would be more heavily scrutinized than an application installed from a trusted server. Windows 10 persists the history of the Internet-sourced application at the operating system level so that the app cannot erase its own tracks. The history is tracked and stored by the Persisted Store, a new feature in Windows 10 that securely manages the rich local context and prevents unauthorized modification or deletion. The rich local context improvements also help prevent malware from using tactics such as obfuscation as a means to evade detection. + +Local context also extends to how antimalware software exposes interfaces. Windows Defender implements the Antimalware Scan Interface (AMSI), a generic public interface standard that allows applications and services to request Windows Defender to scan and analyze obfuscated code before execution. AMSI is available for any application and antimalware solution to implement. In Windows 10, AMSI is accessible through Windows PowerShell, the Windows Script Host, JavaScript, and Microsoft JScript. + +In Windows 10, Microsoft implemented a new technology that allows Windows Defender to work closely with User Account Control (UAC) requests. When the UAC system is triggered, it requests a scan from Windows Defender before it prompts for elevation. Windows Defender scans the file or process and determines whether it's malicious. If it’s malicious, the user will see a message that explains that Windows Defender blocked the file or process from executing; if it's not malicious, then UAC will run and display the usual elevation request prompt. + +**Extensive global sensors** help keep Windows Defender current and aware of even the newest malware. 
This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. The goal is to identify new, emerging malware and block it in the first critical hours of its lifetime to limit exposure to the broader PC ecosystem. + +With Windows Defender in Windows 8, Microsoft first introduced Windows Defender Cloud Protection, which helps to better react in the quickly evolving malware landscape. The goal is to block malware the "first time it’s seen" in the first critical hours of a malware attack. + +To help preserve the privacy of customers, Microsoft allows customers to opt in or out of the system. To participate, you simply opt into the program. To opt in for Windows 10, click **Settings**, click **Update & Security**, and then click **Windows Defender**. The opt-in choices are shown in Figure 10. + +![figure 10](images/security-fig10-optinsettings.png) + +Figure 10. Windows Defender opt-in settings in Windows 10 + +Of course, system administrators have centralized control of all Windows Defender settings through Group Policy. The Windows Defender configuration settings are shown under Computer Configuration/Windows Components/Windows Defender, as shown in Figure 11. + +![figure 11](images/security-fig11-defendersettings.png) + +Figure 11. Windows Defender settings in Group Policy– the sample submission options are listed under MAPS + +**Tamper proofing** is the safeguarding of Windows Defender itself against malware attacks. Malware creators assume that antimalware software is implemented on most PCs. Many malware creators choose to overcome that obstacle by designing malware that modifies the antimalware software in some way, such as disabling real-time scanning or by hiding specific processes. Some malware goes as far as completely disabling the antimalware software while making it appear fully functional to the user. 
+ +Windows Defender is designed to resist tampering; it uses several security technologies available in Windows 10, the primary of which is Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender components, its registry keys, and so on. Tamper proofing in Windows Defender is also the indirect result of system-wide security components, including UEFI with Secure Boot and ELAM. These components help provide a more secure environment in which Windows Defender can launch in before it begins to defend itself. + +**Empowerment of IT security professionals** means that Windows Defender gives IT pros the tools and configuration options necessary to make it an enterprise-class antimalware solution. It has numerous enterprise-level features that put it on par with the top products in this category: + +- Integration with centralized management software, including Microsoft Intune, System Center Configuration Manager, and Microsoft System Center Operations Manager. Unlike Windows 8.1, no additional client is necessary, because Windows Defender is now integrated into Windows and only a management layer needs to be added. + +- Windows Defender supports the Open Mobile Alliance Device Management standard for centralized management by many non-Microsoft device management solutions. + +- It includes integrated classic command-line and Windows PowerShell cmdlet support. + +- Support for Windows Management Instrumentation reporting and application management is built in. + +- Full integration with Group Policy offers complete IT configuration management. + +In addition, Windows Defender now integrates the Windows Defender Offline Tool, which formerly required the creation of a bootable, standalone version of Windows Defender into the Windows Recovery Environment. 
This simplifies the process of remediating low-level malware infections, which may prove difficult to detect and remove with the antimalware solution running on the Windows desktop. You can update signatures for this environment automatically from within the Windows Defender Offline experience. + +Beyond Windows Defender, Windows 10 provides deep operating system access for antimalware products. Non-Microsoft antimalware vendors can take advantage of Microsoft’s new APIs and interfaces to gain unprecedented access to Windows 10 resources for malware detection and removal. Non-Microsoft antimalware solutions can implement ELAM drivers, which scan Windows 10 while it’s in its initial startup process. The broad set of new low-level interfaces lets non-Microsoft antimalware solutions perform advanced malware detection in a way that enables them to retain application compatibility even when Microsoft makes significant changes to Windows internals, such as are often made between major operating system versions. + +This access presents a security challenge, however: How does Windows 10 grant antimalware software generous access while ensuring that malware doesn’t take advantage of the very same access? Microsoft has been hard at work with several non-Microsoft software vendors to meet this challenge. If a third party wants this level of access, it must meet certain criteria and vetting requirements, and then Microsoft must digitally sign its software. This allows Microsoft to verify the authenticity of the software vendors and prevent nefarious individuals from creating their own self-signed fake malware scanners. + +To be clear, Microsoft is not restricting the antimalware vendors or their innovations. Nor is Microsoft changing software distribution channels. When Microsoft has signed the antimalware application, you can deploy and install it through any means. 
Microsoft is basically ensuring that these software developers are authentic, industry-recognized entities before signing their antimalware software and, in doing so, granting extended privileges to it. + +Another security threat that customers face particularly in consumer and bring your own device (BYOD) scenarios is a disabled or outdated antimalware product. A BYOD computer that has an installed but ineffective antimalware product can be more dangerous than no product at all, because it gives the illusion of security. Windows Defender in Windows 10 mitigates this threat by helping ensure that either Windows Defender or the customer’s preferred non-Microsoft solution is running and in a healthy state. + +Whenever non-Microsoft real-time protection is in an inoperable state (for example, disabled, expired) for 24 hours, Windows Defender automatically turns on to ensure that the device is protected. Windows attempts to help the user remediate the issue with the non-Microsoft antimalware solution by notifying him or her as early as 5 days before the software expires. If the solution expires, Windows enables Windows Defender and continues to remind the user to renew the non-Microsoft solution. When the user updates or reactivates the solution, Windows Defender is automatically disabled. In the end, the goal is to make sure that an operable antimalware solution is running at all times. + +## Conclusion + + +Windows 10 is the culmination of many years of effort from Microsoft, and its impact from a security perspective will be significant. Many of us still remember the years of Windows XP, when the attacks on the Windows operating system, applications, and data increased in volume and matured into serious threats. With the existing platforms and security solutions that you’ve likely deployed, you’re better defended than ever. But as attackers have become more advanced, there is no doubt that they have exceeded your ability to defend your organization and users. 
Evidence of this fact can be found in the news virtually every day as yet another major organization falls victim. Microsoft specifically designed Windows 10 to address these modern threats and tactics from the most advanced adversaries. It can truly change the game for your organization, and it can restore your advantage against those would like to make you their next victim. + +## Related topics + + +[Windows 10 Specifications](http://go.microsoft.com/fwlink/p/?LinkId=625077 ) + +[HealthAttestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=626940 ) + +[Making Windows 10 More Personal and More Secure with Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=626945) + +[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md new file mode 100644 index 0000000000..f2dee1270d --- /dev/null +++ b/windows/keep-secure/windows-defender-in-windows-10.md 
@@ -0,0 +1,102 @@ +--- +title: Windows Defender in Windows 10 (Windows 10) +description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. +ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Windows Defender in Windows 10 + + +**Applies to** + +- Windows 10 + +Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. + +This topic provides an overview of Windows Defender, including a list of system requirements and new features. + +For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx). + +Take advantage of Windows Defender by configuring the settings and definitions using the following tools: + +- Microsoft Active Directory *Group Policy* for settings +- Windows Server Update Services (WSUS) for definitions + +Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md). + +**Note**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including: +- Settings management +- Definition update management +- Alerts and alert management +- Reports and report management + +When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. 
While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. + +  + +### Minimum system requirements + +Windows Defender has the same hardware requirements as Windows 10. For more information, see: + +- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) +- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) + +### New and changed functionality + +- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise. + +- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed. + +- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices. + +For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)

IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using:

+
    +
  • Group Policy Settings
  • +
  • Windows Management Instrumentation (WMI)
  • +
  • PowerShell
  • +

[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)

IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS.

[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)

IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
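Review bot: the cross-reference under "New and changed functionality" is mislabeled: the link text reads "Windows Defender in Windows 10: System integration" but the target is threatreports_august_2015.aspx, a monthly threat report page, so either the text or the URL is wrong and should be verified before merge. The Endpoint Protection note is also unclear about what an admin will actually see: "it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent" and "though it will appear as if the full product is installed" leave the reader unsure what is listed in Add/Remove Programs versus what is running; say plainly that only the management layer is installed and that it is what appears in the list. Minor: "For more important information" reads as a typo for "For more information", and ms.assetid here is upper-case (6A9EB85E-...) while the AppLocker files added in this change use lower-case GUIDs.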

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md new file mode 100644 index 0000000000..7b9bed5681 --- /dev/null +++ b/windows/keep-secure/windows-hello-in-enterprise.md 
@@ -0,0 +1,87 @@ +--- +title: Windows Hello biometrics in the enterprise (Windows 10) +description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. +ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc +keywords: ["Windows Hello", "enterprise biometrics"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Windows Hello biometrics in the enterprise +**Applies to:** + +- Windows 10 + +Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. + +Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. + +##How does Windows Hello work? +Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials. + +The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. + +## Why should I let my employees use Windows Hello? +Windows Hello provides many benefits, including: + +- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. 
Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. + +- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! + +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic. + +## Where is Microsoft Hello data stored? +The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. + +## Has Microsoft set any device requirements for Windows Hello? +We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: + +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. + +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. + +### Fingerprint sensor requirements +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. 
Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional). + +**Acceptable performance range for small to large size touch sensors** + +- False Accept Rate (FAR): <0.001 – 0.002% + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +**Acceptable performance range for swipe sensors** + +- False Accept Rate (FAR): <0.002% + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +### Facial recognition sensors +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). + +- False Accept Rate (FAR): <0.001 + +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% + +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% + +## Related topics +- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) +- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) +- [Microsoft Passport guide](microsoft-passport-guide.md) +- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md) +- [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219) + +  + +  + + + + + 
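Review bot: under "Facial recognition sensors", the FAR requirement is written as "<0.001" with no unit, while the fingerprint sections give "<0.001 – 0.002%" and "<0.002%"; as written it can be read as a ratio (0.1%) rather than 0.001%, a hundredfold difference in an acceptance threshold that the same topic calls "the most important with regards to the security of the biometric algorithm", so add the % sign (or use the "1 in 100 000" ratio form the FAR definition uses). Also the heading "## Where is Microsoft Hello data stored?" should read "Windows Hello", and "##How does Windows Hello work?" is missing the space after ## and will not render as a heading. Wording: "Mobile Device Management (MDM) configurations service provider (CSP)" should be "configuration service provider", "biometric devices and polices" should be "policies", and ms.assetid "d3f27d94-...-65c84d6df8Bc" has a stray upper-case character in an otherwise lower-case GUID.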
diff --git a/windows/keep-secure/windows-installer-rules-in-applocker.md b/windows/keep-secure/windows-installer-rules-in-applocker.md new file mode 100644 index 0000000000..5bab8afeaf --- /dev/null +++ b/windows/keep-secure/windows-installer-rules-in-applocker.md @@ -0,0 +1,81 @@ +--- +title: Windows Installer rules in AppLocker (Windows 10) +description: This topic describes the file formats and available default rules for the Windows Installer rule collection. +ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Windows Installer rules in AppLocker + + +**Applies to** + +- Windows 10 + +This topic describes the file formats and available default rules for the Windows Installer rule collection. + +AppLocker defines Windows Installer rules to include only the following file formats: + +- .msi + +- .msp + +- .mst + +The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PurposeNameUserRule condition type

Allow members of the local Administrators group to run all Windows Installer files

(Default Rule) All Windows Installer files

BUILTIN\Administrators

Path: *

Allow all users to run Windows Installer files that are digitally signed

(Default Rule) All digitally signed Windows Installer files

Everyone

Publisher: * (all signed files)

Allow all users to run Windows Installer files that are located in the Windows Installer folder

(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer

Everyone

Path: %windir%\Installer\*

+ +  + +## Related topics + + +[Understanding AppLocker default rules](understanding-applocker-default-rules.md) + +  + +  + + + + + diff --git a/windows/keep-secure/working-with-applocker-policies.md b/windows/keep-secure/working-with-applocker-policies.md new file mode 100644 index 0000000000..815ea0211f --- /dev/null +++ b/windows/keep-secure/working-with-applocker-policies.md @@ -0,0 +1,99 @@ +--- +title: Working with AppLocker policies (Windows 10) +description: This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. +ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Working with AppLocker policies + + +**Applies to** + +- Windows 10 + +This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Configure the Application Identity service](configure-the-application-identity-service.md)

This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.

[Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)

This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.

[Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)

This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.

[Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)

This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.

[Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)

This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.

[Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)

This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing.

[Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)

This topic for IT professionals describes how to import an AppLocker policy.

[Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)

This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO).

[Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)

This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).

[Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)

This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.

[Merge AppLocker policies manually](merge-applocker-policies-manually.md)

This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO).

[Refresh an AppLocker policy](refresh-an-applocker-policy.md)

This topic for IT professionals describes the steps to force an update for an AppLocker policy.

[Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)

This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer.
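Review bot: in the "Add rules for packaged apps to existing AppLocker rule-set" row, "Remote Server Administration Toolkit (RSAT)" is incorrect; RSAT is the Remote Server Administration Tools. The cmdlet name is also spelled inconsistently across rows: "Set-ApplockerPolicy" in the merge row versus "Test-AppLockerPolicy" in the test row; the PowerShell cmdlets use "AppLocker" with a capital L, so the merge row text should follow suit. Minor: "describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker" repeats itself; drop the trailing "by using AppLocker".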

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md new file mode 100644 index 0000000000..5fad689a53 --- /dev/null +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -0,0 +1,469 @@ +--- +title: Working with AppLocker rules (Windows 10) +description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. +ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: brianlic-msft +--- + +# Working with AppLocker rules + + +**Applies to** + +- Windows 10 + +This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.

[Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a path condition.

[Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)

This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.

[Create AppLocker default rules](create-applocker-default-rules.md)

This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.

[Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)

This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.

[Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)

This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.

[Delete an AppLocker rule](delete-an-applocker-rule.md)

This topic for IT professionals describes the steps to delete an AppLocker rule.

[Edit AppLocker rules](edit-applocker-rules.md)

This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.

[Enable the DLL rule collection](enable-the-dll-rule-collection.md)

This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.

[Enforce AppLocker rules](enforce-applocker-rules.md)

This topic for IT professionals describes how to enforce application control rules by using AppLocker.

[Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)

This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.

+ +  + +The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Enforcement modeDescription

Not configured

This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.

Enforce rules

Rules are enforced.

Audit only

Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced

+ +  + +When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied. + +## Rule collections + + +The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Rule collectionAssociated file formats

Executable files

.exe

+

.com

Scripts

.ps1

+

.bat

+

.cmd

+

.vbs

+

.js

Windows Installer files

.msi

+

.msp

+

.mst

Packaged apps and packaged app installers

.appx

DLL files

.dll

+

.ocx

+ +  + +**Important**   +If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. + +When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. + +The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). + +  + +## Rule conditions + + +Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. + +- [Publisher](#bkmk-publisher): Identifies an app based on its digital signature + +- [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network + +- [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file + +### Publisher + +This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. + +**Note**   +Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. 
+ +  + +**Note**   +Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. + +  + +When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. + +**Note**   +To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. + +  + +The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options: + +- **Exactly.** The rule applies only to this version of the app + +- **And above.** The rule applies to this version and all later versions. + +- **And below.** The rule applies to this version and all earlier versions. + +The following table describes how a publisher condition is applied. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionThe publisher condition allows or denies…

All signed files

All files that are signed by any publisher.

Publisher only

All files that are signed by the named publisher.

Publisher and product name

All files for the specified product that are signed by the named publisher.

Publisher and product name, and file name

Any version of the named file or package for the named product that are signed by the publisher.

Publisher, product name, file name, and file version

Exactly

+

The specified version of the named file or package for the named product that are signed by the publisher.

Publisher, product name, file name, and file version

And above

+

The specified version of the named file or package and any new releases for the product that are signed by the publisher.

Publisher, product name, file name, and file version

And below

+

The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.

Custom

You can edit the Publisher, Product name, File name, Version Package name, and Package version fields to create a custom rule.

+ +  + +### Path + +This rule condition identifies an application by its location in the file system of the computer or on the network. + +AppLocker uses custom path variables for well-known paths, such as Program Files and Windows. + +The following table details these path variables. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows directory or diskAppLocker path variableWindows environment variable

Windows

%WINDIR%

%SystemRoot%

System32

%SYSTEM32%

%SystemDirectory%

Windows installation directory

%OSDRIVE%

%SystemDrive%

Program Files

%PROGRAMFILES%

%ProgramFiles% and

+

%ProgramFiles(x86)%

Removable media (for example, a CD or DVD)

%REMOVABLE%

Removable storage device (for example, a USB flash drive)

%HOT%

+ +  + +**Important**   +Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile. + +  + +### File hash + +When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. + +## AppLocker default rules + + +AppLocker allows you to generate default rules for each rule collection. + +Executable default rule types include: + +- Allow members of the local **Administrators** group to run all apps. + +- Allow members of the **Everyone** group to run apps that are located in the Windows folder. + +- Allow members of the **Everyone** group to run apps that are located in the Program Files folder. + +Script default rule types include: + +- Allow members of the local **Administrators** group to run all scripts. + +- Allow members of the **Everyone** group to run scripts that are located in the Program Files folder. + +- Allow members of the **Everyone** group to run scripts that are located in the Windows folder. + +Windows Installer default rule types include: + +- Allow members of the local **Administrators** group to run all Windows Installer files. + +- Allow members of the **Everyone** group to run all digitally signed Windows Installer files. 
+ +- Allow members of the **Everyone** group to run all Windows Installer files that are located in the Windows\\Installer folder. + +DLL default rule types: + +- Allow members of the local **Administrators** group to run all DLLs. + +- Allow members of the **Everyone** group to run DLLs that are located in the Program Files folder. + +- Allow members of the **Everyone** group to run DLLs that are located in the Windows folder. + +Packaged apps default rule types: + +- Allow members of the **Everyone** group to install and run all signed packaged apps and packaged app installers. + +## AppLocker rule behavior + + +If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. + +A rule can be configured to use allow or deny actions: + +- **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. + +- **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. + +**Important**   +For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. 
+ +  + +**Important**   +If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection. + +  + +## Rule exceptions + + +You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. + +The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. + +## DLL rule collection + + +Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. + +Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. + +**To enable the DLL rule collection** + +1. Click **Start**, type **secpol.msc**, and then press ENTER. + +2. 
If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + +3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**. + +4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. + + **Important**   + Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. + +   + +## AppLocker wizards + + +You can create rules by using two AppLocker wizards: + +1. The Create Rules Wizard enables you to create one rule at a time. + +2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. + +## Additional considerations + + +- By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications. + +- There are two types of AppLocker conditions that do not persist following an update of an app: + + - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released. 
+ + - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. + +- If an app is not digitally signed, you cannot use a publisher rule condition for that app. + +- AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. + +- The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8. + +- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection does not contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection. + +- When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. + +- A custom configured URL can be included in the message that is displayed when an app is blocked. + +- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed. + +  + +  + + + + + 
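Review bot: the in-page links "#bkmk-publisher", "#bkmk-path" and "#bkmk-filehash" (under "Rule conditions") and "#bkmk-dllrulecollections" (after the rule collection table) point at bookmark ids this file never defines; the targets are plain headings ("### Publisher", "### Path", "### File hash", "## DLL rule collection") with no anchors, so all four links are dead. Either add the anchors or link to the headings directly. On content: the Important note "deny actions override allow actions in all cases, and can be circumvented" gives no reason, yet the reason is already on the page ("only the files explicitly allowed in a rule are permitted to run"); one sentence tying the two together, that a deny rule blocks only the files it matches while an allow-list blocks everything it does not match, would make the "use allow actions with exceptions" advice land. The packaged apps default rule, "install and run all signed packaged apps and packaged app installers", has the same any-publisher scope as the Windows Installer default and deserves the same caveat. Typos: "Exactly. The rule applies only to this version of the app" lacks a period, "Version Package name" needs a comma, "that are signed by the publisher" in the "Any version of the named file" row should be "is signed", and the "Audit only" row of the enforcement mode table ends without a period.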
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md new file mode 100644 index 0000000000..2398446f4f --- /dev/null +++ b/windows/manage/TOC.md 
@@ -0,0 +1,57 @@ +# [Manage and update Windows 10](index.md) +## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) +## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) +## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) +## [Manage corporate devices](manage-corporate-devices.md) +### [New policies for Windows 10](new-policies-for-windows-10.md) +### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) +### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) +## [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +### [Customize and export Start layout](customize-and-export-start-layout.md) +### [Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +### [Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +## [Lock down Windows 10](lock-down-windows-10.md) +### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) +#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) +#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) +### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) +### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) +### [Configure access to Windows 
Store](stop-employees-from-using-the-windows-store.md) +### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) +### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) +#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) +#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) +### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) +## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) +## [Configure devices without MDM](configure-devices-without-mdm.md) +## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) +## [Application development for Windows as a service](application-development-for-windows-as-a-service.md) +## [Windows Store for Business](windows-store-for-business.md) +### [Sign up and get started](sign-up-windows-store-for-business-overview.md) +#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md) +#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md) +#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md) +#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) +### [Find and acquire apps](find-and-acquire-apps-overview.md) +#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md) +#### [Working with line-of-business apps](working-with-line-of-business-apps.md) +### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) +#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) +#### [Assign apps to employees](assign-apps-to-employees.md) +#### [Distribute apps with a management 
tool](distribute-apps-with-management-tool.md) +#### [Distribute offline apps](distribute-offline-apps.md) +### [Manage apps](manage-apps-windows-store-for-business-overview.md) +#### [Manage access to private store](manage-access-to-private-store.md) +#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md) +#### [Manage private store settings](manage-private-store-settings.md) +#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) +### [Device Guard signing portal](device-guard-signing-portal.md) +#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) +#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) +### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md) +#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) +#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) +### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) + diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/windows/manage/add-unsigned-app-to-code-integrity-policy.md new file mode 100644 index 0000000000..538034d0f2 --- /dev/null +++ b/windows/manage/add-unsigned-app-to-code-integrity-policy.md 
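Review bot: in the TOC.md hunk above, the entry `#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)` carries the typo "managemement" in both the link text and the file name, and the new file later in this same change is created under that misspelled name, so the typo will be baked into the published URL and every cross-reference. Rename the file to `app-inventory-management-windows-store-for-business.md` in this change and fix the TOC entry to match, rather than leaving it for a later rename that breaks inbound links.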
@@ -0,0 +1,122 @@ +--- +title: Add unsigned app to code integrity policy (Windows 10) +description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. +ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Add unsigned app to code integrity policy + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. + +## In this section + + +- [Create a code integrity policy based on a reference device](#create-ci-policy) +- [Create catalog files for your unsigned app](#create-catalog-files) +- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal) + +## Create a code integrity policy based on a reference device + + +To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](https://technet.microsoft.com/library/mt243445.aspx). + +## Create catalog files for your unsigned app + + +Creating catalog files starts the process for adding an unsigned app to a code integrity policy. + +Before you get started, be sure to review these best practices and requirements: + +**Requirements** + +- You'll use Package Inspector during this process. + +- Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy. 
+ +**Best practices** + +- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx). + +- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. + +Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. + +**To create catalog files for your unsigned app** + +1. Start Package Inspector to scan the C drive. + + `PackageInspector.exe Start C:` + +2. Copy the installation media to the C drive. + + Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed. + +3. Install and start the app. + + All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries. + +4. Stop the scan and create definition and catalog files. + + After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop. 
+ + `$ExamplePath=$env:userprofile+"\Desktop"` + + `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` + + `$CatDefName=$ExamplePath+"\LOBApp.cdf"` + + `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` + +The Package Inspector scan catalogs the hash values for each binary file that is finds. If the app that was scanned are updated, do this process again to trust the new binaries hash values. + +After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy. + +## Catalog signing with Device Guard signing portal + + +To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-windows-store-for-business.md). + +Catalog signing is a vital step to adding your unsigned apps to your code integrity policy. + +**To sign a catalog file with Device Guard signing portal** + +1. Sign in to the Store for Business + +2. Click **Settings**, and then choose **Device Guard signing**. + +3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files). + +4. After the files are uploaded, click **Sign** to sign the catalog files. + +5. Click Download to download each item: + + - signed catalog file + + - default policy + + - root certificate for your organization + + When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. 
For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx). + +6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. + +7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with System Center Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx). + +  + +  + + + + + diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md new file mode 100644 index 0000000000..fc68012857 --- /dev/null +++ b/windows/manage/administrative-tools-in-windows-10.md 
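Review bot: step 6 of the add-unsigned-app hunk ("Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store") does not say which store the root goes into or whether "your machine" means only the administrator's workstation; step 7 then deploys the signed catalogs to managed devices, so a reader cannot tell whether the root must also reach those devices. Name the store and state explicitly which machines need it. Two smaller points in the same hunk: the "In this section" links `#create-ci-policy`, `#create-catalog-files` and `#catalog-signing-device-guard-portal` do not match the auto-generated anchors of the headings they point at (for example "## Create a code integrity policy based on a reference device"), so they will not resolve unless the build system adds custom anchors; and the sentence after the `PackageInspector.exe Stop` command has grammar errors ("each binary file that is finds", "If the app that was scanned are updated", "new binaries hash values") that should read "that it finds", "is updated" and "the new binaries' hash values".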
@@ -0,0 +1,52 @@ +--- +title: Administrative Tools in Windows 10 (Windows 10) +description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. +ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Administrative Tools in Windows 10 + + +**Applies to** + +- Windows 10 + +Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. The tools in the folder might vary depending on which edition of Windows you are using. + +These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. + +**Tip**   +If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content. 
+ +  + +- [Component Services]( http://go.microsoft.com/fwlink/p/?LinkId=708489) +- [Computer Management](http://go.microsoft.com/fwlink/p/?LinkId=708490) +- [Defragment and Optimize Drives](http://go.microsoft.com/fwlink/p/?LinkId=708488) +- [Disk Cleanup](http://go.microsoft.com/fwlink/p/?LinkID=698648) +- [Event Viewer](http://go.microsoft.com/fwlink/p/?LinkId=708491) +- [iSCSI Initiator](http://go.microsoft.com/fwlink/p/?LinkId=708492) +- [Local Security Policy](http://go.microsoft.com/fwlink/p/?LinkId=708493) +- [ODBC Data Sources]( http://go.microsoft.com/fwlink/p/?LinkId=708494) +- [Performance Monitor](http://go.microsoft.com/fwlink/p/?LinkId=708495) +- [Print Management](http://go.microsoft.com/fwlink/p/?LinkId=708496) +- [Resource Monitor](http://go.microsoft.com/fwlink/p/?LinkId=708497) +- [Services](http://go.microsoft.com/fwlink/p/?LinkId=708498) +- [System Configuration](http://go.microsoft.com/fwlink/p/?LinkId=708499) +- [System Information]( http://go.microsoft.com/fwlink/p/?LinkId=708500) +- [Task Scheduler](http://go.microsoft.com/fwlink/p/?LinkId=708501) +- [Windows Firewall with Advanced Security](http://go.microsoft.com/fwlink/p/?LinkId=708503) +- [Windows Memory Diagnostic]( http://go.microsoft.com/fwlink/p/?LinkId=708507) + +  + +  + + + + + diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md new file mode 100644 index 0000000000..77c0e6e634 --- /dev/null +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md 
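Review bot: four of the link targets in the administrative-tools hunk above have a space after the opening parenthesis, for example `- [Component Services]( http://go.microsoft.com/fwlink/p/?LinkId=708489)`, and likewise ODBC Data Sources, System Information and Windows Memory Diagnostic; depending on the markdown renderer that space yields a literal `( http://...` instead of a hyperlink. Remove the spaces, and for consistency use one casing of the query parameter (Disk Cleanup uses `LinkID` while every other entry uses `LinkId`).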
@@ -0,0 +1,206 @@ +--- +title: App inventory management for Windows Store for Business (Windows 10) +description: You can manage all apps that you've acquired on your Inventory page. +ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# App inventory management for Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can manage all apps that you've acquired on your **Inventory** page. + +The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). + +All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses. + +![](images/wsfb-inventoryaddprivatestore.png) + +Store for Business shows this info for each app in your inventory: + +- Name + +- Access to actions for the app + +- Last modified date + +- Supported devices + +- Private store status + +### Find apps in your inventory + +There are a couple of ways to find specific apps, or groups of apps in your inventory. + +**Search** - Use the Search box to search for an app. + +**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes: + +- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). 
+ +- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. + +- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. + +- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store. + +### Manage apps in your inventory + +Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ActionOnline-licensed appOffline-licensed app

Assign to employees

X

Add to private store

X

Remove from private store

X

View license details

X

View product details

X

X

Download for offline use

X

+ +  + +**Note**   +Removing apps from inventory is not currently supported. + +  + +The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). + +### Distribute apps + +For online-licensed apps, there are a couple of ways to distribute apps from your inventory: + +- Assign apps to people in your organization. + +- Add apps to your private store, and let people in your organization install the app. + +If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). + +### Assign apps + +You can assign apps directly to people in your organization. You can assign apps to individuals, a few people, or to a group. For more information, see [Assign apps to employees](assign-apps-to-employees.md). + +### Private store + +The private store is a feature in the Store for Business. Once an online-licensed app is in your inventory, you can make it available in your private store. When you add apps to the private store, all employees in your organization can view and download the app. Employees access the private store as a page in Windows Store app. + +For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). + +### Manage app licenses + +For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization. 
+ +**To view license details** + +1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845) + +2. Click **Manage**, and then choose **Inventory**. + +3. Click the ellipses for and app, and then choose **View license details**. + + ![](images/wsfb-inventory-viewlicense.png) + + You'll see the names of people in your organization who have installed the app and are using one of the licenses. + + ![](images/wsfb-licensedetails.png) + + On **Assigned licenses**, you can do several things: + + - Assign the app to other people in your organization. + + - Reclaim app licenses. + + - View app details. + + - Add the app to your private store, if it is not in the private store. + + You can assign the app to more people in your organization, or reclaim licenses. + + **To assign an app to more people** + + - Click Assign to people, type the email address for the employee that you're assigning the app to, and click **Assign**. + + ![](images/wsfb-licenseassign.png) + + Store for Business updates the list of assigned licenses. + + **To reclaim licenses** + + - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**. + + ![](images/wsfb-licensereclaim.png) + + Store for Business updates the list of assigned licenses. + +### Download offline-licensed app + +Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. + +You can download offline-licensed apps from your inventory. You'll need to download these items: + +- App metadata + +- App package + +- App license + +- App framework + +For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). 
+ +For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md). + +  + +  + + + + + diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md new file mode 100644 index 0000000000..bc011ba032 --- /dev/null +++ b/windows/manage/application-development-for-windows-as-a-service.md 
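Review bot: the action table in the app-inventory hunk above does not survive as readable diff lines (it arrives as a run of bare `+` lines followed by one cell per line: "Action / Online-licensed app / Offline-licensed app", then "Assign to employees", "X", and so on), which makes it impossible to review whether each X sits in the right column; the sibling file application-development-for-windows-as-a-service.md in this same change uses pipe tables, so convert this one to the same form. In the license-management steps, "click **Reclaim licenses**, and then click **Reclaim licenses**" needs to say that the second click is a confirmation prompt, otherwise it reads as a duplicated step. Typos to fix in the same hunk: "Click the ellipses for and app" (for an app), "your managment tool", "This give you another way", and "managemement" in the title, the file name and the TOC entry.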
@@ -0,0 +1,189 @@ +--- +title: Application development for Windows as a service (Windows 10) +description: In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. +ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Application development for Windows as a service + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows 10 IoT Core (IoT Core) + +In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting. + +Builds distributed as flights provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. 
As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery and better public release quality than ever. + +## Windows 10 release types and cadences + + +Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: + +**Feature updates** install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. Microsoft expects to publish an average of one to two new feature updates per year. + +**Quality updates** deliver security issue resolutions and other important bug fixes. Quality updates will be provided to improve each feature currently in support, on a cadence of one or more times per month. Microsoft will continue publishing quality updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs. + +During Windows 10 development, Microsoft streamlined the Windows product engineering and release cycle so that we can deliver the features, experiences, and functionality customers want, more quickly than ever. We also created new ways to deliver and install feature updates and quality updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. 
Hence we have implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. + +The following table shows describes the various servicing branches and their key attributes. + +| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | +|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| +| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | +| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro | +| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | + +  + +For more information, see [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md). + +## Supporting apps in Windows as a service + + +The traditional approach for supporting apps has been to release a new app version in response to a Windows release. 
This assumes that there are breaking changes in the underlying OS that could potentially cause a regression with the application. This model involves a dedicated development and validation cycle that requires our ISV partners to align with the Windows release cadence. + +In the Windows as a service model, Microsoft is making a commitment to maintaining the compatibility of the underlying OS. This means Microsoft will make a concerted effort to ensure that there are no breaking changes that impact the app ecosystem negatively. In this scenario, when there is a release of a Windows build, most apps (those with no kernel dependencies) will continue to work. + +In view of this change, Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. Our mutual customers are better served by an application lifecycle approach. This means when an application version is released it will be supported for a certain period of time irrespective of however many Windows builds are released in the interim. The ISV makes a commitment to provide support for that specific version of the app as long as it is supported in the lifecycle. Microsoft follows a similar lifecycle approach for Windows that can be referenced [here](http://go.microsoft.com/fwlink/?LinkID=780549). + +This approach will reduce the burden of maintaining an app schedule that aligns with Windows releases. ISV partners should be free to release features or updates at their own cadence. We feel that our partners can keep their customer base updated with the latest app updates independent of a Windows release. In addition, our customers do not have to seek an explicit support statement whenever a Windows build is released. 
Here is an example of a support statement that covers how an app may be supported across different versions of the OS: + +| Example of an application lifecycle support statement | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Contoso is a software development company and is the owner of the popular Mojave app which has a major share in the enterprise space. Contoso releases its next major release Mojave 14.0 and declares mainstream support for a period of three years from the release date. During mainstream support all updates and support are complimentary for the licensed product. Contoso also declares an additional two years of extended support where customers can purchase updates and support for a grace period. Beyond the extended support end date this product version is no longer supported. During the period of mainstream support Contoso will support Mojave 14.0 on all released builds of Windows. Contoso will also release updates to Mojave as necessary and independent of the Windows product releases. | + +  + +In the following sections, you will find additional information about the steps Microsoft takes to maintain the compatibility of the underlying OS. 
You will also find guidance on steps you can take to help maintain the compatibility of the combined OS and app ecosystem. There is a section on how to leverage Windows flighting builds to detect app regressions before a Windows build is released. Lastly, we describe how we use an instrumentation and telemetry-driven approach to increase the quality of Windows builds. We recommend ISVs adopt a similar approach with their app portfolio. + +## Key changes since Windows 7 to ensure app compatibility + + +We understand that compatibility matters to developers. ISVs and developers want to ensure their apps will run as expected on all supported versions of the Windows OS. Consumers and businesses have a key investment here—they want to ensure that the apps they have paid for will continue to work. We know that compatibility is the primary criteria for purchase decisions. Apps that are well written based on best practices will lead to much less code churn when a new Windows version is released and will reduce fragmentation—these apps have a reduced engineering investment to maintain, and a faster time to market. + +In the Windows 7 timeframe, compatibility was very much a reactive approach. In Windows 8 we started looking at this differently, working within Windows to ensure that compatibility was by design rather than an afterthought. Windows 10 is the most compatible-by-design version of the OS to date. Here are some key ways we accomplished this: + +- **App telemetry**: This helps us understand app popularity in the Windows ecosystem to inform compatibility testing. +- **ISV partnerships**: Work directly with external partners to provide them with data and help fix issues that our users experience. +- **Design reviews, upstream detection**: Partner with feature teams to reduce the number of breaking changes in Windows. Compatibility review is a gate that our feature teams must pass. +- **Communication**: Tighter control over API changes and improved communication. 
+- **Flighting and feedback loop**: Windows insiders receive flighted builds that help improve our ability to find compatibility issues before a final build is released to customers. This feedback process not only exposes bugs, but ensures we are shipping features our users want. + +## Microsoft uses data to make Windows 10 better + + +Microsoft uses diagnostic and usage data to identify and troubleshoot problems, improve our products and services, and provide our users with personalized experiences. The usage data we collect also extends to the apps that PCs in the Windows ecosystem are running. Based on what our customers use, we build our list to test these apps, devices, and drivers against new versions of the Windows OS. Windows 10 has been the most compatible version of Windows to-date, with over 90% compatibility against thousands of popular apps. The Windows Compatibility team commonly reaches out to our ISV partners to provide feedback if issues are discovered, so that we can partner together on solutions. Ideally, we’d like our common customers to be able to update Windows seamlessly and without losing functionality in either their OS or the apps they depend on for their productivity or entertainment. + +The following sections contain some best practices Microsoft recommends so you can ensure your apps are compatible with Windows 10. + +**Windows version check** + +The OS version has been incremented with Windows 10. This means that the internal version number has been changed to 10.0. As in the past, we go to great lengths to maintain application and device compatibility after an OS version change. For most app categories (without any kernel dependencies) the change will not negatively impact app functionality, and existing apps will continue to work fine on Windows 10. + +The manifestation of this change is app-specific. 
This means any app that specifically checks for the OS version will get a higher version number, which can lead to one or more of the following situations: + +- App installers might not be able to install the app, and apps might not be able to start. +- Apps might become unstable or crash. +- Apps might generate error messages, but continue to function properly. + +Some apps perform a version check and simply pass a warning to users. However, there are apps that are bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection). In these cases, the app will fail if an incorrect version is found. Rather than a version check, we recommend one of the following approaches: + +- If the app is dependent on specific API functionality, ensure you target the correct API version. +- Ensure you detect the change via APISet or another public API, and do not use the version as a proxy for some feature or fix. If there are breaking changes and a proper check is not exposed, then that is a bug. +- Ensure the app does NOT check for version in odd ways, such as via the registry, file versions, offsets, kernel mode, drivers, or other means. If the app absolutely needs to check the version, use the GetVersion APIs, which should return the major, minor, and build number. +- If you are using the [GetVersion](http://go.microsoft.com/fwlink/?LinkID=780555) API, remember that the behavior of this API has changed since Windows 8.1. + +If you own apps such as antimalware or firewall apps, you should work through your usual feedback channels and via the Windows Insider program. + +**Undocumented APIs** + +Your apps should not call undocumented Windows APIs, or take dependency on specific Windows file exports or registry keys. This can lead to broken functionality, data loss, and potential security issues. 
If there is functionality your app requires that is not available, this is an opportunity to provide feedback through your usual feedback channels and via the Windows Insider program. + +**Develop Universal Windows Platform (UWP) and Centennial apps** + +We encourage all Win32 app ISVs to develop [Universal Windows Platform (UWP)](http://go.microsoft.com/fwlink/?LinkID=780560) and, specifically, [Centennial](http://go.microsoft.com/fwlink/?LinkID=780562) apps moving forward. There are great benefits to developing these app packages rather than using traditional Win32 installers. UWP apps are also supported in the [Windows Store](http://go.microsoft.com/fwlink/?LinkID=780563), so it’s easier for you to update your users to a consistent version automatically, lowering your support costs. + +If your Win32 app types do not work with the Centennial model, we highly recommend that you use the right installer and ensure this is fully tested. An installer is your user or customer’s first experience with your app, so ensure that this works well. All too often, this doesn’t work well or it hasn’t been fully tested for all scenarios. The [Windows App Certification Kit](http://go.microsoft.com/fwlink/?LinkID=780565) can help you test the install and uninstall of your Win32 app and help you identify use of undocumented APIs, as well as other basic performance-related best-practice issues, before your users do. + +**Best pratcices:** + +- Use installers that work for both 32-bit and 64-bit versions of Windows. +- Design your installers to run on multiple scenarios (user or machine level). +- Keep all Windows redistributables in the original packaging – if you repackage these, it’s possible that this will break the installer. +- Schedule development time for your installers—these are often overlooked as a deliverable during the software development lifecycle. 
+ +## Optimized test strategies and flighting + + +Windows OS flighting refers to the interim builds available to Windows Insiders before a final build is released to the general population. The more Insiders that flight these interim builds, the more feedback we receive on the build quality, compatibility, etc., and this helps improve quality of the final builds. You can participate in this flighting program to ensure that your apps work as expected on iterative builds of the OS. We also encourage you to provide feedback on how these flighted builds are working for you, issues you run into, and so on. + +If your app is in the Store, you can flight your app via the Store, which means that your app will be available for our Windows Insider population to install. Users can install your app and you can receive preliminary feedback on your app before you release it to the general population. The follow sections outline the steps for testing your apps against Windows flighted builds. + +**Step 1: Become a Windows Insider and participate in flighting** + +As a [Windows Insider,](http://go.microsoft.com/fwlink/p/?LinkId=521639) you can help shape the future of Windows—your feedback will help us improve features and functionality in the platform. This is a vibrant community where you can connect with other enthusiasts, join forums, trade advice, and learn about upcoming Insider-only events. + +Since you’ll have access to preview builds of Windows 10, Windows 10 Mobile, and the latest Windows SDK and Emulator, you’ll have all the tools at your disposal to develop great apps and explore what's new in the Universal Windows Platform and the Windows Store. + +This is also a great opportunity to build great hardware, with preview builds of the hardware development kits so you can develop universal drivers for Windows. 
The IoT Core Insider Preview is also available on supported IoT development boards, so you can build amazing connected solutions using the Universal Windows Platform. + +Before you become a Windows Insider, please note that participation is intended for users who: + +- Want to try out software that’s still in development. +- Want to share feedback about the software and the platform. +- Don’t mind lots of updates or a UI design that might change significantly over time. +- Really know their way around a PC and feel comfortable troubleshooting problems, backing up data, formatting a hard drive, installing an operating system from scratch, or restoring an old one if necessary. +- Know what an ISO file is and how to use it. +- Aren't installing it on their everyday computer or device. + +**Step 2: Test your scenarios** + +Once you have updated to a flighted build, the following are some sample test cases to help you get started on testing and gathering feedback. For most of these tests, ensure you cover both x86 and AMD64 systems. + +**Clean install test:** On a clean install of Windows 10, ensure your app is fully functional. If your app fails this test and the upgrade test, then it’s likely that the issue is caused by underlying OS changes or bugs in the app. If after investigation, the former is the case, be sure to use the Windows Insider program to provide feedback and partner on solutions. + +**Upgrade Test:** Check that your app works after upgrading from a down-level version of Windows (i.e. Windows 7 or Windows 8.1) to Windows 10. Your app shouldn’t cause roll backs during upgrade, and should continue to work as expected after upgrade—this is crucial to achieve a seamless upgrade experience. + +**Reinstall Test:** Ensure that app functionality can be restored by reinstalling your app after you upgrade the PC to Windows 10 from a down-level OS. 
If your app didn’t pass the upgrade test and you have not been able to narrow down the cause of these issues, it’s possible that a reinstall can restore lost functionality. A passing reinstall test indicates that parts of the app may not have been migrated to Windows 10. + +**OS\\Device Features Test:** Ensure that your app works as expected if your app relies on specific functionality in the OS. Common areas for testing include the following, often against a selection of the commonly used PC models to ensure coverage: + +- Audio +- USB device functionality (keyboard, mouse, memory stick, external hard disk, and so on) +- Bluetooth +- Graphics\\display (multi-monitor, projection, screen rotation, and so on) +- Touch screen (orientation, on-screen keyboard, pen, gestures, and so on) +- Touchpad (left\\right buttons, tap, scroll, and so on) +- Pen (single\\double tap, press, hold, eraser, and so on) +- Print\\Scan +- Sensors (accelerometer, fusion, and so on) +- Camera + +**Step 3: Provide feedback** + +Let us know how your app is performing against flighted builds. As you discover issues with your app during testing, please log bugs via the partner portal if you have access, or through your Microsoft representative. We encourage this information so that we can build a quality experience for our users together. + +**Step 4: Register on Windows 10** + +The [Ready for Windows 10](http://go.microsoft.com/fwlink/?LinkID=780580) website is a directory of software that supports Windows 10. It’s intended for IT administrators at companies and organizations worldwide that are considering Windows 10 for their deployments. IT administrators can check the site to see whether software deployed in their enterprise is supported in Windows 10. + +## Related topics + + +[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) + +  + +  + + + + + 
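Review bot: The two version-check bullets in the "Windows version check" section contradict each other: one tells readers to "use the GetVersion APIs, which should return the major, minor, and build number", and the next warns that "the behavior of this API has changed since Windows 8.1" without saying what changed or what to do about it. Either state the changed behavior and what readers should do instead, or drop the GetVersion recommendation, since a reader who follows the first bullet as written will reintroduce the version gating the section argues against. The parenthetical "bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection)" is unclear about what is being detected and should be reworded. Two typos in the same hunk: "Best pratcices:" should be "Best practices:", and "The follow sections outline the steps" should be "The following sections outline the steps".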
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md new file mode 100644 index 0000000000..5e896b7a2f --- /dev/null +++ b/windows/manage/apps-in-windows-store-for-business.md 
@@ -0,0 +1,91 @@ +--- +title: Apps in Windows Store for Business (Windows 10) +description: Windows Store for Business has thousands of apps from many different categories. +ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Apps in Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows Store for Business has thousands of apps from many different categories. + +## + + +These app types are supported in Store for Business: + +- Universal Windows apps for Windows 10 + +- Universal Windows apps, by device: phone, Surface Hub, IoT, HoloLens + +Apps in your inventory will have at least one of these supported platforms listed for the app: + +- Windows 10 desktops + +- Windows 10 phones + +- Windows 10 xbox + +- Windows 10 IOT devices + +- Windows 10 servers + +- Windows 10 \*all devices\* + +- Windows 10 Surface Hub + +- Windows 10 HoloLens + +Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10. + +Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. + +## In-app purchases + + +Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Store for Business and distributed to employees. 
+ +If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory. + +## Licensing model: online and offline licenses + + +Store for Business supports two options to license apps: online and offline. + +**Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. Licensing management is enforced based on the user’s Azure AD identity and maintained by the store as well as the management tool. By default app updates are handled by Windows Update. + +Distribution options for online-licensed apps include the ability to: + +- Assign an app to employees. + +- Add an app to your private store, allowing employees to download the app. + +- Distribute through a management tool. + +**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. + +You have the following distribution options for offline-licensed apps: + +- Include the app in a provisioning package, and then use it as part of imaging a device. + +- Distribute the app through a management tool. + +For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md). + +  + +  + + + + + 
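Review bot: The second-level heading that follows "Windows Store for Business has thousands of apps from many different categories." is empty ("## " with no text) and will render as a blank heading; give it a title that matches the list under it, such as "Supported app types and platforms". The platform list also departs from the product capitalization used elsewhere in this patch ("Windows 10 xbox", "Windows 10 IOT devices"); use "Xbox" and "IoT". "For more information, see Working with Line-of-Business apps." is plain text where every other cross-reference in the file is a link, so it should link to that topic.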
diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md new file mode 100644 index 0000000000..0864ee8dac --- /dev/null +++ b/windows/manage/assign-apps-to-employees.md @@ -0,0 +1,40 @@ +--- +title: Assign apps to employees (Windows 10) +description: Administrators can assign online-licensed apps to employees in their organization. +ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Assign apps to employees + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Administrators can assign online-licensed apps to employees in their organization. + +**To assign an app to an employee** + +1. Sign in to Windows Store for Business. + +2. Click **Manage**, and then choose **Inventory**. + +3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. + +4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. + +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. + +  + +  + + + + + diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md new file mode 100644 index 0000000000..cbf16e02fc --- /dev/null +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md 
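Review bot: The closing paragraph of assign-apps-to-employees.md changes audience mid-thought: "Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**." The first sentence addresses the administrator and the second instructs the employee; reword the second as "The employee clicks the link to start the Windows Store app, and then clicks **Install**." so the procedure stays addressed to the admin. Step 4, "the employee that you're assigning the app to", reads better as "the employee to whom you are assigning the app".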
@@ -0,0 +1,177 @@ +--- +title: Change history for Manage and update Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Change history for Manage and update Windows 10 + + +This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## April 2016 + + + + + + + + + + + + + + + + +
New or changed topicDescription
[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

Added the font streaming section.

+ +  + +## March 2016 + + + + + + + + + + + + + + + + + + + + + + + + +
New or changed topicDescription
[Application development for Windows as a service](application-development-for-windows-as-a-service.md)New
[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

New

[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)

Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration.

+ +  + +## February 2016 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or changed topicDescription
[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

Added call history and email to the Settings > Privacy section.

+

Added the Turn off Windows Mail application Group Policy to the Mail synchronization section.

[Customize and export Start layout](customize-and-export-start-layout.md)Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)Added instructions for replacing markup characters with escape characters in Start layout XML
[Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)New
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)New
[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core).
+ +  + +## December 2015 + + + + + + + + + + + + + + + + + + + + + + + + +
New or changed topicDescription
[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)New
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)New
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+ +  + +## November 2015 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New | +| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | New | +| [Customize and export Start layout](customize-and-export-start-layout.md) | New | +| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | +| [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) | New | +| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | New | +| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | New | +| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | New | +| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | New | +| [Windows Hello biometrics in the enterprise](../keep-secure/windows-hello-in-enterprise.md) | New | +| [Windows Store for Business](windows-store-for-business.md) (multiple topics) | New | +| [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) | Updated | +| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated | +| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated | + +  + +## Related topics + + +[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) + +[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) + +[Change history for Deploy Windows 
10](../deploy/change-history-for-deploy-windows-10.md) + +[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) + +  + +  + + + + + diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md new file mode 100644 index 0000000000..30a8c0a870 --- /dev/null +++ b/windows/manage/changes-to-start-policies-in-windows-10.md @@ -0,0 +1,171 @@ +--- +title: Changes to Group Policy settings for Windows 10 Start (Windows 10) +description: Windows 10 has a brand new Start experience. +ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F +keywords: ["group policy", "start menu", "start screen"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Changes to Group Policy settings for Windows 10 Start + + +**Applies to** + +- Windows 10 + +Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated. + +## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education + + +These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyNotes
Clear history of recently opened documents on exitDocuments that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.
Do not allow pinning items in Jump ListsJump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.
Do not display or track items in Jump Lists from remote locationsWhen this policy is applied, only items local on the computer are shown in Jump Lists.
Do not keep history of recently opened documentsDocuments that the user opens are not tracked during the session.
Prevent changes to Taskbar and Start Menu SettingsIn Windows 10, this disables all of the settings in Settings > Personalization > Start as well as the options in dialog available via right-click Taskbar > Properties
Prevent users from customizing their Start Screen

Use this policy in conjunction with [CopyProfile](http://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it

Prevent users from uninstalling applications from StartIn Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)
Remove All Programs list from the Start menuIn Windows 10, this removes the All apps button.
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsThis removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.
Remove common program groups from Start MenuAs in earlier versions of Windows, this removes apps specified in the All Users profile from Start
Remove frequent programs list from the Start MenuIn Windows 10, this removes the top left Most used group of apps.
Remove Logoff on the Start MenuLogoff has been changed to Sign Out in the user interface, however the functionality is the same.
Remove pinned programs list from the Start MenuIn Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).
Show "Run as different user" command on StartThis enables the Run as different user option in the right-click menu for apps.
Start Layout

This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in User Configuration or Computer Configuration.

+
+Note   +

Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education.

+
+
+  +
Force Start to be either full screen size or menu sizeThis applies a specific size for Start.
+ +  + +## Deprecated Group Policy settings for Start + + +The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. + +| Policy | When deprecated | +|----------------------------------------------------------------------------------|-----------------| +| Go to the desktop instead of Start when signing in | Windows 10 | +| List desktop apps first in the Apps view | Windows 10 | +| Pin Apps to Start when installed (User or Computer) | Windows 10 | +| Remove Default Programs link from the Start menu. | Windows 10 | +| Remove Documents icon from Start Menu | Windows 10 | +| Remove programs on Settings menu | Windows 10 | +| Remove Run menu from Start Menu | Windows 10 | +| Remove the "Undock PC" button from the Start Menu | Windows 10 | +| Search just apps from the Apps view | Windows 10 | +| Show Start on the display the user is using when they press the Windows logo key | Windows 10 | +| Show the Apps view automatically when the user goes to Start | Windows 10 | +| Add the Run command to the Start Menu | Windows 8 | +| Change Start Menu power button | Windows 8 | +| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 | +| Remove Downloads link from Start Menu | Windows 8 | +| Remove Favorites menu from Start Menu | Windows 8 | +| Remove Games link from Start Menu | Windows 8 | +| Remove Help menu from Start Menu | Windows 8 | +| Remove Homegroup link from Start Menu | Windows 8 | +| Remove Music icon from Start Menu | Windows 8 | +| Remove Network icon from Start Menu | Windows 8 | +| Remove Pictures icon from Start Menu | Windows 8 | +| Remove Recent Items menu 
from Start Menu | Windows 8 | +| Remove Recorded TV link from Start Menu | Windows 8 | +| Remove user folder link from Start Menu | Windows 8 | +| Remove Videos link from Start Menu | Windows 8 | + +  + +## Related topics + + +[Manage corporate devices](manage-corporate-devices.md) + +[New policies for Windows 10](new-policies-for-windows-10.md) + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Customize Windows 10 Start screens with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start screens with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Customize Windows 10 Start screens with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +  + +  + + + + + diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md new file mode 100644 index 0000000000..82e3420ae6 --- /dev/null +++ b/windows/manage/configure-devices-without-mdm.md 
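Review bot: The supported-policies table in changes-to-start-policies-in-windows-10.md is raw HTML while the deprecated-policies table directly below it is a markdown pipe table; use one style (markdown, as the rest of this patch does) so the Note inside the "Start Layout" row does not need nested HTML. Several Notes cells lack a terminating period ("...right-click Taskbar > Properties", "...to prevent users from changing it", "...other entry points (e.g. PowerShell)"). In the deprecated section, "Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10" needs punctuation before "however" ("Windows 8; however, a few more ..."). The scope caveat on "Prevent users from uninstalling applications from Start", that it "does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)", is exactly the kind of limitation readers need and should stay.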
@@ -0,0 +1,186 @@ +--- +title: Configure devices without MDM (Windows 10) +description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Configure devices without MDM + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. + +Sometimes mobile device management (MDM) isn't available to you for setting up a device because the device isn't connected to your network, or because an employee is remote and needs a fast replacement for a work device. You might not use MDM in your organization at all, but would like an easy way to place a standard configuration on multiple devices. + +Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. + +You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. You can even send the provisioning package to someone in email. + +Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed. + +## Advantages + + +- You can configure new devices without re-imaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple for people to apply. 
+ +- Ensures compliance and security before a device is enrolled in MDM. + +## Typical use cases + + +- **Set up a new off-the-shelf device for an employee** + + Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, domain join with service account, or company application. + +- **Configure an off-the-shelf mobile device to be used as a point of sale or inventory terminal** + + Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, security policies, company application, or assigned access (also known as [kiosk mode](set-up-a-device-for-anyone-to-use.md). + +- **Help employees set up personally-owned devices to use for work** + + Package might include company root certificate, Wi-Fi profiles, security policies, or company application. + + **Note**   + Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device. + +   + +- **Repurpose devices by returning the device to a specific state between users** + + Package might include computer name, company root certificate, Wi-Fi profile, or company application. + + **Note**   + To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience. + +   + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Create package + + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. 
Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +2. Choose **New provisioning package**. + +3. Name your project, and click **Next**. + +4. Choose **Common to all Windows editions**, **Common to all Windows desktop editions**, or **Common to all Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. + +5. On **New project**, click **Finish**. The workspace for your package opens. + +6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916) + +7. On the **File** menu, select **Save.** + +8. On the **Export** menu, select **Provisioning package**. + +9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + **Tip**   + You can make changes to existing packages and change the version number to update previously applied packages. + +   + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + +   + +12. 
Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + +Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) + +## Apply package + + +On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. 
The user can also add a provisioning package simply by double-clicking the .ppkg file in email, in local storage, on removable media, or at a URL. + +![add a package option](images/package.png) + +On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. The user can also add a provisioning package simply by double-tapping the .ppkg file in email. + +![add provisioning package on phone](images/phoneprovision.png) + +## Manage a package + + +- Users can view details or delete package (if policy allows deletion); only user-installed packages are listed. + +- Deleting a package removes settings, profiles, certificates, and apps it contains. + +- Use policies to disable manual deletion of packages, installation of unsigned packages, or the installation of any additional packages. + +- Update content by installing a new package with same name and new version number. + +- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed. + + ![](images/resetdevice.png) + +## Learn more + + +- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + +  + +  + + + + + diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md new file mode 100644 index 0000000000..2b94aba619 --- /dev/null +++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md 
@@ -0,0 +1,56 @@ +--- +title: Configure an MDM provider (Windows 10) +description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. +ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Configure an MDM provider + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content. + +Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business + +**To configure a management tool in Azure AD** + +1. Sign in to the Azure Portal as an Administrator. + +2. Click **Active Directory**, and then choose your directory.  + +3. Click **Applications**, find the application, and add it to your directory. + +After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business. + +**To configure a management tool in Store for Business** + +1. Log in to Store for Business. + +2. Click **Settings**, and then choose **Management tool**. + + You'll see a list of available MDM tools. + + ![](images/wsfb-settings-mgmt.png) + +3. Choose the MDM tool you want to synchronize with Store for Business, and then click **Activate.** + +Your MDM tool is ready to use with Store for Business. Consult docs for your management tool to learn how to distribute apps from your synchronized inventory. 
+ +See [Manage apps you purchased from Windows Store for Business with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx) to learn how to configure synchroniztion and deploy apps. + +  + +  + + + + + diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md new file mode 100644 index 0000000000..4d1f382a15 --- /dev/null +++ b/windows/manage/customize-and-export-start-layout.md 
@@ -0,0 +1,141 @@ +--- +title: Customize and export Start layout (Windows 10) +description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. +ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236 +keywords: ["start screen"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Customize and export Start layout + + +**Applies to** + +- Windows 10 + +**Looking for consumer information?** + +- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) + +The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. + +After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. + +When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. + +When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. + +**Note**  Partial Start layout is only supported on Windows 10, version 1511 and later. + +  + +You can deploy the resulting .xml file to devices using one of the following methods: + +- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +## Customize the Start screen on your test computer + + +To prepare a Start layout for export, you simply customize the Start layout on a test computer. + +**To prepare a test computer** + +1. 
Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. + + **Important**   + **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created. + +   + +2. Create a new user account that you will use to customize the Start layout. + + +**To customize Start** + +1. Sign in to your test computer with the user account that you created. + +2. Customize the Start layout as you want users to see it by using the following techniques: + + - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**. + + To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. + + - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. + + - **Drag tiles** on Start to reorder or group apps. + + - **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.** + + - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. + +## Export the Start layout + + +When you have the Start layout that you want your users to see, use the [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. + +**To export the Start layout to an .xml file** + +1. From Start, open **Windows PowerShell**. + +2. 
At the Windows PowerShell command prompt, enter the following command: + + `export-startlayout –path .xml ` + + In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). + + Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension. + +## Configure a partial Start layout + + +A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. + +![locked tile group](images/start-pinned-app.png) + +When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. + +When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added. + +If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked. + +**To configure a partial Start screen layout** + +1. [Customize the Start layout](#bmk-customize-start). + +2. [Export the Start layout](#bmk-exportstartscreenlayout). +3. Open the layout .xml file. There is a `` element. 
Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: + + ``` syntax + + ``` + +4. Save the file and apply using any of the deployment methods. + +## Related topics + + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md new file mode 100644 index 0000000000..614edb4d66 --- /dev/null +++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md 
@@ -0,0 +1,139 @@ +--- +title: Customize Windows 10 Start with Group Policy (Windows 10) +description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. +ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 +keywords: ["Start layout", "start menu", "layout", "group policy"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Customize Windows 10 Start with Group Policy + + +**Applies to** + +- Windows 10 + +**Looking for consumer information?** + +- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) + +In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. + +This topic describes how to update Group Policy settings to display a customized Start layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start layout to users in a domain. + +**Warning**   +When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. + +  + +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) + +## Operating system requirements + + +Start layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. 
Start layout control is not supported in Windows 10 Pro. + +The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. + +## How Start layout control works + + +Two features enable Start layout control: + +- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created. + + **Note**   + To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + +   + +- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start layout from an .xml file when the policy is applied. + +**Note**   +To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( http://go.microsoft.com/fwlink/p/?LinkId=620863). + +  + +## Use Group Policy to apply a customized Start layout in a domain + + +To apply the Start layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. + +The GPO applies the Start layout at the next user sign-in. 
Each time the user signs in, the timestamp of the .xml file with the Start layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. + +The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. + +The .xml file with the Start layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start is not customized during the session, and the user can make changes to Start. + +For information about deploying GPOs in a domain, see [Working with Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620889). + +## Use Group Policy to apply a customized Start layout on the local computer + + +You can use the Local Group Policy Editor to provide a customized Start layout for any user who signs in on the local computer. To display the customized Start layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. + +**Note**   +This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic. + +This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10. 
+ +  + +This procedure adds the customized Start layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer. + +**To configure Start Layout policy settings in Local Group Policy Editor** + +1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. + +2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. + + ![start screen layout policy settings](images/starttemplate.jpg) + +3. Right-click **Start Layout** in the right pane, and click **Edit**. + + This opens the **Start Layout** policy settings. + + ![policy settings for start screen layout](images/startlayoutpolicy.jpg) + +4. Enter the following settings, and then click **OK**: + + 1. Select **Enabled**. + + 2. Under **Options**, specify the path to the .xml file that contains the Start layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. + + 3. Optionally, enter a comment to identify the Start layout. + + **Important**   + If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: + + `(ls ).LastWriteTime = Get-Date` + +   + +## Update a customized Start layout + + +After you use Group Policy to apply a customized Start layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp. 
+ +## Related topics + + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +  + +  + + + + + diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md new file mode 100644 index 0000000000..d3c9160101 --- /dev/null +++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -0,0 +1,146 @@ +--- +title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10) +description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. +ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 +keywords: ["start screen", "start menu"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Customize Windows 10 Start with mobile device management (MDM) + + +**Applies to** + +- Windows 10 + +**Looking for consumer information?** + +- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) + +In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. + +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) + +**Warning**   +When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. + +  + +## How Start layout control works + + +Two features enable Start layout control: + +- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created. 
+ + **Note**   + To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + +   + +- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=623244). + +## Create a policy for your customized Start layout + + +This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy. + +1. In the Start layout file created when you ran **Export-StartLayout**, replace markup characters with escape characters, and save the file. (You can replace the characters manually or use an online tool.) + + Example of a layout file produced by Export-StartLayout: + + + + + + + + + + + + + + + + +
XML
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+      <DefaultLayoutOverride>
+        <StartLayoutCollection>
+          <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
+            <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
+              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
+              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
+              <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+            </start:Group>        
+          </defaultlayout:StartLayout>
+        </StartLayoutCollection>
+      </DefaultLayoutOverride>
+    </LayoutModificationTemplate>
+ + Example of the same layout file with escape characters replacing the markup characters: + +``` + &lt;wdcml:p xmlns:wdcml=&quot;http://microsoft.com/wdcml&quot;&gt;Example of a layout file produced by Export-StartLayout:&lt;/wdcml:p&gt;&lt;wdcml:snippet xmlns:wdcml=&quot;http://microsoft.com/wdcml&quot;&gt;&lt;![CDATA[&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt; + &lt;DefaultLayoutOverride&gt; + &lt;StartLayoutCollection&gt; + &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt; + &lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt; + &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt; + &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt; + &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt; + &lt;/start:Group&gt; + &lt;/defaultlayout:StartLayout&gt; + &lt;/StartLayoutCollection&gt; + &lt;/DefaultLayoutOverride&gt; + &lt;/LayoutModificationTemplate&gt;]]&gt;&lt;/wdcml:snippet&gt; +``` + +2. In the Microsoft Intune administration console, click **Policy** > **Add Policy**. + +3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy. + +4. Enter a name (mandatory) and description (optional) for the policy. + +5. In the **OMA-URI Settings** section, click **Add.** + +6. In **Add or Edit OMA-URI Setting**, enter the following information. 
+ + | Item | Information | + |----|----| + | **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. | + | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. | + | **Data type** | **String** | + | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** | + | **Value** | Path to the Start layout .xml file that you created. | + +   + +7. Click **OK** to save the setting and return to the **Create Policy** page. + +8. Click **Save Policy**. + +## Related topics + + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Use Windows 10 custom policies to manage device settings with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=616316) + +  + +  + + + + + diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md new file mode 100644 index 0000000000..3af066fdac --- /dev/null +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -0,0 +1,111 @@ +--- +title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10) +description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. +ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC +keywords: ["Start layout", "start menu"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Customize Windows 10 Start with ICD and provisioning packages + + +**Applies to** + +- Windows 10 + +**Looking for consumer information?** + +- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) + +In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. + +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) + +## How Start layout control works + + +Two features enable Start layout control: + +- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created. + + **Note**   + To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + +   + +- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start layout. 
+ +## Create a provisioning package that contains a customized Start layout + + +Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +2. Choose **New provisioning package**. + +3. Name your project, and click **Next**. + +4. Choose **Common to all Windows desktop editions** and click **Next**. + +5. On **New project**, click **Finish**. The workspace for your package opens. + +6. Expand **Runtime settings** > **Start**, and click **StartLayout**. + +7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet. + +8. On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. 
By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Copy the provisioning package to the target device. + +17. Double-click the ppkg file and allow it to install. + +## Related topics + + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +  + +  + + + + + 
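Review bot: step 11 says that with **Enable package encryption** "an auto-generated password will be shown on the screen" but never tells the reader to record it or that it is needed when the package is applied; without it the double-click install in step 17 cannot decrypt the package, so add a sentence such as "Save this password; you must enter it on the target device when the package is applied." Related, the topic treats **Enable package signing** as purely optional while step 17 has the package copied to the device and installed by a user who must "allow it to install"; since a package with **Owner** set to **IT Admin** (step 10) takes precedence over packages from other sources and reconfigures the device, recommend signing with a certificate the target devices trust so users can distinguish an IT-issued package from an arbitrary .ppkg they were handed. Minor: step 6 says **Runtime settings** > **Start** > **StartLayout**, while the "How Start layout control works" section calls the same setting **Start/StartLayout**; use one form.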
diff --git a/windows/manage/device-guard-signing-portal.md b/windows/manage/device-guard-signing-portal.md new file mode 100644 index 0000000000..4604411897 --- /dev/null +++ b/windows/manage/device-guard-signing-portal.md 
@@ -0,0 +1,95 @@ +--- +title: Device Guard signing (Windows 10) +description: Device Guard signing is a Device Guard feature that is available in the Windows Store for Business. +ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Device Guard signing + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Device Guard signing is a Device Guard feature that is available in the Windows Store for Business. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. + +Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)

When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.

[Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)

Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.

+ +  + +## File and size limits + + +When you're uploading files for Device Guard signing, there are a few limits for files and file size: + +| | | +|-------------------------------------------------------|----------| +| Description | Limit | +| Maximum size for a policy or catalog file | 3.5 MB | +| Maximum size for multiple files (uploaded in a group) | 4 MB | +| Maximum number of files per upload | 15 files | + +  + +## File types + + +Catalog and policy files have required files types. + +| | | +|---------------|--------------------| +| File | Required file type | +| catalog files | .cat | +| policy files | .bin | + +  + +## Store for Business roles and permissions + + +Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. + +## Device Guard signing certificates + + +All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. + +  + +  + + + + + diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md new file mode 100644 index 0000000000..13cf2f06a6 --- /dev/null +++ b/windows/manage/disconnect-your-organization-from-microsoft.md 
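Review bot: the description of "Sign code integrity policy with Device Guard signing" says signing "prevents policies from being tampered with after they're deployed"; a signature does not stop anyone from modifying the file, it lets the device detect that the policy no longer matches a trusted signer and refuse to load it, so reword to "lets the device reject a policy that was modified or replaced after deployment" to avoid overstating the guarantee. Also, in the **File and size limits** and **File types** tables the header row is an empty `| | |` row and the real headings (Description / Limit, File / Required file type) sit in the first body row; move the headings into the header row so the tables render. Minor: the first paragraph switches from "admins" to "you" mid-paragraph ("After admins have created catalog files... You can merge the code integrity policy"); pick one voice.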
@@ -0,0 +1,1809 @@ +--- +title: Configure telemetry and other settings in your organization (Windows 10) +description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. +ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: brianlic-msft +--- + +# Configure telemetry and other settings in your organization + + +**Applies to** + +- Windows 10 + +Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. + +If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. + +**Note**  Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows. + +  + +Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. 
However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all. + +In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. + +Here's what's covered in this article: + +- [Info management settings](#bkmk-othersettings) + + - [1. Cortana](#bkmk-cortana) + + - [1.1 Cortana Group Policies](#bkmk-cortana-gp) + + - [1.2 Cortana MDM policies](#bkmk-cortana-mdm) + + - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov) + + - [2. Date & Time](#bkmk-datetime) + + - [3. Device metadata retrieval](#bkmk-devinst) + + - [4. Font streaming](#font-streaming) + + - [5. Insider Preview builds](#bkmk-previewbuilds) + + - [6. Internet Explorer](#bkmk-ie) + + - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp) + + - [6.2 ActiveX control blocking](#bkmk-ie-activex) + + - [7. Mail synchronization](#bkmk-mailsync) + + - [8. Microsoft Edge](#bkmk-edge) + + - [8.1 Microsoft Edge Group Policies](#bkmk-edgegp) + + - [8.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) + + - [8.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) + + - [9. Network Connection Status Indicator](#bkmk-ncsi) + + - [10. Offline maps](#bkmk-offlinemaps) + + - [11. OneDrive](#bkmk-onedrive) + + - [12. Preinstalled apps](#bkmk-preinstalledapps) + + - [13. 
Settings > Privacy](#bkmk-settingssection) + + - [13.1 General](#bkmk-general) + + - [13.2 Location](#bkmk-priv-location) + + - [13.3 Camera](#bkmk-priv-camera) + + - [13.4 Microphone](#bkmk-priv-microphone) + + - [13.5 Speech, inking, & typing](#bkmk-priv-speech) + + - [13.6 Account info](#bkmk-priv-accounts) + + - [13.7 Contacts](#bkmk-priv-contacts) + + - [13.8 Calendar](#bkmk-priv-calendar) + + - [13.9 Call history](#bkmk-priv-callhistory) + + - [13.10 Email](#bkmk-priv-email) + + - [13.11 Messaging](#bkmk-priv-messaging) + + - [13.12 Radios](#bkmk-priv-radios) + + - [13.13 Other devices](#bkmk-priv-other-devices) + + - [13.14 Feedback & diagnostics](#bkmk-priv-feedback) + + - [13.15 Background apps](#bkmk-priv-background) + + - [14. Software Protection Platform](#bkmk-spp) + + - [15. Sync your settings](#bkmk-syncsettings) + + - [16. Teredo](#bkmk-teredo) + + - [17. Wi-Fi Sense](#bkmk-wifisense) + + - [18. Windows Defender](#bkmk-defender) + + - [19. Windows Media Player](#bkmk-wmp) + + - [20. Windows spotlight](#bkmk-spotlight) + + - [21. Windows Store](#bkmk-windowsstore) + + - [22. Windows Update Delivery Optimization](#bkmk-updates) + + - [22.1 Settings > Update & security](#bkmk-wudo-ui) + + - [22.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) + + - [22.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) + + - [22.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) + + - [23. 
Windows Update](#bkmk-wu) + +- [Manage your telemetry settings](#bkmk-utc) + +- [How telemetry works](#bkmk-moreutc) + +## What's new in Windows 10, version 1511 + + +Here's a list of changes that were made to this article for Windows 10, version 1511: + +- Added the following new sections: + + - [Mail synchronization](#bkmk-mailsync) + + - [Offline maps](#bkmk-offlinemaps) + + - [Windows spotlight](#bkmk-spotlight) + + - [Windows Store](#bkmk-windowsstore) + +- Added the following Group Policies: + + - Open a new tab with an empty tab + + - Configure corporate Home pages + + - Let Windows apps access location + + - Let Windows apps access the camera + + - Let Windows apps access the microphone + + - Let Windows apps access account information + + - Let Windows apps access contacts + + - Let Windows apps access the calendar + + - Let Windows apps access messaging + + - Let Windows apps control radios + + - Let Windows apps access trusted devices + + - Do not show feedback notifications + + - Turn off Automatic Download and Update of Map Data + + - Force a specific default lock screen image + +- Added the AllowLinguisticDataCollection MDM policy. + +- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall. + +- Added steps in the [Live tiles](#bkmk-livetiles) section on how to remove the Money and Sports apps. + +- Changed the Windows Update section to apply system-wide settings, and not just per user. + +## Info management settings + + +This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. 
We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. + +The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch. + +- [1. Cortana](#bkmk-cortana) + +- [2. Date & Time](#bkmk-datetime) + +- [3. Device metadata retrieval](#bkmk-devinst) + +- [4. Font streaming](#font-streaming) + +- [5. Insider Preview builds](#bkmk-previewbuilds) + +- [6. Internet Explorer](#bkmk-ie) + +- [7. Mail synchronization](#bkmk-mailsync) + +- [8. Microsoft Edge](#bkmk-edge) + +- [9. Network Connection Status Indicator](#bkmk-ncsi) + +- [10. Offline maps](#bkmk-offlinemaps) + +- [11. OneDrive](#bkmk-onedrive) + +- [12. Preinstalled apps](#bkmk-preinstalledapps) + +- [13. Settings > Privacy](#bkmk-settingssection) + +- [14. Software Protection Platform](#bkmk-spp) + +- [15. Sync your settings](#bkmk-syncsettings) + +- [16. Teredo](#bkmk-teredo) + +- [17. Wi-Fi Sense](#bkmk-wifisense) + +- [18. Windows Defender](#bkmk-defender) + +- [19. Windows Media Player](#bkmk-wmp) + +- [20. Windows spotlight](#bkmk-spotlight) + +- [21. Windows Store](#bkmk-windowsstore) + +- [22. Windows Update](#bkmk-wu) + +- [23. Windows Update Delivery Optimization](#bkmk-updates) + +See the following table for a summary of the management settings. For more info, see its corresponding section. + +![](images/settings-table.png) + +### 1. Cortana + +Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683). + +### 1.1 Cortana Group Policies + +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyDescription

Allow Cortana

Choose whether to let Cortana install and run on the device.

+

Default: Enabled

Allow search and Cortana to use location

Choose whether Cortana and Search can provide location-aware search results.

+

Default: Enabled

Do not allow web search

Choose whether to search the web from Windows Desktop Search.

+

Default: Disabled

Don't search the web or display web results in Search

Choose whether to search the web from Cortana.

+

Default: Disabled

Set what information is shared in Search

Control what information is shared with Bing in Search.

+ +  + +When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. + +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. + +2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. + +3. On the **Rule Type** page, click **Program**, and then click **Next**. + +4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. + +5. On the **Action** page, click **Block the connection**, and then click **Next**. + +6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. + +7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** + +8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. + +9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. + + - For **Protocol type**, choose **TCP**. + + - For **Local port**, choose **All Ports**. + + - For **Remote port**, choose **All ports**. + +**Note**   +If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. 
+ +  + +### 1.2 Cortana MDM policies + +The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + + ++++ + + + + + + + + + + + + + + + + +
PolicyDescription

Experience/AllowCortana

Choose whether to let Cortana install and run on the device.

+

Default: Allowed

Search/AllowSearchToUseLocation

Choose whether Cortana and Search can provide location-aware search results.

+

Default: Allowed

+ +  + +### 1.3 Cortana Windows Provisioning + +To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. + +### 2. Date & Time + +You can prevent Windows from setting the time automatically. + +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** + + -or- + +- Create a REG\_DWORD registry setting called **NoSync** in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters**, with a value of 1. + +### 3. Device metadata retrieval + +To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + +### 4. Font streaming + +Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. + +To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + +**Note**   +This may change in future versions of Windows. + +  + +### 5. Insider Preview builds + +To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. + +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. 
+ + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + + -or- + +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + + -or- + +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: + + - **0**. Users cannot make their devices available for downloading and installing preview software. + + - **1**. Users can make their devices available for downloading and installing preview software. + + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + +### 6. Internet Explorer + +Use Group Policy to manage settings for Internet Explorer. + +### 6.1 Internet Explorer Group Policies + +Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyDescription

Turn on Suggested Sites

Choose whether an employee can configure Suggested Sites.

+

Default: Enabled

+

You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box.

Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar

Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.

+

Default: Enabled

Turn off the auto-complete feature for web addresses

Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.

+

Default: Disabled

+

You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box.

Disable Periodic Check for Internet Explorer software updates

Choose whether Internet Explorer periodically checks for a new version.

+

Default: Enabled

Turn off browser geolocation

Choose whether websites can request location data from Internet Explorer.

+

Default: Disabled

+ +  + +### 6.2 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). + +For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). + +### 7. Mail synchronization + +To turn off mail synchronization for Microsoft Accounts that are configured on a device: + +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. + + -or- + +- Remove any Microsoft Accounts from the Mail app. + + -or- + +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. + +To turn off the Windows Mail app: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** + +### 8. Microsoft Edge + +Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682). + +### 8.1 Microsoft Edge Group Policies + +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. + +**Note**   +The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyDescription

Turn off autofill

Choose whether employees can use autofill on websites.

+

Default: Enabled

Allow employees to send Do Not Track headers

Choose whether employees can send Do Not Track headers.

+

Default: Disabled

Turn off password manager

Choose whether employees can save passwords locally on their devices.

+

Default: Enabled

Turn off address bar search suggestions

Choose whether the address bar shows search suggestions.

+

Default: Enabled

Turn off the SmartScreen Filter

Choose whether SmartScreen is turned on or off.

+

Default: Enabled

Open a new tab with an empty tab

Choose whether a new tab page appears.

+

Default: Enabled

Configure corporate Home pages

Choose the corporate Home page for domain-joined devices.

+

Set this to about:blank

+ +  + +### 8.2 Microsoft Edge MDM policies + +The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyDescription

Browser/AllowAutoFill

Choose whether employees can use autofill on websites.

+

Default: Allowed

Browser/AllowDoNotTrack

Choose whether employees can send Do Not Track headers.

+

Default: Not allowed

Browser/AllowPasswordManager

Choose whether employees can save passwords locally on their devices.

+

Default: Allowed

Browser/AllowSearchSuggestionsinAddressBar

Choose whether the address bar shows search suggestions.

+

Default: Allowed

Browser/AllowSmartScreen

Choose whether SmartScreen is turned on or off.

+

Default: Allowed

+ +  + +### 8.3 Microsoft Edge Windows Provisioning + +Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. + +For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). + +### 9. Network Connection Status Indicator + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). + +You can turn off NCSI through Group Policy: + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** + +### 10. Offline maps + +You can turn off the ability to download and update offline maps. + +- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + +### 11. OneDrive + +To turn off OneDrive in your organization: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** + +### 12. Preinstalled apps + +Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. + +To remove the News app: + +- Right-click the app in Start, and then click **Uninstall**. 
+ + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** + +To remove the Weather app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** + +To remove the Money app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** + +To remove the Sports app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** + +To remove the Twitter app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** + +To remove the XBOX app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** + +To remove the Sway app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** + +To remove the OneNote app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** + +To remove the Get Office app: + +- Right-click the app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** + +To remove the Get Skype app: + +- Right-click the Sports app in Start, and then click **Uninstall**. + + -or- + +- Remove the app for new user accounts. 
From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** + +### 13. Settings > Privacy + +Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. + +- [13.1 General](#bkmk-general) + +- [13.2 Location](#bkmk-priv-location) + +- [13.3 Camera](#bkmk-priv-camera) + +- [13.4 Microphone](#bkmk-priv-microphone) + +- [13.5 Speech, inking, & typing](#bkmk-priv-speech) + +- [13.6 Account info](#bkmk-priv-accounts) + +- [13.7 Contacts](#bkmk-priv-contacts) + +- [13.8 Calendar](#bkmk-priv-calendar) + +- [13.9 Call history](#bkmk-priv-callhistory) + +- [13.10 Email](#bkmk-priv-email) + +- [13.11 Messaging](#bkmk-priv-messaging) + +- [13.12 Radios](#bkmk-priv-radios) + +- [13.13 Other devices](#bkmk-priv-other-devices) + +- [13.14 Feedback & diagnostics](#bkmk-priv-feedback) + +- [13.15 Background apps](#bkmk-priv-background) + +### 13.1 General + +**General** includes options that don't fall into other areas. + +To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: + +**Note**   +When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +  + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. 
+ + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + +To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. + + Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + + -or- + +- Create a provisioning package, using: + + - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** + + - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). + +To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: + +**Note**   +If the telemetry level is set to either [Basic](#bkmk-utc-basic) or [Security](#bkmk-utc-security), this is turned off automatically. + +  + +- Turn off the feature in the UI. + + -or- + +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **0**. Not allowed + + - **1**. Allowed (default) + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. 
+ + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +### 13.2 Location + +In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. + +To turn off **Location for this device**: + +- Click the **Change** button in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + + -or- + +- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Turned off and the employee can't turn it back on. + + - **1**. Turned on, but lets the employee choose whether to use it. (default) + + - **2**. Turned on and the employee can't turn it off. + + **Note**   + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + +   + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where + + - **No**. Turns off location service. + + - **Yes**. Turns on location service. (default) + +To turn off **Location**: + +- Turn off the feature in the UI. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +To turn off **Location history**: + +- Erase the history using the **Clear** button in the UI. + +To turn off **Choose apps that can use your location**: + +- Turn off each app using the UI. + +### 13.3 Camera + +In the **Camera** area, you can choose which apps can access a device's camera. 
+ +To turn off **Let apps use my camera**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** + + - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + + **Note**   + You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). + +   + + -or- + +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: + + - **0**. Apps can't use the camera. + + - **1**. Apps can use the camera. + +To turn off **Choose apps that can use your camera**: + +- Turn off the feature in the UI for each app. + +### 13.4 Microphone + +In the **Microphone** area, you can choose which apps can access a device's microphone. + +To turn off **Let apps use my microphone**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can use your microphone**: + +- Turn off the feature in the UI for each app. + +### 13.5 Speech, inking, & typing + +In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. 
+ +**Note**   +For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. + +  + +To turn off the functionality: + +- Click the **Stop getting to know me** button, and then click **Turn off**. + + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + + -or- + +- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). + + -and- + + Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). + +### 13.6 Account info + +In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. + +To turn off **Let apps access my name, picture, and other account info**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose the apps that can access your account info**: + +- Turn off the feature in the UI for each app. + +### 13.7 Contacts + +In the **Contacts** area, you can choose which apps can access an employee's contacts list. + +To turn off **Choose apps that can access contacts**: + +- Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** + + - Set the **Select a setting** box to **Force Deny**. 
+ +### 13.8 Calendar + +In the **Calendar** area, you can choose which apps have access to an employee's calendar. + +To turn off **Let apps access my calendar**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can access calendar**: + +- Turn off the feature in the UI for each app. + +### 13.9 Call history + +In the **Call history** area, you can choose which apps have access to an employee's call history. + +To turn off **Let apps access my call history**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** + + - Set the **Select a setting** box to **Force Deny**. + +### 13.10 Email + +In the **Email** area, you can choose which apps have can access and send email. + +To turn off **Let apps access and send email**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** + + - Set the **Select a setting** box to **Force Deny**. + +### 13.11 Messaging + +In the **Messaging** area, you can choose which apps can read or send messages. + +To turn off **Let apps read or send messages (text or MMS)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can read or send messages**: + +- Turn off the feature in the UI for each app. 
+ +### 13.12 Radios + +In the **Radios** area, you can choose which apps can turn a device's radio on or off. + +To turn off **Let apps control radios**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** + + - Set the **Select a setting** box to **Force Deny**. + +To turn off **Choose apps that can control radios**: + +- Turn off the feature in the UI for each app. + +### 13.13 Other devices + +In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. + +To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: + +- Turn off the feature in the UI. + +To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** + + - Set the **Select a setting** box to **Force Deny**. + +### 13.14 Feedback & diagnostics + +In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. + +To change how frequently **Windows should ask for my feedback**: + +**Note**   +Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. + +  + +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. 
+ + -or- + +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** + + -or- + +- Create the registry keys (REG\_DWORD type): + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + + Based on these settings: + + | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | + |---------------|-----------------------------|-----------------------------| + | Automatically | Delete the registry setting | Delete the registry setting | + | Never | 0 | 0 | + | Always | 100000000 | Delete the registry setting | + | Once a day | 864000000000 | 1 | + | Once a week | 6048000000000 | 1 | + +   + +To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: + +- To change from [Enhanced](#bkmk-utc-enhanced), use the drop-down list in the UI. The other levels are **Basic** and **Full**. For more info about these levels, see [How telemetry works](#bkmk-moreutc). + + **Note**   + You can't use the UI to change the telemetry level to [Security](#bkmk-utc-security). + +   + + -or- + +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** + + -or- + +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Maps to the [Security](#bkmk-utc-security) level. + + - **1**. Maps to the [Basic](#bkmk-utc-basic) level. + + - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. + + - **3**. Maps to the [Full](#bkmk-utc-full) level. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: + + - **0**. Maps to the [Security](#bkmk-utc-security) level. 
+ + - **1**. Maps to the [Basic](#bkmk-utc-basic) level. + + - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. + + - **3**. Maps to the [Full](#bkmk-utc-full) level. + +### 13.15 Background apps + +In the **Background Apps** area, you can choose which apps can run in the background. + +To turn off **Let apps run in the background**: + +- Turn off the feature in the UI for each app. + +### 14. Software Protection Platform + +Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: + +**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + +The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. + +### 15. Sync your settings + +You can control if your settings are synchronized: + +- In the UI: **Settings** > **Accounts** > **Sync your settings** + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** + + -or- + +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. + + -or- + +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where + + - **No**. Settings are not synchronized. + + - **Yes**. Settings are synchronized. (default) + +To turn off Messaging cloud sync: + +- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). + +### 16. 
Teredo + +You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). + +- From an elevated command prompt, run **netsh interface teredo set state disabled** + +### 17. Wi-Fi Sense + +Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. + +To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: + +- Turn off the feature in the UI. + + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. + + -or- + +- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). + + -or- + +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + + -or- + +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910) + +When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. + +### 18. Windows Defender + +You can opt of the Microsoft Antimalware Protection Service. 
+ +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + +You can stop sending file samples back to Microsoft. + +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. + + -or- + +- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Always prompt. + + - **1**. (default) Send safe samples automatically. + + - **2**. Never send. + + - **3**. Send all samples automatically. + + -or- + +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. + +You can stop downloading definition updates: + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. + + -and- + +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. 
+ +You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. + +### 19. Windows Media Player + +To remove Windows Media Player: + +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. + + -or- + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + +### 20. Windows spotlight + +Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. + +- Configure the following in **Settings**: + + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + + - **System** > **Notifications & actions** > **Show me tips about Windows**. + + -or- + +- Apply the Group Policies: + + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. + + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + + **Note**  This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. 
+ +   + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + +For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). + +### 21. Windows Store + +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. + +### 22. Windows Update Delivery Optimization + +Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. + +By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. + +Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. + +### 22.1 Settings > Update & security + +You can set up Delivery Optimization from the **Settings** UI. + +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. 
+ +### 22.2 Delivery Optimization Group Policies + +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyDescription

Download Mode

Lets you choose where Delivery Optimization gets or sends updates and apps, including

+
    +
  • None. Turns off Delivery Optimization.

  • +
  • Group. Gets or sends updates and apps to PCs on the same local network domain.

  • +
  • Internet. Gets or sends updates and apps to PCs on the Internet.

  • +
  • LAN. Gets or sends updates and apps to PCs on the same NAT only.

  • +

Group ID

Lets you provide a Group ID that limits which PCs can share apps and updates.

+
+Note   +

This ID must be a GUID.

+
+
+  +

Max Cache Age

Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.

+

The default value is 259200 seconds (3 days).

Max Cache Size

Lets you specify the maximum cache size as a percentage of disk size.

+

The default value is 20, which represents 20% of the disk.

Max Upload Bandwidth

Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.

+

The default value is 0, which means unlimited possible bandwidth.

+ +  + +### 22.3 Delivery Optimization MDM policies + +The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyDescription

DeliveryOptimization/DODownloadMode

Lets you configure where Delivery Optimization gets or sends updates and apps, including:

+
    +
  • 0. Turns off Delivery Optimization.

  • +
  • 1. Gets or sends updates and apps to PCs on the same NAT only.

  • +
  • 2. Gets or sends updates and apps to PCs on the same local network domain.

  • +
  • 3. Gets or sends updates and apps to PCs on the Internet.

  • +

DeliveryOptimization/DOGroupID

Lets you provide a Group ID that limits which PCs can share apps and updates.

+
+Note   +

This ID must be a GUID.

+
+
+  +

DeliveryOptimization/DOMaxCacheAge

Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.

+

The default value is 259200 seconds (3 days).

DeliveryOptimization/DOMaxCacheSize

Lets you specify the maximum cache size as a percentage of disk size.

+

The default value is 20, which represents 20% of the disk.

DeliveryOptimization/DOMaxUploadBandwidth

Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.

+

The default value is 0, which means unlimited possible bandwidth.

+ +  + +### 22.4 Delivery Optimization Windows Provisioning + +If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies + +Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next.** + +3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. + +4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. + +For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684). + +### 23. Windows Update + +You can turn off Windows Update by setting the following registry entries: + +- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + + -and- + +- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. + +You can turn off automatic updates by doing one of the following. This is not recommended. + +- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. + + -or- + +- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: + + - **0**. Notify the user before downloading the update. + + - **1**. Auto install the update and then notify the user to schedule a device restart. + + - **2** (default). 
Auto install and restart. + + - **3**. Auto install and restart at a specified time. + + - **4**. Auto install and restart without end-user control. + + - **5**. Turn off automatic updates. + +To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). + +## Manage your telemetry settings + + +You can manage your telemetry settings using the management tools you're already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings. + +You can set your organization's devices to use 1 of 4 telemetry levels: + +- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions) + +- [Basic](#bkmk-utc-basic) + +- [Enhanced](#bkmk-utc-enhanced) + +- [Full](#bkmk-utc-full) + +For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced). + +**Important**   +These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies. + +  + +### Use Group Policy to set the telemetry level + +Use a Group Policy object to set your organization’s telemetry level. + +1. 
From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the telemetry level + +Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values: + +- **0**. Maps to the [Security](#bkmk-utc-security) level. + +- **1**. Maps to the [Basic](#bkmk-utc-basic) level. + +- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level. + +- **3**. Maps to the [Full](#bkmk-utc-full) level. + +### Use Windows Provisioning to set the telemetry level + +Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool - part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization's telemetry level. + +After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD. + +**To use Windows ICD to integrate your package into a custom image** + +1. Open Windows ICD, and then click **New provisioning package**. + +2. In the **Name** box, type a name for the provisioning package, and then click **Next**. + +3. Click **Common to all Windows editions** > **Next** > **Finish**. + +4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following: + + - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level. + + - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level. + + - **Full**. 
Maps to the [Enhanced](#bkmk-utc-enhanced) level + + - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level. + +5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**. + +6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**. + +7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**. + +8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**. + +9. On the **Build the provisioning package** step, click **Build**. + +### Use Registry Editor to set the telemetry level + +Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. + +If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. + +2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**. + + - **0**. This setting maps to the [Security](#bkmk-utc-security) level. + + - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level. + + - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level + + - **3**. This setting maps to the [Full](#bkmk-utc-full) level. + +5. 
Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Additional telemetry controls + +There are a few more settings that you can turn off that may send telemetry information: + +- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article. + + **Note**   + Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. 
If we determine that sensitive information has been inadvertently received, we delete the information. + +   + +## How telemetry works + + +Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization. + +### Telemetry levels + +This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. + +- **Security**. Information that's required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core. + +- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level. + +- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels. + +- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels. + +As a diagram: + +![](images/priv-telemetry-levels.png) + +### Security level + +The Security level gathers only telemetry info that's required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. + +**Note**   +If your organization relies on Windows Update for updates, you shouldn't use the Security level. Because no Windows Update information is gathered at this level, Microsoft can't tell whether an update successfully installed. 
+ +You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level. + +  + +Security level info includes: + +- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + **Note**   + You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. + +   + +- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender). + + **Note**   + This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality. 
+ +   + +No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer's registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article. + +### Basic level + +The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. + +Basic level info includes: + +- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as mobile operator network and IMEI number + + - Processor and memory attributes, such as number of cores, speed, and firmware + + - Operating system attributes, such as Windows edition and IsVirtualDevice + + - Storage attributes, such as number of drives and memory size + +- **Connected User Experience and Telemetry component quality metrics**. 
Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems. + + - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS. + + - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. 
It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. + +### Enhanced level + +The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +Enhanced level info includes: + +- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang. + +### Full level + +The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels. + +Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. 
All devices in the Windows Insider Program are automatically set to this level. + +If a device experiences problems that are difficult to identify or repeat using Microsoft's internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem. + +However, before more info is gathered, Microsoft's privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- Ability to gather user content, such as documents, if they might have been the trigger for the issue. + +### How is telemetry information handled by Microsoft? + +### Collection + +Information gathered by the Connected User Experience and Telemetry component complies with Microsoft's security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info. + +### Data Transfer + +All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. 
+ +### Microsoft Data Management Service + +The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings. + +### Usage + +Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis. + +An example of personalization is to create individually tailored in-product messages. + +Microsoft doesn't share organization-specific customer information with third parties, except at the customer's direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals. + +### Retention + +Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it's needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%. + + + + + 
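Review bot: In the "Additional telemetry controls" list, the first bullet offers "turn off Windows Update" as one of two equal choices for stopping Windows Update telemetry, but this same file later says that MSRT is not offered when Windows Update is off and recommends that Windows Update, Windows Defender and MSRT remain enabled unless WSUS, System Center Configuration Manager or a third-party antimalware solution is in place; the bullet should carry that caveat (or point to the Security-level note) so readers do not disable patching to reduce telemetry. The "Windows Update" section has the same gap: only the automatic-update switch is marked "This is not recommended", while the DoNotConnectToWindowsUpdateInternetLocations and DisableWindowsUpdateAccess entries, which cut the device off from updates entirely, carry no warning. In the Windows ICD steps, the "Encrypt package" and "Sign package" check boxes are presented as optional even though the preceding paragraph suggests emailing the package or placing it on a network share; consider recommending signing there. The ICD value names also deserve a sentence of warning, since "Full" maps to the Enhanced level and "Diagnostic" maps to the Full level. Smaller fixes in this hunk: "theConnected User Experience" is missing a space; "fullsleep" should read "fully sleep"; "Window Defender requires" should be "Windows Defender requires"; "and the click **OK**" should be "and then click **OK**"; "**Enhanced** Additional insights" and "**Malicious Software Removal Tool (MSRT)** The MSRT" are missing the period after the bold term; and the component is called "Connected User Experiences and Telemetry" once in the Data Management Service paragraph but "Connected User Experience and Telemetry" everywhere else.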
diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md new file mode 100644 index 0000000000..d751c6d2f2 --- /dev/null +++ b/windows/manage/distribute-apps-from-your-private-store.md 
@@ -0,0 +1,75 @@ +--- +title: Distribute apps using your private store (Windows 10) +description: The private store is a feature in Windows Store for Business that organizations receive during the sign up process. +ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Distribute apps using your private store + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +The private store is a feature in Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. + +You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app. + +**To acquire an app and make it available in your private store** + +1. Sign in to the Store for Business. + +2. Click an app and then click **Get the app** to acquire the app for your organization. + +3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.** + + ![](images/wsfb-distribute.png) + + It will take approximately twelve hours before the app is available in the private store. + +**To make an app in inventory available in your private store** + +1. Sign in to the Store for Business. + +2. Click **Manage**, and then choose **Inventory**. + + ![](images/wsfb-manageinventory.png) + +3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. + +4. 
From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. + + ![](images/wsfb-inventoryaddprivatestore.png) + +The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. + +Employees can claim apps that admins added to the private store by doing the following. + +**To claim an app from the private store** + +1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. + +2. Click the **private store** tab. + +3. Click the app you want to install, and then click **Install**. + +## Related topics + + +[Manage access to private store](manage-access-to-private-store.md) + +[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) + +  + +  + + + + + diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md new file mode 100644 index 0000000000..28f762ec11 --- /dev/null +++ b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md @@ -0,0 +1,64 @@ +--- +title: Distribute apps to your employees from the Windows Store for Business (Windows 10) +description: Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store. +ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Distribute apps to your employees from the Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Distribute apps using your private store](distribute-apps-from-your-private-store.md)

The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.

[Assign apps to employees](assign-apps-to-employees.md)

Administrators can assign online-licensed apps to employees in their organization.

[Distribute apps with a management tool](distribute-apps-with-management-tool.md)

You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.

[Distribute offline apps](distribute-offline-apps.md)

Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.

+ +  + +  + +  + + + + + diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md new file mode 100644 index 0000000000..37824f30c5 --- /dev/null +++ b/windows/manage/distribute-apps-with-management-tool.md 
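Review bot: The "To claim an app from the private store" procedure in distribute-apps-from-your-private-store.md tells employees to sign in with their Azure AD credentials but never states the prerequisite; distribute-offline-apps.md in this same change says Azure AD accounts are required to claim apps from a private store, so state that requirement here too (or link the "Manage access to private store" topic for it). "It will take approximately twelve hours before the app is available in the private store" appears in both procedures; keep one occurrence or move it to the intro. In distribute-apps-to-your-employees-windows-store-for-business.md the "In this section" table repeats the full first paragraph of each target topic as its description; the "Distribute offline apps" row in particular carries five sentences that belong in the topic itself, so trim each description to one sentence.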
@@ -0,0 +1,73 @@ +--- +title: Distribute apps with a management tool (Windows 10) +description: You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content. +ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Distribute apps with a management tool + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content. + +Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business. + +In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). + +Store for Business services provide: + +- Services for third-party MDM tools. + +- Synchronize app purchases and updates. + +- Synchronize metadata. For offline-licensed apps, also synchronize offline app package and offline licenses. + +- The ability to download offline-licensed apps from Store for Business. + +MDM tool requirements: + +- Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services. + +- Must be configured in Azure AD, and Store for Business. + +- Azure AD identity is required to authorize Store for Business services. 
+ +## Distribute offline-licensed apps + + +If your vendor doesn’t support the ability to synchronize applications from the management tool services or cannot connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-windows-store-for-business.md#licensing-model) + +This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices. + +![](images/wsfb-offline-distribute-mdm.png) + +## Distribute online-licensed apps + + +This diagram shows how you can use a management tool to distribute an online-licensed app to employees in your organization. Once synchronized from Store for Business, management tools use the Windows Management framework to distribute applications to devices. For Online licensed applications, the management tool calls back in to Store for Business management services to assign an application prior to issuing the policy to install the application. + +![](images/wsfb-online-distribute-mdm.png) + +## Related topics + + +[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md) + +[Manage apps you purchased from the Windows Store for Business with Micosoft InTune](https://technet.microsoft.com/library/mt676514.aspx) + +  + +  + + + + + diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md new file mode 100644 index 0000000000..f4f70c7983 --- /dev/null +++ b/windows/manage/distribute-offline-apps.md 
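Review bot: The same target is linked two ways in this file: `[Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)` in the body and `[Configure MDM Provider](../manage/configure-mdm-provider-windows-store-for-business.md)` under Related topics; the file already lives in windows/manage, so drop the `../manage/` prefix and match the capitalization. The "Store for Business services provide" list mixes a noun ("Services for third-party MDM tools") with verb phrases ("Synchronize app purchases and updates"); rewrite the first bullet as a verb phrase or fold it into the lead sentence. The related link "Manage apps you purchased from the Windows Store for Business with Micosoft InTune" misspells both "Microsoft" and "Intune", and "For Online licensed applications" in the online-licensed section should be lower-case "online-licensed" to match the headings.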
@@ -0,0 +1,88 @@ +--- +title: Distribute offline apps (Windows 10) +description: Offline licensing is a new licensing option for Windows 10. +ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Distribute offline apps + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Windows Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. + +## Why offline-licensed apps? + + +Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps include: + +- **You don't have access to Windows Store services** - If your employees don't have access to the internet and Windows Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. + +- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). + +- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Store for Business or that claim apps from a private store. + +## Distribution options for offline-licensed apps + + +You can't distribute offline-licensed apps directly from the Store for Business. 
Once you download the items for the offline-licensed app, you have three options for distributing the apps: + +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx). + +- **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx). + +- **Management server.** + +## Download an offline-licensed app + + +There are several items to download or create for offline-licensed apps. You'll need all of these items to distribute offline apps to your employees. This section includes more info on each item, and tells you how to download an offline-licensed app. + +- **App metadata** -- App metadata is required for distributing offline apps. The metadata includes app details, links to icons, product id, localized product ids, and other items. + +- **App package** -- App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. + +- **App license** -- App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. 
Use unencoded licenses when you distribute offline-licensed apps using DISM. + +- **App frameworks** -- App frameworks are required for distributing offline apps, but you might not need to download one. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. + + +**To download an offline-licensed app** + +1. Sign in to the Store for Business + +2. Click **Manage**, and then choose **Inventory**. + +3. Click **Refine**, and then choose **Offline**. + +4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**. + +5. To download app metadata: choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. + +6. To download app package for offline use: click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. + +7. To download an app license: choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. + +8. To download an app framework: find the framework you need to support your app package, and click **Download**. + **Note**   + You need the framework to support your app package, but if you already have a copy, you don't need to download it again. + + Frameworks are backward compatible. + +   + +  + +  + + + + + diff --git a/windows/manage/find-and-acquire-apps-overview.md b/windows/manage/find-and-acquire-apps-overview.md new file mode 100644 index 0000000000..dbb7882835 --- /dev/null +++ b/windows/manage/find-and-acquire-apps-overview.md 
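Review bot: in distribute-offline-apps.md the introduction to "Distribution options for offline-licensed apps" says "you have three options for distributing the apps", but the third bullet, "**Management server.**", carries no description, so the management-tool path that the DISM and ICD bullets get (and that the "App license" bullet relies on when it says to use encoded licenses with a management tool) is left undefined; either add a sentence describing that option or drop the claim of three. Two smaller points in the same hunk: the DISM bullet reads "Microsoft WindowsWindows images" (duplicated word), and the ICD bullet reads "ICD is GUI tool" (missing "a"). The file also closes with several lines containing only a non-breaking space; the same conversion artifact appears at the end of each new file in this patch and can be removed.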
@@ -0,0 +1,56 @@ +--- +title: Find and acquire apps (Windows 10) +description: Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. +ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Find and acquire apps + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)

Store for Business has thousands of apps from many different categories.

[Working with line-of-business apps](working-with-line-of-business-apps.md)

Your company can make line-of-business (LOB) applications available through Store for Business. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry.

+ +  + +  + +  + + + + + diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md new file mode 100644 index 0000000000..463a578534 --- /dev/null +++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md 
@@ -0,0 +1,236 @@ +--- +title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10) +description: Configuration service providers (CSPs) expose device configuration settings in Windows 10. +ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Introduction to configuration service providers (CSPs) for IT pros + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs. + +The CSPs are documented on the [Hardware Dev Center](http://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations. + +**Note**   +The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. + +  + +## What is a CSP? + + +A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. Their function is similar to that of Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable and some are read-only. + +Starting in Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. 
In the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10. + +Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](http://go.microsoft.com/fwlink/p/?LinkId=717438) contains the settings to create a Wi-Fi profile. + +CSPs are behind many of the management tasks and policies for Windows 10 in Microsoft Intune and non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). + +![how intune maps to csp](images/policytocsp.png) + +CSPs receive configuration policies in the XML-based SyncML format pushed to it from an MDM-compliant management server such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs by using a client-side WMI-to-CSP bridge. + +### Synchronization Markup Language (SyncML) + +The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations. 
+ +### The WMI-to-CSP Bridge + +The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs via scripts and traditional enterprise management software such as Configuration Manager using Windows Management Instrumentation (WMI). The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. + +[Learn how to use the WMI Bridge Provider with PowerShell.](http://go.microsoft.com/fwlink/p/?LinkId=761090) + +## Why should you learn about CSPs? + + +Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. + +In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. + +In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) which links to the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. + +### CSPs in Windows Imaging and Configuration Designer (ICD) + +You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](http://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs. 
+ +Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. + +![how help content appears in icd](images/cspinicd.png) + +[Configure devices without MDM](configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. + +### CSPs in MDM + +Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might simply be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](http://go.microsoft.com/fwlink/p/?LinkId=717390). + +When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](http://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](http://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](http://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information. + +### CSPs in Lockdown XML + +Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601). 
+ +## How do you use the CSP documentation? + + +All CSPs in Windows 10 are documented in the [Configuration service provider reference](http://go.microsoft.com/fwlink/p/?LinkId=717390). + +The [main CSP topic](http://go.microsoft.com/fwlink/p/?LinkId=717390) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. + +![csp per windows edition](images/csptable.png) + +The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. + +The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices’ root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path. + +The following example shows the diagram for the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied. + +![assigned access csp tree](images/provisioning-csp-assignedaccess.png) + +The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see it uses the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608). + +```XML +./Vendor/MSFT/AssignedAccess/KioskModeApp +``` + +When an element in the diagram uses italic font, it indicates a placeholder for specific information, such as the tenant ID in the following example. 
+ +![placeholder in csp tree](images/csp-placeholder.png) + +After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. + +For example, in the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. + +The documentation for most CSPs will also include an XML example. + +## CSP examples + + +CSPs provide access to a number of settings useful to enterprises. This section introduces two CSPs that an enterprise might find particularly useful. + +- [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601) + + The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app. + + In addition to lockscreen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml which can be used to lock down the device through the following settings: + + - Enabling or disabling the Action Center. + - Configuring the number of tile columns in the Start layout. + - Restricting the apps that will be available on the device. + - Restricting the settings that the user can access. + - Restricting the hardware buttons that will be operable. + - Restricting access to the context menu. + - Enabling or disabling tile manipulation. + - Creating role-specific configurations. +- [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244) + + The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. 
Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. + + Some of the settings available in the Policy CSP include the following: + + - **Accounts**, such as whether a non-Microsoft account can be added to the device + - **Application management**, such as whether only Windows Store apps are allowed + - **Bluetooth**, such as the services allowed to use it + - **Browser**, such as restricting InPrivate browsing + - **Connectivity**, such as whether the device can be connected to a computer by USB + - **Defender** (for desktop only), such as day and time to scan + - **Device lock**, such as the type of PIN or password required to unlock the device + - **Experience**, such as allowing Cortana + - **Security**, such as whether provisioning packages are allowed + - **Settings**, such as allowing the user to change VPN settings + - **Start**, such as applying a standard Start layout + - **System**, such as allowing the user to reset the device + - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft + - **Update**, such as specifying whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store + - **WiFi**, such as whether to enable Internet sharing + +Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both: + +- [ActiveSync CSP](http://go.microsoft.com/fwlink/p/?LinkId=723219) +- [Application CSP](http://go.microsoft.com/fwlink/p/?LinkId=723220) +- [AppLocker CSP](http://go.microsoft.com/fwlink/p/?LinkID=626609) +- [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608) +- [Bootstrap CSP](http://go.microsoft.com/fwlink/p/?LinkId=723224) +- [BrowserFavorite CSP](http://go.microsoft.com/fwlink/p/?LinkId=723428) +- [CellularSettings CSP](http://go.microsoft.com/fwlink/p/?LinkId=723427) +- [CertificateStore 
CSP](http://go.microsoft.com/fwlink/p/?LinkId=723225) +- [ClientCertificateInstall CSP](http://go.microsoft.com/fwlink/p/?LinkId=723226) +- [CM\_CellularEntries CSP](http://go.microsoft.com/fwlink/p/?LinkId=723426) +- [CM\_ProxyEntries CSP](http://go.microsoft.com/fwlink/p/?LinkId=723425) +- [CMPolicy CSP](http://go.microsoft.com/fwlink/p/?LinkId=723424) +- [Defender CSP](http://go.microsoft.com/fwlink/p/?LinkId=723227) +- [DevDetail CSP](http://go.microsoft.com/fwlink/p/?LinkId=723228) +- [DeviceInstanceService CSP](http://go.microsoft.com/fwlink/p/?LinkId=723275) +- [DeviceLock CSP](http://go.microsoft.com/fwlink/p/?LinkId=723370) +- [DeviceStatus CSP](http://go.microsoft.com/fwlink/p/?LinkId=723229) +- [DevInfo CSP](http://go.microsoft.com/fwlink/p/?LinkId=723230) +- [DiagnosticLog CSP](http://go.microsoft.com/fwlink/p/?LinkId=723231) +- [DMAcc CSP](http://go.microsoft.com/fwlink/p/?LinkId=723232) +- [DMClient CSP](http://go.microsoft.com/fwlink/p/?LinkId=723233) +- [Email2 CSP](http://go.microsoft.com/fwlink/p/?LinkId=723234) +- [EnterpriseAPN CSP](http://go.microsoft.com/fwlink/p/?LinkId=723235) +- [EnterpriseAppManagement CSP](http://go.microsoft.com/fwlink/p/?LinkId=723237) +- [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601) +- [EnterpriseDesktopAppManagement CSP](http://go.microsoft.com/fwlink/p/?LinkId=723236) +- [EnterpriseExt CSP](http://go.microsoft.com/fwlink/p/?LinkId=723423) +- [EnterpriseExtFileSystem CSP](http://go.microsoft.com/fwlink/p/?LinkID=703716) +- [EnterpriseModernAppManagement CSP](http://go.microsoft.com/fwlink/p/?LinkId=723257) +- [FileSystem CSP](http://go.microsoft.com/fwlink/p/?LinkId=723422) +- [HealthAttestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=723258) +- [HotSpot CSP](http://go.microsoft.com/fwlink/p/?LinkId=723421) +- [Maps CSP](http://go.microsoft.com/fwlink/p/?LinkId=723420) +- [NAP CSP](http://go.microsoft.com/fwlink/p/?LinkId=723419) +- [NAPDEF 
CSP](http://go.microsoft.com/fwlink/p/?LinkId=723371) +- [NodeCache CSP]( http://go.microsoft.com/fwlink/p/?LinkId=723265) +- [PassportForWork CSP](http://go.microsoft.com/fwlink/p/?LinkID=692070) +- [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244) +- [PolicyManager CSP]( http://go.microsoft.com/fwlink/p/?LinkId=723418) +- [Provisioning CSP](http://go.microsoft.com/fwlink/p/?LinkId=723266) +- [Proxy CSP]( http://go.microsoft.com/fwlink/p/?LinkId=723372) +- [PXLOGICAL CSP](http://go.microsoft.com/fwlink/p/?LinkId=723374) +- [Registry CSP](http://go.microsoft.com/fwlink/p/?LinkId=723417) +- [RemoteFind CSP](http://go.microsoft.com/fwlink/p/?LinkId=723267) +- [RemoteWipe CSP](http://go.microsoft.com/fwlink/p/?LinkID=703714) +- [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkId=723375) +- [RootCATrustedCertificates CSP](http://go.microsoft.com/fwlink/p/?LinkId=723270) +- [SecurityPolicy CSP](http://go.microsoft.com/fwlink/p/?LinkId=723376) +- [Storage CSP](http://go.microsoft.com/fwlink/p/?LinkId=723377) +- [SUPL CSP](http://go.microsoft.com/fwlink/p/?LinkId=723378) +- [UnifiedWriteFilter CSP](http://go.microsoft.com/fwlink/p/?LinkId=723272) +- [Update CSP](http://go.microsoft.com/fwlink/p/?LinkId=723271) +- [VPN CSP](http://go.microsoft.com/fwlink/p/?LinkId=723416) +- [VPNv2 CSP](http://go.microsoft.com/fwlink/p/?LinkID=617588) +- [Wi-Fi CSP](http://go.microsoft.com/fwlink/p/?LinkID=71743) +- [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkId=723274) +- [WindowsSecurityAuditing CSP](http://go.microsoft.com/fwlink/p/?LinkId=723415) + +## Related topics + + +[Lock down Windows 10](lock-down-windows-10.md) + +[Manage corporate devices](manage-corporate-devices.md) + +[New policies for Windows 10](new-policies-for-windows-10.md) + +[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) + +[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + 
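Review bot: in the CSP list near the end of how-it-pros-can-use-configuration-service-providers.md the Wi-Fi CSP entry links to `?LinkID=71743`, one digit short of the `?LinkId=717438` used for the same CSP earlier in the file ("the Wi-Fi CSP contains the settings to create a Wi-Fi profile"), so the list entry will resolve to a different fwlink target or none; use the same ID in both places. Also in this file: "in the following OMS-URI path for the kiosk mode app settings" should read "OMA-URI", the term the file defines as Open Mobile Alliance - Uniform Resource Identifier; the link "[CSP documentation](#bkmk-csp-doc)" under "Why should you learn about CSPs?" targets an anchor that no heading in the file defines (the relevant heading is "How do you use the CSP documentation?"); and the NodeCache, PolicyManager and Proxy entries have a stray space after the opening parenthesis of the link target (`]( http://...`), which some markdown renderers will not treat as a link. Minor: "CSPs receive configuration policies in the XML-based SyncML format pushed to it" pairs a plural subject with a singular "it".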
diff --git a/windows/manage/images/aadj1.jpg b/windows/manage/images/aadj1.jpg new file mode 100644 index 0000000000..2348fc4c84 Binary files /dev/null and b/windows/manage/images/aadj1.jpg differ diff --git a/windows/manage/images/aadj2.jpg b/windows/manage/images/aadj2.jpg new file mode 100644 index 0000000000..39486bfc66 Binary files /dev/null and b/windows/manage/images/aadj2.jpg differ diff --git a/windows/manage/images/aadj3.jpg b/windows/manage/images/aadj3.jpg new file mode 100644 index 0000000000..80e1f5762f Binary files /dev/null and b/windows/manage/images/aadj3.jpg differ diff --git a/windows/manage/images/aadj4.jpg b/windows/manage/images/aadj4.jpg new file mode 100644 index 0000000000..0db2910012 Binary files /dev/null and b/windows/manage/images/aadj4.jpg differ diff --git a/windows/manage/images/aadjbrowser.jpg b/windows/manage/images/aadjbrowser.jpg new file mode 100644 index 0000000000..c8d909688e Binary files /dev/null and b/windows/manage/images/aadjbrowser.jpg differ diff --git a/windows/manage/images/aadjcal.jpg b/windows/manage/images/aadjcal.jpg new file mode 100644 index 0000000000..1858886f5f Binary files /dev/null and b/windows/manage/images/aadjcal.jpg differ diff --git a/windows/manage/images/aadjcalmail.jpg b/windows/manage/images/aadjcalmail.jpg new file mode 100644 index 0000000000..5a5661259a Binary files /dev/null and b/windows/manage/images/aadjcalmail.jpg differ diff --git a/windows/manage/images/aadjmail1.jpg b/windows/manage/images/aadjmail1.jpg new file mode 100644 index 0000000000..89b1fcc3b7 Binary files /dev/null and b/windows/manage/images/aadjmail1.jpg differ diff --git a/windows/manage/images/aadjmail2.jpg b/windows/manage/images/aadjmail2.jpg new file mode 100644 index 0000000000..0608010c6a Binary files /dev/null and b/windows/manage/images/aadjmail2.jpg differ 
diff --git a/windows/manage/images/aadjmail3.jpg b/windows/manage/images/aadjmail3.jpg new file mode 100644 index 0000000000..d7154a7e0e Binary files /dev/null and b/windows/manage/images/aadjmail3.jpg differ diff --git a/windows/manage/images/aadjonedrive.jpg b/windows/manage/images/aadjonedrive.jpg new file mode 100644 index 0000000000..6fb1196d5f Binary files /dev/null and b/windows/manage/images/aadjonedrive.jpg differ diff --git a/windows/manage/images/aadjonenote.jpg b/windows/manage/images/aadjonenote.jpg new file mode 100644 index 0000000000..4ccd207f9f Binary files /dev/null and b/windows/manage/images/aadjonenote.jpg differ diff --git a/windows/manage/images/aadjonenote2.jpg b/windows/manage/images/aadjonenote2.jpg new file mode 100644 index 0000000000..1b6941e638 Binary files /dev/null and b/windows/manage/images/aadjonenote2.jpg differ diff --git a/windows/manage/images/aadjonenote3.jpg b/windows/manage/images/aadjonenote3.jpg new file mode 100644 index 0000000000..3ac6911046 Binary files /dev/null and b/windows/manage/images/aadjonenote3.jpg differ diff --git a/windows/manage/images/aadjpin.jpg b/windows/manage/images/aadjpin.jpg new file mode 100644 index 0000000000..dac6cfec30 Binary files /dev/null and b/windows/manage/images/aadjpin.jpg differ diff --git a/windows/manage/images/aadjppt.jpg b/windows/manage/images/aadjppt.jpg new file mode 100644 index 0000000000..268d5fe662 Binary files /dev/null and b/windows/manage/images/aadjppt.jpg differ diff --git a/windows/manage/images/aadjverify.jpg b/windows/manage/images/aadjverify.jpg new file mode 100644 index 0000000000..7b30210f39 Binary files /dev/null and b/windows/manage/images/aadjverify.jpg differ diff --git a/windows/manage/images/aadjword.jpg b/windows/manage/images/aadjword.jpg new file mode 100644 index 0000000000..db2a58406e Binary files /dev/null and b/windows/manage/images/aadjword.jpg differ 
diff --git a/windows/manage/images/aadjwsfb.jpg b/windows/manage/images/aadjwsfb.jpg new file mode 100644 index 0000000000..428f1a26d4 Binary files /dev/null and b/windows/manage/images/aadjwsfb.jpg differ diff --git a/windows/manage/images/apprule.png b/windows/manage/images/apprule.png new file mode 100644 index 0000000000..ec5417849a Binary files /dev/null and b/windows/manage/images/apprule.png differ diff --git a/windows/manage/images/appwarning.png b/windows/manage/images/appwarning.png new file mode 100644 index 0000000000..877d8afebd Binary files /dev/null and b/windows/manage/images/appwarning.png differ diff --git a/windows/manage/images/backicon.png b/windows/manage/images/backicon.png new file mode 100644 index 0000000000..3007e448b1 Binary files /dev/null and b/windows/manage/images/backicon.png differ diff --git a/windows/manage/images/checkmark.png b/windows/manage/images/checkmark.png new file mode 100644 index 0000000000..04cc421e12 Binary files /dev/null and b/windows/manage/images/checkmark.png differ diff --git a/windows/manage/images/configconflict.png b/windows/manage/images/configconflict.png new file mode 100644 index 0000000000..011a2d76e7 Binary files /dev/null and b/windows/manage/images/configconflict.png differ diff --git a/windows/manage/images/crossmark.png b/windows/manage/images/crossmark.png new file mode 100644 index 0000000000..2b267dc802 Binary files /dev/null and b/windows/manage/images/crossmark.png differ diff --git a/windows/manage/images/csp-placeholder.png b/windows/manage/images/csp-placeholder.png new file mode 100644 index 0000000000..fe6bcf4720 Binary files /dev/null and b/windows/manage/images/csp-placeholder.png differ diff --git a/windows/manage/images/cspinicd.png b/windows/manage/images/cspinicd.png new file mode 100644 index 0000000000..a60ad9e2bf Binary files /dev/null and b/windows/manage/images/cspinicd.png differ 
diff --git a/windows/manage/images/csptable.png b/windows/manage/images/csptable.png new file mode 100644 index 0000000000..ee210cad69 Binary files /dev/null and b/windows/manage/images/csptable.png differ diff --git a/windows/manage/images/doneicon.png b/windows/manage/images/doneicon.png new file mode 100644 index 0000000000..d80389f35b Binary files /dev/null and b/windows/manage/images/doneicon.png differ diff --git a/windows/manage/images/genrule.png b/windows/manage/images/genrule.png new file mode 100644 index 0000000000..1d68f1ad0b Binary files /dev/null and b/windows/manage/images/genrule.png differ diff --git a/windows/manage/images/icdbrowse.png b/windows/manage/images/icdbrowse.png new file mode 100644 index 0000000000..53c91074c7 Binary files /dev/null and b/windows/manage/images/icdbrowse.png differ diff --git a/windows/manage/images/identitychoices.png b/windows/manage/images/identitychoices.png new file mode 100644 index 0000000000..9a69c04f20 Binary files /dev/null and b/windows/manage/images/identitychoices.png differ diff --git a/windows/manage/images/launchicon.png b/windows/manage/images/launchicon.png new file mode 100644 index 0000000000..d469c68a2c Binary files /dev/null and b/windows/manage/images/launchicon.png differ diff --git a/windows/manage/images/lockdownapps.png b/windows/manage/images/lockdownapps.png new file mode 100644 index 0000000000..ad928d87bc Binary files /dev/null and b/windows/manage/images/lockdownapps.png differ diff --git a/windows/manage/images/mdm.png b/windows/manage/images/mdm.png new file mode 100644 index 0000000000..8ebcc00526 Binary files /dev/null and b/windows/manage/images/mdm.png differ diff --git a/windows/manage/images/package.png b/windows/manage/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/windows/manage/images/package.png differ 
diff --git a/windows/manage/images/phoneprovision.png b/windows/manage/images/phoneprovision.png new file mode 100644 index 0000000000..01ada29ac9 Binary files /dev/null and b/windows/manage/images/phoneprovision.png differ diff --git a/windows/manage/images/policytocsp.png b/windows/manage/images/policytocsp.png new file mode 100644 index 0000000000..80ca76cb62 Binary files /dev/null and b/windows/manage/images/policytocsp.png differ diff --git a/windows/manage/images/powericon.png b/windows/manage/images/powericon.png new file mode 100644 index 0000000000..b497ff859d Binary files /dev/null and b/windows/manage/images/powericon.png differ diff --git a/windows/manage/images/priv-telemetry-levels.png b/windows/manage/images/priv-telemetry-levels.png new file mode 100644 index 0000000000..9581cee54d Binary files /dev/null and b/windows/manage/images/priv-telemetry-levels.png differ diff --git a/windows/manage/images/provisioning-csp-assignedaccess.png b/windows/manage/images/provisioning-csp-assignedaccess.png new file mode 100644 index 0000000000..14d49cdd89 Binary files /dev/null and b/windows/manage/images/provisioning-csp-assignedaccess.png differ diff --git a/windows/manage/images/resetdevice.png b/windows/manage/images/resetdevice.png new file mode 100644 index 0000000000..4e265c3f8d Binary files /dev/null and b/windows/manage/images/resetdevice.png differ diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png new file mode 100644 index 0000000000..1a4aff8def Binary files /dev/null and b/windows/manage/images/settings-table.png differ diff --git a/windows/manage/images/settingsicon.png b/windows/manage/images/settingsicon.png new file mode 100644 index 0000000000..0ad27fc558 Binary files /dev/null and b/windows/manage/images/settingsicon.png differ 
diff --git a/windows/manage/images/start-pinned-app.png b/windows/manage/images/start-pinned-app.png new file mode 100644 index 0000000000..e1e4a24a00 Binary files /dev/null and b/windows/manage/images/start-pinned-app.png differ diff --git a/windows/manage/images/startannotated.png b/windows/manage/images/startannotated.png new file mode 100644 index 0000000000..d46f3a70c2 Binary files /dev/null and b/windows/manage/images/startannotated.png differ diff --git a/windows/manage/images/starticon.png b/windows/manage/images/starticon.png new file mode 100644 index 0000000000..fa8cbdff10 Binary files /dev/null and b/windows/manage/images/starticon.png differ diff --git a/windows/manage/images/startlayoutpolicy.jpg b/windows/manage/images/startlayoutpolicy.jpg new file mode 100644 index 0000000000..d3c8d054fe Binary files /dev/null and b/windows/manage/images/startlayoutpolicy.jpg differ diff --git a/windows/manage/images/starttemplate.jpg b/windows/manage/images/starttemplate.jpg new file mode 100644 index 0000000000..900eed08c5 Binary files /dev/null and b/windows/manage/images/starttemplate.jpg differ diff --git a/windows/manage/images/w10servicing-f1-branches.png b/windows/manage/images/w10servicing-f1-branches.png new file mode 100644 index 0000000000..ac4a549aed Binary files /dev/null and b/windows/manage/images/w10servicing-f1-branches.png differ diff --git a/windows/manage/images/wifisense-grouppolicy.png b/windows/manage/images/wifisense-grouppolicy.png new file mode 100644 index 0000000000..1142d834bd Binary files /dev/null and b/windows/manage/images/wifisense-grouppolicy.png differ diff --git a/windows/manage/images/wifisense-registry.png b/windows/manage/images/wifisense-registry.png new file mode 100644 index 0000000000..cbb1fa8347 Binary files /dev/null and b/windows/manage/images/wifisense-registry.png differ 
diff --git a/windows/manage/images/wifisense-settingscreens.png b/windows/manage/images/wifisense-settingscreens.png new file mode 100644 index 0000000000..cbb6903177 Binary files /dev/null and b/windows/manage/images/wifisense-settingscreens.png differ diff --git a/windows/manage/images/win10-mobile-mdm-fig1.png b/windows/manage/images/win10-mobile-mdm-fig1.png new file mode 100644 index 0000000000..6ddac1df99 Binary files /dev/null and b/windows/manage/images/win10-mobile-mdm-fig1.png differ diff --git a/windows/manage/images/win10servicing-fig2-featureupgrade.png b/windows/manage/images/win10servicing-fig2-featureupgrade.png new file mode 100644 index 0000000000..e4dc76b44f Binary files /dev/null and b/windows/manage/images/win10servicing-fig2-featureupgrade.png differ diff --git a/windows/manage/images/win10servicing-fig3.png b/windows/manage/images/win10servicing-fig3.png new file mode 100644 index 0000000000..688f92b173 Binary files /dev/null and b/windows/manage/images/win10servicing-fig3.png differ diff --git a/windows/manage/images/win10servicing-fig4-upgradereleases.png b/windows/manage/images/win10servicing-fig4-upgradereleases.png new file mode 100644 index 0000000000..961c8bebe2 Binary files /dev/null and b/windows/manage/images/win10servicing-fig4-upgradereleases.png differ diff --git a/windows/manage/images/win10servicing-fig5.png b/windows/manage/images/win10servicing-fig5.png new file mode 100644 index 0000000000..dc4b2fc5b2 Binary files /dev/null and b/windows/manage/images/win10servicing-fig5.png differ diff --git a/windows/manage/images/win10servicing-fig6.png b/windows/manage/images/win10servicing-fig6.png new file mode 100644 index 0000000000..4cdc5f9c6f Binary files /dev/null and b/windows/manage/images/win10servicing-fig6.png differ 
diff --git a/windows/manage/images/win10servicing-fig7.png b/windows/manage/images/win10servicing-fig7.png new file mode 100644 index 0000000000..0a9a851449 Binary files /dev/null and b/windows/manage/images/win10servicing-fig7.png differ diff --git a/windows/manage/images/wsfb-distribute.png b/windows/manage/images/wsfb-distribute.png new file mode 100644 index 0000000000..f276ca5211 Binary files /dev/null and b/windows/manage/images/wsfb-distribute.png differ diff --git a/windows/manage/images/wsfb-firstrun.png b/windows/manage/images/wsfb-firstrun.png new file mode 100644 index 0000000000..2673567a1e Binary files /dev/null and b/windows/manage/images/wsfb-firstrun.png differ diff --git a/windows/manage/images/wsfb-inventory-viewlicense.png b/windows/manage/images/wsfb-inventory-viewlicense.png new file mode 100644 index 0000000000..9fafad1aff Binary files /dev/null and b/windows/manage/images/wsfb-inventory-viewlicense.png differ diff --git a/windows/manage/images/wsfb-inventoryaddprivatestore.png b/windows/manage/images/wsfb-inventoryaddprivatestore.png new file mode 100644 index 0000000000..b7152ea973 Binary files /dev/null and b/windows/manage/images/wsfb-inventoryaddprivatestore.png differ diff --git a/windows/manage/images/wsfb-landing.png b/windows/manage/images/wsfb-landing.png new file mode 100644 index 0000000000..beae0b52af Binary files /dev/null and b/windows/manage/images/wsfb-landing.png differ diff --git a/windows/manage/images/wsfb-licenseassign.png b/windows/manage/images/wsfb-licenseassign.png new file mode 100644 index 0000000000..5904abb3b9 Binary files /dev/null and b/windows/manage/images/wsfb-licenseassign.png differ diff --git a/windows/manage/images/wsfb-licensedetails.png b/windows/manage/images/wsfb-licensedetails.png new file mode 100644 index 0000000000..53e0f5c935 Binary files /dev/null and b/windows/manage/images/wsfb-licensedetails.png differ 
diff --git a/windows/manage/images/wsfb-licensereclaim.png b/windows/manage/images/wsfb-licensereclaim.png new file mode 100644 index 0000000000..9f94cd3600 Binary files /dev/null and b/windows/manage/images/wsfb-licensereclaim.png differ diff --git a/windows/manage/images/wsfb-manageinventory.png b/windows/manage/images/wsfb-manageinventory.png new file mode 100644 index 0000000000..9a544ddc21 Binary files /dev/null and b/windows/manage/images/wsfb-manageinventory.png differ diff --git a/windows/manage/images/wsfb-offline-distribute-mdm.png b/windows/manage/images/wsfb-offline-distribute-mdm.png new file mode 100644 index 0000000000..ec0e77a9a9 Binary files /dev/null and b/windows/manage/images/wsfb-offline-distribute-mdm.png differ diff --git a/windows/manage/images/wsfb-onboard-1.png b/windows/manage/images/wsfb-onboard-1.png new file mode 100644 index 0000000000..012e91a845 Binary files /dev/null and b/windows/manage/images/wsfb-onboard-1.png differ diff --git a/windows/manage/images/wsfb-onboard-2.png b/windows/manage/images/wsfb-onboard-2.png new file mode 100644 index 0000000000..2ff98fb1f7 Binary files /dev/null and b/windows/manage/images/wsfb-onboard-2.png differ diff --git a/windows/manage/images/wsfb-onboard-3.png b/windows/manage/images/wsfb-onboard-3.png new file mode 100644 index 0000000000..ed9a61d353 Binary files /dev/null and b/windows/manage/images/wsfb-onboard-3.png differ diff --git a/windows/manage/images/wsfb-onboard-4.png b/windows/manage/images/wsfb-onboard-4.png new file mode 100644 index 0000000000..d99185ddc6 Binary files /dev/null and b/windows/manage/images/wsfb-onboard-4.png differ diff --git a/windows/manage/images/wsfb-onboard-5.png b/windows/manage/images/wsfb-onboard-5.png new file mode 100644 index 0000000000..68049f4425 Binary files /dev/null and b/windows/manage/images/wsfb-onboard-5.png differ 
diff --git a/windows/manage/images/wsfb-onboard-7.png b/windows/manage/images/wsfb-onboard-7.png new file mode 100644 index 0000000000..38b7348b21 Binary files /dev/null and b/windows/manage/images/wsfb-onboard-7.png differ diff --git a/windows/manage/images/wsfb-online-distribute-mdm.png b/windows/manage/images/wsfb-online-distribute-mdm.png new file mode 100644 index 0000000000..4b0f7cbf3a Binary files /dev/null and b/windows/manage/images/wsfb-online-distribute-mdm.png differ diff --git a/windows/manage/images/wsfb-permissions-assignrole.png b/windows/manage/images/wsfb-permissions-assignrole.png new file mode 100644 index 0000000000..de2e1785ba Binary files /dev/null and b/windows/manage/images/wsfb-permissions-assignrole.png differ diff --git a/windows/manage/images/wsfb-privatestore.png b/windows/manage/images/wsfb-privatestore.png new file mode 100644 index 0000000000..74c9f1690d Binary files /dev/null and b/windows/manage/images/wsfb-privatestore.png differ diff --git a/windows/manage/images/wsfb-privatestoreapps.png b/windows/manage/images/wsfb-privatestoreapps.png new file mode 100644 index 0000000000..1ddb543796 Binary files /dev/null and b/windows/manage/images/wsfb-privatestoreapps.png differ diff --git a/windows/manage/images/wsfb-renameprivatestore.png b/windows/manage/images/wsfb-renameprivatestore.png new file mode 100644 index 0000000000..c6db282581 Binary files /dev/null and b/windows/manage/images/wsfb-renameprivatestore.png differ diff --git a/windows/manage/images/wsfb-settings-mgmt.png b/windows/manage/images/wsfb-settings-mgmt.png new file mode 100644 index 0000000000..2a7b590d19 Binary files /dev/null and b/windows/manage/images/wsfb-settings-mgmt.png differ diff --git a/windows/manage/images/wsfb-settings-permissions.png b/windows/manage/images/wsfb-settings-permissions.png new file mode 100644 index 0000000000..63d04d270b Binary files /dev/null and b/windows/manage/images/wsfb-settings-permissions.png differ 
diff --git a/windows/manage/images/wsfb-wsappaddacct.png b/windows/manage/images/wsfb-wsappaddacct.png new file mode 100644 index 0000000000..5c0bd9a4ce Binary files /dev/null and b/windows/manage/images/wsfb-wsappaddacct.png differ diff --git a/windows/manage/images/wsfb-wsappprivatestore.png b/windows/manage/images/wsfb-wsappprivatestore.png new file mode 100644 index 0000000000..9c29e7604c Binary files /dev/null and b/windows/manage/images/wsfb-wsappprivatestore.png differ diff --git a/windows/manage/images/wsfb-wsappsignin.png b/windows/manage/images/wsfb-wsappsignin.png new file mode 100644 index 0000000000..c2c2631a94 Binary files /dev/null and b/windows/manage/images/wsfb-wsappsignin.png differ diff --git a/windows/manage/images/wsfb-wsappworkacct.png b/windows/manage/images/wsfb-wsappworkacct.png new file mode 100644 index 0000000000..5eb9035124 Binary files /dev/null and b/windows/manage/images/wsfb-wsappworkacct.png differ diff --git a/windows/manage/index.md b/windows/manage/index.md new file mode 100644 index 0000000000..35e01bcb09 --- /dev/null +++ b/windows/manage/index.md @@ -0,0 +1,90 @@ +--- +title: Manage and update Windows 10 (Windows 10) +description: Learn about managing and updating Windows 10. +ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0 +keywords: ["Windows 10", "MDM", "WSUS", "Windows update"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Manage and update Windows 10 + + +Learn about managing and updating Windows 10. + +## In this section + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)

Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.

[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)

The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.

[Manage corporate devices](manage-corporate-devices.md)

You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.

[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)

Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.

[Lock down Windows 10](lock-down-windows-10.md)

Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.

[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).

[Configure devices without MDM](configure-devices-without-mdm.md)

Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.

[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)

This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.

[Application development for Windows as a service](application-development-for-windows-as-a-service.md)

In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting.

[Windows Store for Business](windows-store-for-business.md)

Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.

+ +  + +## Related topics + + +[Windows 10 and Windows 10 Mobile](../index.md) + +  + +  + + + + + diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md new file mode 100644 index 0000000000..a473efd209 --- /dev/null +++ b/windows/manage/introduction-to-windows-10-servicing.md 
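Review bot: the "Application development for Windows as a service" row in the "In this section" table pastes the entire "In today's environment ... called flighting" paragraph, which is the same five-sentence passage that appears verbatim under "A different approach for Windows 10" in introduction-to-windows-10-servicing.md, while every other row in this table is a one- or two-sentence summary; trim it to a single sentence (for example, "Learn how Windows as a service and the Windows Insider flighting program shorten product cycles for application developers.") so the index stays a summary and the two copies cannot drift apart. Two smaller nits in the same table: "running Windows 10 : desktops" has a stray space before the colon, and "You can use the Store for Business, to find, acquire" has a spurious comma after "Business". The "Related topics" block also carries two lines containing only a non-breaking space between the heading and the link; blank lines are enough there.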
@@ -0,0 +1,392 @@ +--- +title: Windows 10 servicing options for updates and upgrades (Windows 10) +description: This article describes the new servicing options available in Windows 10. +ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42 +keywords: ["update", "LTSB", "lifecycle", "Windows update", "upgrade"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Windows 10 servicing options for updates and upgrades + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows 10 IoT Core (IoT Core) + +This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and IoT Core and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. + +**Note**   +Several of the figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes. + +  + +## Introduction + + +In enterprise IT environments, the desire to provide users with the latest technologies needs to be balanced with the need for manageability and cost control. In the past, many enterprises managed their Windows deployments homogeneously and performed large-scale upgrades to new releases of Windows (often in parallel with large-scale hardware upgrades) about every three to six years. Today, the rapid evolution of Windows as a platform for device-like experiences is causing businesses to rethink their upgrade strategies. Especially with the release of Windows 10, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows. 
For example, during the development of Windows 10, Microsoft: + +- Streamlined the Windows product engineering and release cycle so that Microsoft can deliver the features, experiences, and functionality customers want, more quickly than ever. + +- Created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. + +- Implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. + +The remainder of this article provides additional information about each of these areas. This article also provides an overview of the planning implications of the three Windows 10 servicing options (summarized in Table 1) so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project. + +Table 1. 
Windows 10 servicing options + +| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | +|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| +| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | +| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro | +| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | + +  + +## Streamlined product development and release cycles + + +**Product cycles and builds** + +The Windows engineering team adds new features and functionality to Windows through *product cycles* comprised of development, testing, and release phases. Each day during a product cycle, the team compiles the source code for Windows and assembles the output into a *build* that users can install on their devices. The first recipients of builds are Microsoft employees who begin what Microsoft calls *selfhost* testing. + +**Testing and release prior to Windows 10** + +Prior to Windows 10, Microsoft issued and extensively tested many builds internally before selecting one for testing outside Microsoft. 
After repeating the external test cycle several times against builds of progressively better quality, the engineering team selected a build to enter the release phase. At the end of this phase, the team published the build as a new version of Windows – an event referred to as the *Release to Manufacturing* (RTM) milestone. In total, product cycles took between one and three years to complete, with testing and release processes taking up as much as half of the total investment in time. + +**A different approach for Windows 10** + +In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation development and delivery called *Windows as a Service* (WaaS). + +The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle, and provide feedback to Microsoft through an iterative methodology called *flighting*. + +Builds distributed as *flights* provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery, and better public release quality than ever. 
+ +**Windows 10 release types and cadences** + +Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: + +- **Feature upgrades** that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. + +- **Servicing updates** that focus on the installation of security fixes and other important updates. + +Microsoft expects to publish an average of two to three new feature upgrades per year, and to publish servicing updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday process when required to address customer needs. + +**The cumulative nature of all Windows 10 releases** + +It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be *cumulative*. This means new feature upgrades and servicing updates will contain the *payloads* of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.   
+ +## New Windows 10 delivery and installation alternatives + + +As with earlier releases of Windows, Windows 10 includes support for the deployment of new releases using Windows Update, Windows Server Update Services, System Center Configuration Manager, and third-party configuration management tools. Because of the importance of the Windows as a Service (WaaS) approach to delivering innovations to businesses, and the proven ability of Windows Update to deploy releases quickly and seamlessly to consumers and small businesses, several of the largest investments in Windows 10 focus on enabling broader use of Windows Update within enterprises. + +**Windows Update use by consumers and small businesses** + +Since Microsoft introduced the first generation of Windows Update with Windows 95, Windows Update has evolved to become the standard way for consumers and small businesses to help keep devices running Windows secure and running reliably. Almost one billion Windows devices communicate with the Windows Update service on a regular basis. The process of downloading and installing updates has evolved to be less and less obtrusive to users. More recently, Microsoft also has used Windows Update to deliver larger, feature-centric updates, such as the upgrade from Windows 8 to Windows 8.1, and is using Windows Update to upgrade devices running Windows 7 and Windows 8.1 to Windows 10. + +**Windows Update use within enterprises** + +Although Windows Update greatly simplifies and accelerates update deployment, enterprises are not using Windows Update as broadly as consumers and small businesses. This is largely because Windows Update maintains control over which updates are installed and the timing of installation. This makes it difficult for IT administrators to test updates before deployment in their specific environment. 
+ +**The role of Windows Server Update Services** + +To help address the concerns of IT administrators, Microsoft released Windows Server Update Services in 2005. Windows Server Update Services enables IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Windows Server Update Services also provides IT administrators with an all or nothing way to specify when they want an approved update to be installed. Because IT administrators ultimately select and install most updates identified by Windows Update, the role of Windows Server Update Services in many enterprises is to provide IT administrators with the additional time they need to gain confidence in the quality of updates prior to deployment. + +**New Windows Update capabilities in Windows 10** + +To enable enterprises to manage more of their devices using Windows Update directly, Windows 10 provides IT administrators with a way to configure devices so that Windows Update will defer new feature upgrade installations until approximately four months after Microsoft first publishes them. The additional time can be used to perform testing or enable releases to gain additional time in market prior to deployment. + +At the end of each approximately four month period, Microsoft executes a set of processes that require no action from enterprise IT administrators. First, Microsoft creates new installation media for the feature upgrade by combining the original installation media with all the servicing updates published by Microsoft since the original media’s release. This reduces the time it can take to install a feature upgrade on a device. 
Second, Microsoft *republishes* the new media to Windows Update with *targeting* instructions that state (in effect) “install this media on devices that are configured for deferred installation of new feature upgrades.” At this point, devices configured to defer installation will begin receiving and installing the feature upgrade automatically. + +**The role of Windows Update for Business** + +Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](http://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available. + +## Windows 10 servicing options + + +Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available. 
+ +In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to: + +- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb). + +- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb). + +- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb). + +The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices. + +## Plan for Windows 10 deployment + + +The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. 
In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment: + +- **When should new feature upgrades be deployed?** Should the device install new feature upgrades when they are published by Microsoft? If so, should installation occur immediately or on a deferred basis? + +- **How will releases be installed on devices?** Will Windows Update or Windows Server Update Services be used to install new releases, or will installation be performed using a configuration management system such as Configuration Manager? + +The content that follows will provide IT administrators with the context needed to understand why these areas are pivotal, and the choices available to them. + +**How Microsoft releases Windows 10 feature upgrades** + +When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 1) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations. + +![figure 1](images/w10servicing-f1-branches.png) + +Figure 1. Feature upgrades and servicing branches + +In all cases, Microsoft creates a servicing branch (referred to in Figure 1 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 1 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years. 
+ +As shown in Figure 2, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades. + +![figure 2](images/win10servicing-fig2-featureupgrade.png) + +Figure 2. Producing feature upgrades from servicing branches + +Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users. + +Concurrently, Microsoft also changes the way the feature upgrade is published in the Windows Update service. In particular, the files used by Windows Update to distribute and install the feature upgrade are refreshed with the updated versions, and the targeting instructions are changed so that the updated feature upgrade will now be installed on devices configured for *deferred* installation of feature upgrades. + +**How Microsoft publishes the Windows 10 Enterprise LTSB Edition** + +If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. 
The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 2 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way. + +**How Microsoft releases Windows 10 servicing updates** + +As shown in Figure 3, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation. + +![figure 3](images/win10servicing-fig3.png) + +Figure 3. Producing servicing updates from servicing branches + +**Release installation alternatives** + +When IT administrators select Windows Update and/or Windows Server Update Services to deploy feature upgrades and servicing updates, Windows 10 and Windows Update will determine and deploy the correct releases for each of the three servicing options at the appropriate times. 
If there are multiple feature upgrades receiving long-term servicing support at the same time, Windows Update will select updates for each device that are appropriate for the feature upgrades they are running. + +When IT administrators manage deployments of feature upgrades and servicing updates directly with configuration management products such as Configuration Manager, they are responsible for the timing of installation of both feature upgrades and servicing updates. It is important to note that until IT administrators install a new servicing update, devices may remain exposed to security vulnerabilities. Therefore, when managing deployments directly, IT administrators should deploy new servicing updates as soon as possible. + +## Servicing options and servicing branch designations + + +Servicing options have several different attributes that affect deployment planning decisions. For example, each servicing option: + +- Is supported on a selected set of Windows 10 editions (and no Windows 10 edition supports all three servicing options). + +- Has a policy that determines the periods of time during which Microsoft will produce servicing updates for a given feature upgrade. + +- Has a policy that determines when devices being managed by Windows Update or Windows Server Update Services will install new feature upgrades when they become available from Microsoft. + +Because the servicing lifetime of a feature upgrade typically ends when the servicing lifetime of the subsequent feature upgrade begins, the length of servicing lifetimes will also vary. To simplify referring to these ranges, Microsoft created *servicing branch designations* for each of the three time range/servicing branch combinations. The designations are Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). 
+ +Because there is a one-to-one mapping between servicing options and servicing branch designations, Microsoft occasionally refers to servicing options using servicing branch-centric terminology. The following sections describe servicing options and servicing branch designations, including terminology, servicing lifetime policies, upgrade behavior, and edition support, in more detail. + +**Service lifetime and feature upgrade installation paths** + +Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary. + +![figure 4](images/win10servicing-fig4-upgradereleases.png) + +Figure 4. Example release cadence across multiple feature upgrades + +To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only. + +The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 4 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning. 
+ +To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions. + +### + +**Immediate feature upgrade installation with Current Branch (CB) servicing** + +As shown in Figure 5, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation. + +![figure 5](images/win10servicing-fig5.png) + +Figure 5. Immediate installation with Current Branch Servicing + +The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release. + +Windows 10 Home supports Windows Update for release deployment. 
Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: + +- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *immediate* feature upgrade installation. + +- When devices are being managed by using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. + +- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain installation media from Microsoft and deploy new feature upgrades immediately by using standard change control processes. IT administrators who use configuration management systems should also make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. + +It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates. + +### + +**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing** + +As shown in Figure 6, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation. + +![figure 6](images/win10servicing-fig6.png) + +Figure 6. 
Deferred installation with Current Branch for Business Servicing + +The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible. + +Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: + +- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *deferred* feature upgrade installation. It is important to note that, even when devices are configured to defer installations, all servicing updates that are applicable to the feature upgrade that is running on a device will be installed immediately after being published by Microsoft in the Windows Update service. + +- When devices are being managed through Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. + +- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain media published for deferred installation from Microsoft and deploy new feature upgrades by using standard change control processes. 
When deferring feature upgrade installations, IT administrators should still deploy all applicable servicing updates as soon as they become available from Microsoft. + +Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end. + +### + +**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing** + +As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section). + +![figure 7](images/win10servicing-fig7.png) + +Figure 7. Servicing updates only using LTSB Servicing + +The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*. 
The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments. + +Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: + +- When IT administrators use Windows Update to manage deployments, Windows Update will install only servicing updates, and do so as soon as they are published by Microsoft in the Windows Update service. Windows Update does not install feature upgrades on devices configured for long-term servicing. + +- When devices are being managed using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. + +- When using configuration management systems such as System Center Configuration Manager to manage deployments, IT administrators should make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. + +**Note**   +It is important to note again that not all feature upgrades will have an LTSB. The initial release of Windows 10, published in July 2015, has an LTSB and Microsoft expects to designate one additional feature upgrade in the next 12 months for long-term support. After that, Microsoft expects to publish feature upgrades with long-term servicing support approximately every two to three years. Microsoft will provide additional information in advance of publishing new feature upgrades so that IT administrators can make informed deployment planning decisions. 
+ +  + +### + +**Considerations when configuring devices for servicing updates only** + +Before deciding to configure a device for LTSB-based servicing, IT administrators should carefully consider the implications of changing to a different servicing option later, and the effect of using Windows 10 Enterprise LTSB on the availability of *in-box* applications. + +Regarding edition changes, it is possible to reconfigure a device running Windows 10 Enterprise LTSB to run Windows 10 Enterprise while preserving the data and applications already on the device. Reconfiguring a device running Windows 10 Enterprise LTSB to run other editions of Windows 10 may require IT administrators to restore data and/or reinstall applications on the device after the other edition has been installed. + +Regarding in-box applications, Windows 10 Enterprise LTSB does not include all the universal apps that are included with other Windows 10 editions. This is because the universal apps included with Windows 10 will be continually upgraded by Microsoft, and new releases of in-box universal apps are unlikely to remain compatible with a feature upgrade of Windows 10 Enterprise LTSB for the duration of its servicing lifetime. Examples of apps that Windows 10 Enterprise LTSB does not include are Microsoft Edge, Windows Store Client, Cortana (limited search capabilities remain available), Outlook Mail, Outlook Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. + +Windows 10 Enterprise LTSB does include Internet Explorer 11, and is compatible with Windows 32 versions of Microsoft Office. IT administrators can also install universal apps on devices when apps are compatible with the feature upgrades running on the device. They should do so with care, however, as servicing updates targeted for devices running Windows 10 Enterprise LTSB will not include security or non-security fixes for universal apps. 
Additionally, Microsoft will not provide servicing updates for specific releases of apps on any Windows 10 edition after the feature upgrade of Windows 10 with which the apps were included reaches the end of its servicing lifetime. + +**Servicing option summary** + +Table 2. Servicing option summary + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ComparisonWindows 10 servicing options
Current Branch (CB)Current Branch for Business (CBB)Long-Term Servicing Branch (LTSB)
Availability of new feature upgrades for installationImmediateDeferred by ~4 monthsNot applicable
Supported editionsWindows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, Windows 10 Mobile, +IoT Core, IoT Core ProWindows 10 Pro, +Windows 10 Education, +Windows 10 Enterprise, Windows 10 Mobile Enterprise, +IoT Core ProWindows 10 Enterprise LTSB
Minimum length of servicing lifetimeApproximately 4 MonthsApproximately 8 months10 years
Ongoing installation of new feature upgrades required to receive servicing updatesYesYesNo
Supports Windows Update for release deploymentYesYesYes
Supports Windows Server Update Services for release deploymentYes +(excludes Home) +YesYes
Supports Configuration Manager/configuration management systems for release deploymentYes +(excludes Home) +YesYes
First party browsers includedMicrosoft Edge, +Internet Explorer 11Microsoft Edge, +IE11IE11
Notable Windows +system apps removed +NoneNoneMicrosoft Edge, Windows Store Client, Cortana (limited search available)
Notable Windows +universal apps removed +NoneNoneOutlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock
+  + +## Related topics + + +[Plan for Windows 10 deployment](../plan/index.md) + +[Deploy Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624776) + +[Manage and update Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=624796) + +  + +  + + + + + diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md new file mode 100644 index 0000000000..cd798c3163 --- /dev/null +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md 
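Review bot: the in-page link `[Considerations when configuring devices for servicing updates only](#servicing-only)` in the LTSB section has no matching anchor in this file: its target is written as an empty `###` heading followed by the bold line `**Considerations when configuring devices for servicing updates only**`, and an empty heading produces no id, so the link will not resolve. Suggest making the bold text the heading itself, for example `### Considerations when configuring devices for servicing updates only`, and either linking to the slug that heading generates or placing an explicit `<a id="servicing-only"></a>` in front of it. The same empty-`###`-plus-bold pattern is used for the CB, CBB and LTSB subsections; promoting each bold line to the heading text also fixes the generated table of contents. Separately, the Table 2 rows arrive with their cell boundaries lost (`ComparisonWindows 10 servicing options`, `Current Branch (CB)Current Branch for Business (CBB)Long-Term Servicing Branch (LTSB)`), so please confirm the table markup survived the commit or rewrite it as a Markdown pipe table like the rest of the page. Minor: `Windows 32 versions of Microsoft Office` presumably means `Win32 versions of Microsoft Office`, and the LTSB bullet says `System Center Configuration Manager` where every other bullet says `Configuration Manager`.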
@@ -0,0 +1,203 @@ +--- +title: Join Windows 10 Mobile to Azure Active Directory (Windows 10) +description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). +ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Join Windows 10 Mobile to Azure Active Directory + + +**Applies to** + +- Windows 10 Mobile + +Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization. + +## Why join Windows 10 Mobile to Azure AD + + +When a device running Windows 10 Mobile is joined to Azure AD, the device can exclusively use a credential owned by your organization, and you can ensure users sign in using the sign-in requirements of your organization. Joining a Windows 10 Mobile device to Azure AD provides many of the same benefits as joining desktop devices, such as: + +- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD. + +- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](http://go.microsoft.com/fwlink/p/?LinkID=746211). + +- SSO to resources on-premises. + +- Automatically enroll in your mobile device management (MDM) service. + +- Enable enterprise roaming of settings. (Not currently supported but on roadmap) + +- Use Windows Store for Business to target applications to users. + +## Are you upgrading current devices to Windows 10 Mobile? + + +Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. 
In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account. + +If you have existing Windows Phone 8.1 devices, the first thing to understand is whether the devices you have can be upgraded to Windows 10 Mobile. Microsoft will be releasing more information about upgrade availability soon. As more information becomes available, it will be posted at [How to get Windows 10 Mobile]( http://go.microsoft.com/fwlink/p/?LinkId=746312). Premier Enterprise customers that have a business need to postpone Windows 10 Mobile upgrade should contact their Technical Account Manager to understand what options may be available. + +Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC. + +To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. 
A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile. + +If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD. + +## The difference between "Add work account" and "Azure AD Join" + + +Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements. + +- You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account. + +- You can add access to Azure AD-backed resources on the device without resetting the device. + +However, neither of these methods provides SSO in the Windows Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](http://go.microsoft.com/fwlink/p/?LinkId=734996) + +Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](http://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM. + +An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook Web Access, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. 
In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password. + +## Preparing for Windows 10 Mobile + + +- **Azure AD configuration** + + Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment. + + By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join. + +- **Device setup** + + A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup. + +- **Mobile device management** + + An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](http://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. 
[Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](http://go.microsoft.com/fwlink/p/?LinkID=691615) + +- **Microsoft Passport** + + Creating a Microsoft Passport (PIN) is required on Windows 10 Mobile by default and cannot be disabled. [You can control Microsoft Passport policies](http://go.microsoft.com/fwlink/p/?LinkId=735079) using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Windows Hello (biometrics such as fingerprint or iris) can be used for Passport authentication. Creating a Microsoft Passport requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Microsoft Passport for Azure AD.](http://go.microsoft.com/fwlink/p/?LinkId=735004) + +- **Conditional access** + + Conditional access policies are also applicable to Windows 10 Mobile. Multifactor authentication and device compliance policies can be applied to users or resources and require that the user or device satisfies these requirements before access to resources is allowed. Policies like **Domain Join** which support traditional domain joining only apply to desktop PC. Policies dependent on IP range will be tough to enforce on a phone as the IP address of the operator is used unless the user has connected to corporate Wi-Fi or a VPN. + +- **Known issues** + + - The apps for **Device backup and restore** and to sync photos to OneDrive only work with the Microsoft account as the primary account—these apps won’t work on devices joined to Azure AD. + + - **Find my Phone** will work depending on how you add a Microsoft account to the device—for example, the Cortana application will sign in with your Microsoft account in a way that makes **Find my Phone** work. Cortana and OneNote both work with Azure AD accounts but must be set up with a Microsoft account first. 
+ + - OneNote requires the user to sign in with a Microsoft account but will also provide access to Notebooks using the Azure AD account. + + - If your organization is configured to federate with Azure AD, your federation proxy will need to be Active Directory Federation Services (ADFS) or a 3rd party which supports WS-Trust endpoints just like ADFS does. + +## How to join Windows 10 Mobile to Azure AD + + +1. During OOBE, on the **Keep your life in sync** screen, choose the option **Sign in with a work account**, and then tap **Next**. + + ![choose how to sign in](images/aadj1.jpg) + +2. Enter your Azure AD account. If your Azure AD account is federated, you will be redirected to your organization's sign-in page; if not, you enter your password here. + + ![sign in](images/aadj2.jpg) + + If you are taken to your organization's sign-in page, you may be required to provide a second factor of authentication. + + ![multi-factor authentication](images/aadj3.jpg) + +3. After authentication completes, the device registration is complete. If your MDM service has a terms of use page, it would be seen here as well. Federated users are required to provide a password again to complete the authentication to Windows. Users with passwords managed in the cloud will not see this additional authentication prompt. This federated login requires your federation server to support a WS-Trust active endpoint. + + ![enter password](images/aadj4.jpg) + +4. Next, you set up a PIN. + + ![set up a pin](images/aadjpin.jpg) + + **Note**  To learn more about the PIN requirement, see [Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md). + +   + +**To verify Azure AD join** + +- Go to **Settings** > **Accounts** > **Your email and accounts**. You will see your Azure AD account listed at the top and also listed as an account used by other apps. 
If auto-enrollment into MDM was configured, you will see in **Settings** > **Accounts** > **Work Access** that the device is correctly enrolled in MDM. If the MDM is pushing a certificate to be used by VPN, then **Settings** > **Network & wireless** > **VPN** will show the ability to connect to your VPN. + + ![verify that device joined azure ad](images/aadjverify.jpg) + +## Set up mail and calendar + + +Setting up email on your Azure AD joined device is simple. Launching the **Mail** app brings you to the **Accounts** page. Most users will have their email accounts hosted in Office 365 and will automatically start syncing. Just tap **Ready to go**. + +![email ready to go](images/aadjmail1.jpg) + +When email is hosted in on-premises Exchange, the user must provide credentials to establish a basic authentication connection to the Exchange server. Tap **Add account** to see the types of mail accounts you can add, including your Azure AD account. + +![email add an account](images/aadjmail2.jpg) + +After you select an account type, you provide credentials to complete setup for that mailbox. + +![set up email account](images/aadjmail3.jpg) + +Setup for the **Calendar** app is similar. Open the app and you'll see your Azure AD account listed -- just tap **Ready to go**. + +![calendar ready to go](images/aadjcal.jpg) + +Return to **Settings** > **Accounts** > **Your email and accounts**, and you will see your Azure AD account listed for **Email, calendar, and contacts**. + +![email, calendar, and contacts](images/aadjcalmail.jpg) + +## Use Office and OneDrive apps + + +Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. 
Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account. + +Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device. + +![word](images/aadjword.jpg) + +Microsoft PowerPoint shows your recently opened slide decks. + +![powerpoint](images/aadjppt.jpg) + +The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience. + +![onedrive](images/aadjonedrive.jpg) + +In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business. + +![browser apps](images/aadjbrowser.jpg) + +OneNote requires a Microsoft account, but you can use it with your Azure AD account as well. + +![sign in to onenote](images/aadjonenote.jpg) + +After you sign in to OneNote, go to Settings > Accounts, and you will see that your Azure AD account is automatically added. + +![onenote settings](images/aadjonenote2.jpg) + +To see the Notebooks that your Azure AD account has access to, tap **More Notebooks** and select the Notebook you want to open. + +![see more notebooks](images/aadjonenote3.jpg) + +## Use Windows Store for Business + + +[Windows Store for Business](windows-store-for-business.md) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users. + +![company tab on store](images/aadjwsfb.jpg) + +  + +  + + + + + 
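Review bot: In the "Set up mail and calendar" section of this Azure AD join topic, the sentence "the user must provide credentials to establish a basic authentication connection to the Exchange server" should warn that Basic authentication sends the username and password in a Base64-encoded header that is trivially reversible, so the on-premises Exchange endpoint must only be reachable over HTTPS; as written it also undercuts the page's SSO message, since the user has just authenticated to Azure AD (possibly with a second factor) and is then asked to type a domain password into the Mail app, and a sentence explaining why on-premises mail cannot reuse the device's Azure AD token would help. Minor: in step 3 of the join procedure, "it would be seen here as well" should read "it is shown here as well".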
diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md new file mode 100644 index 0000000000..095f7b1bbf --- /dev/null +++ b/windows/manage/lock-down-windows-10-to-specific-apps.md 
@@ -0,0 +1,123 @@ +--- +title: Lock down Windows 10 to specific apps (Windows 10) +description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. +ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 +keywords: ["lockdown", "app restrictions", "applocker"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Lock down Windows 10 to specific apps + + +**Applies to** + +- Windows 10 + +Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. + +You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device. + +AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](../keep-secure/how-applocker-works-techref.md). + +This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. + +![install create lockdown customize](images/lockdownapps.png) + +## Install apps + + +First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. 
For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account. + +## Use AppLocker to set rules for apps + + +After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else. + +1. Run Local Security Policy (secpol.msc) as an administrator. + +2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. + + ![configure rule enforcement](images/apprule.png) + +3. Check **Configured** under **Executable rules**, and then click **OK**. + +4. Right-click **Executable Rules** and then click **Automatically generate rules**. + + ![automatically generate rules](images/genrule.png) + +5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. + +6. Type a name to identify this set of rules, and then click **Next**. + +7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules. + +8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps. + +9. Read the message and click **Yes**. + + ![default rules warning](images/appwarning.png) + +10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. + +11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**. + +12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run: + + ``` syntax + sc config appidsvc start=auto + ``` + +13. Restart the device. 
+ +## Other settings to lock down + + +In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device: + +- Remove **All apps**. + + Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**. + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. + + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + **Note**   + To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +   + +To learn more about locking down features, see [Customizations for Windows 10 Enterprise](http://go.microsoft.com/fwlink/p/?LinkId=691442). + +## Customize Start screen layout for the device + + +Configure the Start menu on the device to only show tiles for the permitted apps. 
You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). + +  + +  + + + + + diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md new file mode 100644 index 0000000000..ffe9e7c732 --- /dev/null +++ b/windows/manage/lock-down-windows-10.md @@ -0,0 +1,83 @@ +--- +title: Lock down Windows 10 (Windows 10) +description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. +ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D +keywords: ["lockdown"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Lock down Windows 10 + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
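Review bot: In lock-down-windows-10-to-specific-apps.md, the AppLocker procedure only marks the Executable rules collection as Configured (step 3), yet the topic's own statement that "If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run" means scripts, Windows Installer files, DLLs and packaged (Store) apps stay unrestricted; since the "Install apps" section explicitly covers Store apps, the steps should also configure and generate rules for the Packaged app Rules collection (and Script and Windows Installer rules for a real lockdown), or the topic should state plainly that only .exe files are controlled. Step 5's suggestion to "select C:\\ to analyze all apps" generates allow rules for every executable already on the disk, which defeats the allow-list intent; point the wizard at the specific app folders and review the result in step 11. Step 12's command needs a space after the equals sign, `sc config appidsvc start= auto` (sc.exe treats `start=` as the option name and `auto` as its value), and "on reset" should read "on restart".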
TopicDescription

[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)

You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.

[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)

Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)

Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)

IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)

Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.

+

The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.

[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

+ +  + +## Related topics + + +[Lockdown features from Windows Embedded Industry 8.1](../whats-new/lockdown-features-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md new file mode 100644 index 0000000000..4108cd3ae2 --- /dev/null +++ b/windows/manage/lockdown-xml.md 
@@ -0,0 +1,555 @@ +--- +title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) +description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. +ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Configure Windows 10 Mobile using Lockdown XML + + +**Applies to** + +- Windows 10 Mobile + +Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. + +This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. + +After you apply the lockdown settings, the lockdown configuration is stored in a wehlockdown.xml file on the device. + +For details on each of the configuration items, see the AssignedAccess/AssignedAccessXml section of the [EnterpriseAssignedAccess configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkID=618601). 
+ +## Order of lockdown settings + + +The configuration items must be in the following order when you lock down settings: + +- Default profile + - ActionCenter + - Apps + - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) + - App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map) + - PinToStart + - Size + - Location + - Buttons + - ButtonLockdownList + - Button name + - ButtonRemapList + - Button name + - Button event name + - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) + - CSPRunner + - SyncML + - MenuItems + - Disable menu items + - Settings + - System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md) + - Tiles + - Enable tile manipulation + - StartScreenSize +- RoleList + - Role (repeat for each role) + - ActionCenter + - Apps + - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) + - App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map) + - PinToStart + - Size + - Location + - Buttons + - ButtonLockdownList + - Button name + - ButtonRemapList + - Button name + - Button event name + - Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449) + - CSPRunner + - SyncML + - MenuItems + - Disable menu items + - Settings + - System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md) + - Tiles + - Enable tile manipulation + - StartScreenSize + +## Configuring multiple app packages + + +Multiple app packages enable multiple apps to exist inside the same package. 
Since product IDs identify packages and not applications, specifying a product ID is not enough to distinguish between individual apps inside a multiple app package. Trying to pin application tiles from a multiple app package with just a product ID can result in unexpected behavior. + +To support pinning applications in multiple app packages, an AUMID parameter can be specified in lockdown.xml. + +The following example shows how to pin both Outlook Mail and Outlook Calendar: + +``` + + + + + Large + + 1 + 4 + + + + + + + Large + + 1 + 6 + + + + +``` + +## Lockdown example to use in a lockdown XML file + + +The XML example can be used as a lockdown file that is contained in a provisioning package created in Windows Imaging and Configuration Designer (ICD). However, if you use MDM to push the lockdown file directly to devices, the XML example must use escaped characters for lockdown (such as < in place of <) as a result of XML embedded in XML. You can easily find an online escape tool to help you with this process. 
+ +``` + + + + + + + + + Large + + 0 + 0 + + + + + + + Small + + 0 + 2 + + + + + + + Medium + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID + + + int + + + 7 + + + + + + + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground + + + int + + + 1 + + + + + + + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName + + + chr + text/plain + + c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg + + + + + + + + + + + + + + + + + + + + + + + + + Small + + + + + + + + + Small + + 0 + 0 + + + + + + + Large + + 0 + 2 + + + + + + + + + + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID + + + int + + + 10 + + + + + + + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground + + + int + + + 0 + + + + + + + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName + + + chr + text/plain + + c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Small + + 0 + 0 + + + + + + + Small + + 1 + 0 + + + + + + + Medium + + 2 + 0 + + + + + + + + + Small + + 0 + 2 + + + + + + + Medium + + 2 + 2 + + + + + + + + + + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID + + + int + + + 2 + + + + + + + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground + + + int + + + 1 + + + + + + + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName + + + chr + text/plain + + c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg + + + + + + + + + + + + + + + + + + +``` + +## Add lockdown XML to a provisioning package + + +Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +1. 
Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project. + +2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. + +3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. + + ![browse button](images/icdbrowse.png) + +4. On the **File** menu, select **Save.** + +5. On the **Export** menu, select **Provisioning package**. + +6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +9. Click **Next**. + +10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +11. 
If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=619164). + +## Push lockdown XML using MDM + + +After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601). + +To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. + +## Related topics + + +[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) + +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) + +  + +  + + + + + diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md new file mode 100644 index 0000000000..c6bca23dc2 --- /dev/null +++ b/windows/manage/manage-access-to-private-store.md 
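Review bot: In lockdown-xml.md, both the "Lockdown example" introduction and the "Push lockdown XML using MDM" section illustrate escaping with "such as < in place of <", which reads as a no-op; the intended text is `&lt;` in place of `<` (with `&gt;` for `>`, `&amp;` for `&`, and `&quot;` for `"` inside attribute values), escaping `&` first so existing entities are not double-escaped. Recommend escaping locally with any XML library rather than "an online escape tool", since the file describes the device's security configuration. In the provisioning package steps, "Enable package signing" is presented as purely optional; for a package that applies assigned-access lockdown the text should recommend signing so the package's integrity can be verified when it is applied.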
@@ -0,0 +1,42 @@ +--- +title: Manage access to private store (Windows 10) +description: You can manage access to your private store in Windows Store for Business. +ms.assetid: 4E00109C-2782-474D-98C0-02A05BE613A5 +author: TrudyHa +--- + +# Manage access to private store + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can manage access to your private store in Windows Store for Business. + +Organizations might want control the set of apps that are available to their employees, and not show the full set of applications that are in the Windows Store. Using the private store with the Store for Business, an administrator can curate the set of apps that are available to their employees. + +The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this: + +![](images/wsfb-wsappprivatestore.png) + +Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy. + +You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md). + +## Related topics + + +[Distribute apps using your private store](distribute-apps-from-your-private-store.md) + +[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) + +  + +  + + + + + 
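Review bot: In manage-access-to-private-store.md, "Organizations might want control the set of apps" is missing "to" ("might want to control"). The paragraph on **ApplicationManagement/RequirePrivateStoreOnly** describes it as a policy to "show only the private store"; it should say explicitly that this limits what the Store app displays and is not an app-execution control, so a device that needs a hard restriction still needs AppLocker or the "Configure access to Windows Store" topic linked below. The image `![](images/wsfb-wsappprivatestore.png)` has empty alt text.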
diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/windows/manage/manage-apps-windows-store-for-business-overview.md new file mode 100644 index 0000000000..f763f788bf --- /dev/null +++ b/windows/manage/manage-apps-windows-store-for-business-overview.md @@ -0,0 +1,64 @@ +--- +title: Manage apps in Windows Store for Business (Windows 10) +description: Manage settings and access to apps in Windows Store for Business. +ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Manage apps in Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Manage settings and access to apps in Windows Store for Business. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Manage access to private store](manage-access-to-private-store.md)

You can manage access to your private store in Store for Business.

[App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)

You can manage all apps that you've acquired on your Inventory page.

[Manage private store settings](manage-private-store-settings.md)

The private store is a feature in the Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.

[Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)

For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.

+ +  + +  + +  + + + + + diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md new file mode 100644 index 0000000000..dca8bf4608 --- /dev/null +++ b/windows/manage/manage-corporate-devices.md 
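Review bot: In manage-apps-windows-store-for-business-overview.md, "managemement" is misspelled in both the link text "App inventory managemement for Windows Store for Business" and the target filename `app-inventory-managemement-windows-store-for-business.md`; fix both together (renaming the target file) so the link stays consistent.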
@@ -0,0 +1,130 @@ +--- +title: Manage corporate devices (Windows 10) +description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. +ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D +keywords: ["MDM", "device management"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Manage corporate devices + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. + +There are several options for managing Windows 10 on corporate-owned devices in an enterprise. + +## Identity and management options + + +Your employees using devices that are owned by the organization can connect to Active Directory or Azure Active Directory (Azure AD). Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. + +![choose active directory or azure ad for identity](images/identitychoices.png) + +### Active Directory join + +You can join a device running Windows 10 to an on-premises Active Directory domain after the first-run experience (sometimes called out-of-box experience or OOBE). You can add devices running Windows 10 to your existing Active Directory infrastructure and manage them just as you've always been used to managing PCs running Windows. + +Desktop devices running Windows 10 that are joined to an Active Directory domain can be managed using Group Policy and System Center 2012 R2 Configuration Manager. The following table shows the management support for Windows 10 in Configuration Manager. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Product versionWindows 10 support

[Microsoft System Center Configuration Manager Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=613622)

Client deployment, upgrade, and management with new and existing features

Configuration Manager and Configuration Manager SP1

Deployment, upgrade, and management with existing features

Configuration Manager 2007

Management with existing features

+ +  + +### Azure AD join + +Devices joined to Azure AD can be managed using Microsoft Intune or other mobile device management (MDM) solutions. MDM infrastructure for Windows 10 is consistent across device types. Configuration capabilities may vary based on device platform. + +![mdm options for mobile, desktop, and iot through device lifecycle](images/mdm.png) + +For flexibility in identity and management, you can combine Active Directory and Azure AD. Learn about [integrating Active Directory and Azure Active Directory for a hybrid identity solution](http://go.microsoft.com/fwlink/p/?LinkId=613209). + +## How setting conflicts are resolved + + +A device or user might receive policies from multiple sources, such as MDM, Exchange, or provisioning packages. In any policy conflict, the most secure policy value is applied. Policy settings take precedence over settings applied in a provisioning package. + +**Note**   +Provisioning packages can be applied either during device setup or after setup for runtime configuration. For more information about runtime provisioning packages, see [Configure devices without MDM](configure-devices-without-mdm.md). + +  + +When setting values that do not have a security implication conflict, last write wins. When settings are configured from both a provisioning package and another configuration source, the non-provisioning package configuration source has higher priority. + +![](images/configconflict.png) + +## MDM enrollment + + +Devices running Windows 10 include a built-in agent that can be used by MDM servers to enroll and manage devices. MDM servers do not need to create a separate agent or client to install on devices running Windows 10. + +For more information about the MDM protocols, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkID=533172). 
+ +## Learn more + + +[Windows 10, Azure AD and Microsoft Intune: Automatic MDM Enrollment](http://go.microsoft.com/fwlink/p/?LinkId=623321) + +[Microsoft Intune End User Enrollment Guide](http://go.microsoft.com/fwlink/p/?LinkID=617169) + +[Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkId=616791) + +[Azure AD support for Windows 10](http://go.microsoft.com/fwlink/p/?LinkID=615765) + +[Windows 10 and Azure Active Directory: Embracing the Cloud](http://go.microsoft.com/fwlink/p/?LinkId=615768) + +[How to manage Windows 10 devices using Intune](http://go.microsoft.com/fwlink/p/?LinkId=613620) + +[Using Intune alone and with Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=613207) + +Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=613208) + +## Related topics + + +[New policies for Windows 10](new-policies-for-windows-10.md) + +[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) + +[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) + +  + +  + + + + + diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md new file mode 100644 index 0000000000..f011f4fcae --- /dev/null +++ b/windows/manage/manage-cortana-in-enterprise.md 
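Review bot: In manage-corporate-devices.md, the "How setting conflicts are resolved" section states three rules that can contradict each other: "the most secure policy value is applied", "last write wins" for settings without a security implication, and "the non-provisioning package configuration source has higher priority"; it should spell out their order of evaluation, for example whether a provisioning package applied later can overwrite an MDM-delivered non-security setting or whether the provisioning-package rule is always applied first. The table's second row, "Configuration Manager and Configuration Manager SP1", omits the product version (the surrounding text refers to System Center 2012 R2 Configuration Manager). Minor: "running Windows 10 :" has a stray space before the colon, and `![](images/configconflict.png)` has no alt text.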
@@ -0,0 +1,73 @@ +--- +title: Cortana integration in your business or enterprise (Windows 10) +description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. +ms.assetid: db7b05da-186f-4628-806a-f8b134e2af2c +author: eross-msft +--- + +# Cortana integration in your business or enterprise +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. + +## Cortana integration with Office 365 +Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. + +But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they won’t be late. + +**More info:** + +- For specific info about what you need to know as a company administrator, including how to turn off Cortana with Office 365, see the [Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717378) support topic. + +- For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379). 
+ +## Cortana and Power BI +Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop. + +**More info:** + +- For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](http://go.microsoft.com/fwlink/p/?LinkId=717382) blog. + +## Cortana and Microsoft Dynamics CRM +Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. + +**More info:** +- For more info about Preview features, see [What are Preview features and how do I enable them?](http://go.microsoft.com/fwlink/p/?LinkId=746817). +- For more info about Cortana, see [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818). +- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819). + +## Cortana and privacy +We understand that there are concerns about Cortana and enterprise privacy, so we’ve put together the [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=717383) topic that covers many of the frequently asked questions. 
These questions include things such as what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. + +## Set up Cortana using Group Policy and MDM policies +Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies. + +|Group policy |MDM policy |Description | +|-------------|-----------|------------| +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Note**
Employees can still perform searches even with Cortana turned off. | +|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|None |System/AllowLocation |Specifies whether to allow app access to the Location service. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | +|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.

**Important**
Cortana won’t work if this setting is turned off (disabled). | + +**More info:** +- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). + +## Related topics +- [Cortana and Windows](http://go.microsoft.com/fwlink/p/?LinkId=717384) +- [Cortana for developers](http://go.microsoft.com/fwlink/p/?LinkId=717385) + +  + +  + + + + + diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md new file mode 100644 index 0000000000..835535ff36 --- /dev/null +++ b/windows/manage/manage-private-store-settings.md 
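Review bot: in manage-cortana-in-enterprise.md, three MDM policy names in the table contain stray spaces: `Privacy/AllowInput Personalization`, `Search/AllowSearchToUse Location` and `Search/SafeSearch Permissions`. The Policy CSP nodes are single tokens (`Privacy/AllowInputPersonalization`, `Search/AllowSearchToUseLocation`, `Search/SafeSearchPermissions`), and an admin who copies the names as written into an OMA-URI gets a setting that silently never applies. Two smaller points: "turn in on" in the Dynamics CRM section should read "turn it on", and the row for the negatively named "Don't search the web or display web results" policy says Cortana won't work when it is "turned off (disabled)"; for a "Don't ..." policy, "disabled" can mean either the policy state or the web search itself, so state explicitly which policy state (Enabled or Disabled) blocks Cortana.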
@@ -0,0 +1,50 @@ +--- +title: Manage private store settings (Windows 10) +description: The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. +ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Manage private store settings + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. + +The name of your private store is shown on a tab in the Windows Store. + +![](images/wsfb-wsappprivatestore.png) + +You can change the name of your private store in Store for Business. + +**To change the name of your private store** + +1. Sign in to Store for Business. + +2. Click **Settings**, and then choose **Private store**. + + You'll see your private store name. + + ![](images/wsfb-privatestore.png) + +3. Click **Change**. + +4. Type a new display name for your private store, and click **Save**. + + ![](images/wsfb-renameprivatestore.png) + +  + +  + + + + + diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md new file mode 100644 index 0000000000..488b0f26ab --- /dev/null +++ b/windows/manage/manage-settings-windows-store-for-business.md 
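Review bot: in manage-private-store-settings.md, `ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C` is uppercase, while the first hunks of this same patch exist only to lowercase `ms.assetid` values in existing files; lowercase the id here (and in the other new files that use uppercase ids) so the patch does not reintroduce what it normalizes. The three screenshots use `![](...)` with empty alt text; give each a short description, as the Wi-Fi Sense topic in this patch already does for its images.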
@@ -0,0 +1,56 @@ +--- +title: Manage settings for the Windows Store for Business (Windows 10) +description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. +ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Manage settings for the Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)

The Account information page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business

[Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)

Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups.

+ +  + +  + +  + + + + + diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/windows/manage/manage-users-and-groups-windows-store-for-business.md new file mode 100644 index 0000000000..8621faf1e6 --- /dev/null +++ b/windows/manage/manage-users-and-groups-windows-store-for-business.md 
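Review bot: in manage-settings-windows-store-for-business.md, the intro states "You can add users and groups", but the second table row (and the topic it links to) says roles can currently be assigned only to individuals, not to groups; reword the summary so it does not promise group-based assignment that the referenced topic rules out. Both the intro sentence ("...Azure Active Directory (AD) tenant") and the first table description ("...when signing up for Store for Business") also lack a terminating period.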
@@ -0,0 +1,56 @@ +--- +title: Manage user accounts in Windows Store for Business (Windows 10) +description: Windows Store for Business manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups. +ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Manage user accounts in Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. + +## Why Azure AD accounts? + + +For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and the Store for Business. + +Azure AD is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Azure AD identity and access management includes: + +- Single sign-on to any cloud and on-premises web app. + +- Works with multiple platforms and devices. + +- Integrate with on-premises Active Directory. + +For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611). + +## Add user accounts to your Azure AD directory + + +If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. 
That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-windows-store-for-business.md) + +You can use the [Office 365 admin dashboard](http://go.microsoft.com/fwlink/p/?LinkId=708616) or [Azure management portal](http://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](http://go.microsoft.com/fwlink/p/?LinkId=708617). + +For more information, see: + +- [Add user accounts using Office 365 admin dashboard](http://go.microsoft.com/fwlink/p/?LinkId=708618) + +- [Add user accounts using Azure management portal](http://go.microsoft.com/fwlink/p/?LinkId=708619) + +  + +  + + + + + diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md new file mode 100644 index 0000000000..f51da76256 --- /dev/null +++ b/windows/manage/manage-wifi-sense-in-enterprise.md 
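Review bot: in manage-users-and-groups-windows-store-for-business.md, "cloud domain join" in the "Why Azure AD accounts?" section is the only place in the patch that term appears; the linked material elsewhere in the patch calls the feature "Azure AD Join", so use one name. The three Azure AD capability bullets are not parallel ("Single sign-on to...", "Works with...", "Integrate with..."); rewrite them as matching noun phrases. The sentence that adding accounts to the directory grants no Store for Business access until a role is assigned is the key least-privilege point of the section and is correct; keep it, and consider moving it ahead of the directory-creation sentence so it is not read as an afterthought.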
@@ -0,0 +1,119 @@ +--- +title: Manage Wi-Fi Sense in your company (Windows 10) +description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. +ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271 +keywords: ["WiFi Sense", "Shared networks"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: eross-msft +--- + +# Manage Wi-Fi Sense in your company +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. + +The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. +

**Note**
Wi-Fi Sense isn’t available in all countries or regions. + +## How does Wi-Fi Sense work? +Wi-Fi Sense connects your employees to the available Wi-Fi networks, including: + +- **Open Wi-Fi networks.** Wi-Fi Sense uses crowdsourcing to find the networks that other Windows users are connected to. Typically, these are the open (no password required) Wi-Fi hotspots you see when you’re out and about. + +- **Shared Wi-Fi networks.** Wi-Fi Sense uses the Wi-Fi networks that your employee shares with Facebook friends, Outlook.com contacts, or Skype contacts. Sharing doesn’t happen automatically; an employee must connect to a network, enter the network password, and then choose the **Share network with my contacts** box before the network is shared. + +**Important**
Wi-Fi Sense lets your employees share your network access with their contacts, without telling their contacts the actual network password. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network. + +Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol. + +## How to manage Wi-Fi Sense in your company +In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense. +

**Important**
Turning off Wi-Fi Sense also turns off all related features, including: connecting automatically to open hotspots, connecting automatically to networks shared by contacts, and sharing networks with contacts. + +### Using Group Policy (available starting with Windows 10, version 1511) +You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor. + +**To set up Wi-Fi Sense using Group Policy** + +1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting. + + ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png) + +2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment. + +### Using the Registry Editor +You can manage your Wi-Fi Sense settings by using registry keys and the Registry Editor. + +**To set up Wi-Fi Sense using the Registry Editor** + +1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\` + +2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**. +

Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959). + + ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) + +### Using the Windows Provisioning settings +You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. + +**To set up Wi-Fi Sense using WiFISenseAllowed** + +- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**. +

Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). + +### Using Unattended Windows Setup settings +If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**. + +**To set up Wi-Fi Sense using WiFISenseAllowed** + +- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**. +

Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). + +### How employees can change their own Wi-Fi Sense settings +If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn the settings on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then changing one or both of these settings under **Wi-Fi Sense**: + +- Connect to suggested open hotspots + +- Connect to networks shared by my contacts + + ![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png) + +## Important considerations +Whether to allow your employees to share your password-protected Wi-Fi networks with their contacts to give them Internet access is completely up to you. However, if you decide to allow it, you should consider the following important info. + +### Network considerations +- Wi-Fi Sense is designed to block contacts given Internet access through your password-protected network from reaching your intranet sites and other devices or files on the shared network. + +- Network info can only be shared with contacts using Wi-Fi Sense on PCs running Windows 10 or phones running Windows 10 Mobile. Wi-Fi Sense won’t work with any other operating system. + +### Security considerations +- Your employees must be connected using a Microsoft account to use Wi-Fi Sense. + +- Your employees can’t pick individual contacts to share with. Instead, they must pick a group of contacts, such as their Skype contacts. In this case, all of the employee’s Skype contacts will be able to access the shared network. 
+ +- Wi-Fi Sense is designed to block contacts from seeing the Wi-Fi network password. For networks you choose to share access to, the password is sent over an encrypted connection, stored in an encrypted file on a Microsoft server, and then sent over an HTTPS connection to the contacts' PC or phone if they use Wi-Fi Sense. + +- Access is only shared with your employee’s contacts. Wi-Fi Sense doesn't share networks with the contact's contacts. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network. + +### Sharing considerations +- Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol. + +- Your employees can pick which Wi-Fi networks they want to share. The first time the employee connects to a password-protected Wi-Fi network, they’re presented with an option to share the network and to pick the contacts that should be given the info. + +## Related topics +- [Wi-Fi Sense FAQ](http://go.microsoft.com/fwlink/p/?LinkId=620911) +- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959) + +  + +  + + + + + diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md new file mode 100644 index 0000000000..7bc7dd8224 --- /dev/null +++ b/windows/manage/new-policies-for-windows-10.md 
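Review bot: in manage-wifi-sense-in-enterprise.md, "Security considerations" says employees "can't pick individual contacts to share with" and must share with a whole group such as all their Skype contacts, while "Sharing considerations" says they are offered an option "to pick the contacts that should be given the info"; these contradict each other on exactly the question an admin weighing the risk needs answered (who ends up with access to a password-protected network), so align the two lists. The provisioning and Unattend setting is spelled both `WiFISenseAllowed` and `WiFiSenseAllowed` within the same sections; use one spelling that matches the linked reference topics. The registry procedure documents only `AutoConnectAllowedOEM = 0`; say which value (or removing the value) re-enables the feature so the change is reversible, and "Wi-Fi sense features" should be "Wi-Fi Sense features" in the three repeated paragraphs.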
@@ -0,0 +1,96 @@ +--- +title: New policies for Windows 10 (Windows 10) +description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. +ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D +keywords: ["MDM", "Group Policy"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# New policies for Windows 10 + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. [Download the complete set of Administrative Template (.admx) files for Windows 10](http://go.microsoft.com/fwlink/p/?LinkID=625081). + +## New GPOs in Windows 10 + + +There are some new policy settings in Group Policy for devices running Windows 10 , such as: + +- Microsoft Edge browser settings + +- Universal Windows app settings, such as: + + - Disable deployment of Windows Store apps to non-system volumes + + - Restrict users' application data to always stay on the system volume + + - Allow applications to share app data between users + +- [Start screen and Start menu layout](customize-windows-10-start-screens-by-using-group-policy.md) + +- Windows Tips + +- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu + +- [Microsoft Passport](http://go.microsoft.com/fwlink/p/?LinkId=623294) + +- Windows Updates for Business + +For a spreadsheet of Group Policy settings included in Windows, see [Group Policy Settings Reference for Windows and Windows Server](http://go.microsoft.com/fwlink/p/?LinkId=613627). 
+ +## New MDM policies + + +Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile includes settings from Windows Phone 8.1, plus new or enhanced settings for Windows 10, such as: + +- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only) + +- Enhanced Bluetooth policies + +- Passport and Hello + +- Device update + +- Hardware-based device health attestation + +- [Kiosk mode](set-up-a-device-for-anyone-to-use.md), start screen, start menu layout + +- Security + +- [VPN](http://go.microsoft.com/fwlink/p/?LinkId=623295) and enterprise Wi-Fi management + +- Certificate management + +- Windows Tips + +- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu + +If you use Microsoft Intune for MDM, you can [configure custom policies](http://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkId=616317). + +No new [Exchange ActiveSync policies](http://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](http://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference. + +## Related topics + + +[Manage corporate devices](manage-corporate-devices.md) + +[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) + +[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) + +  + +  + + + + + diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/windows/manage/prerequisites-windows-store-for-business.md new file mode 100644 index 0000000000..b3d9b02599 --- /dev/null +++ b/windows/manage/prerequisites-windows-store-for-business.md 
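Review bot: in new-policies-for-windows-10.md, "No new Exchange ActiveSync policies." has no verb; make it a sentence ("There are no new ..."). "Windows 10 ," has a stray space before the comma, and "Windows Updates for Business" should be the product name "Windows Update for Business". In the MDM list, "Hardware-based device health attestation" and "Security" are unlinked while the neighbouring Kiosk mode and VPN items are linked; those two are the entries an enterprise security admin looks for first, so link them to their configuration service provider reference topics in the same way.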
@@ -0,0 +1,77 @@ +--- +title: Prerequisites for Windows Store for Business (Windows 10) +description: There are a few prerequisites for using Windows Store for Business. +ms.assetid: CEBC6870-FFDD-48AD-8650-8B0DC6B2651D +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Prerequisites for Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +There are a few prerequisites for using Windows Store for Business. + +## Prerequisites + + +You'll need this software to work with Store for Business. + +### Required + +- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. + +- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device. + +Microsoft Azure Active Directory (AD) accounts for your employees: + +- IT Pros need Azure AD accounts to sign up for Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses. + +- Employees need Azure AD accounts when they access Store for Business content from Windows-based devices. + +- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account. + +For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611). + +### Optional + +While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. 
If you're considering using management tools, check with the management tool vendor to see if they support Store for Business. The management tool will need to: + +- Integrate with the Windows 10 management framework and Azure AD. + +- Sync with the Store for Business inventory to distribute apps. + +### Proxy configuration + +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: + +- login.live.com + +- login.windows.net + +- account.live.com + +- clientconfig.passport.net + +- windowsphone.com + +- \*.wns.windows.com + +- \*.microsoft.com + +- \*.msftncsi.com/ncsi.txt + +  + +  + + + + + diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md new file mode 100644 index 0000000000..0dcbc397eb --- /dev/null +++ b/windows/manage/product-ids-in-windows-10-mobile.md 
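Review bot: in prerequisites-windows-store-for-business.md, the proxy allow list mixes host patterns with one host-plus-path entry, `*.msftncsi.com/ncsi.txt`; an allow list that matches on hostname cannot express a path, so either list the host alone or explain that the path is what the connectivity check fetches. `*.microsoft.com` admits every subdomain of microsoft.com, which is far wider than the Store endpoints; if narrower hosts are known, list them, and in any case state which protocols and ports the list assumes so admins do not open plain HTTP as well. "Windows 10, version 1511 running on a PC" also needs a comma after "1511".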
@@ -0,0 +1,260 @@ +--- +title: Product IDs in Windows 10 Mobile (Windows 10) +description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. +ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C +keywords: ["lockdown"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Product IDs in Windows 10 Mobile + + +**Applies to** + +- Windows 10 Mobile + +You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. + +## Apps included in Windows 10 Mobile + + +The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AppProduct IDAUMID
Alarms and clock44F7D2B4-553D-4BEC-A8B7-634CE897ED5FMicrosoft.WindowsAlarms_8wekyb3d8bbwe!App
CalculatorB58171C6-C70C-4266-A2E8-8F9C994F4456Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
CameraF0D8FEFD-31CD-43A1-A45A-D0276DB069F1Microsoft.WindowsCamera_8wekyb3d8bbwe!App
Contact Support0DB5FCFF-4544-458A-B320-E352DFD9CA2BWindows.ContactSupport_cw5n1h2txyewy!App
CortanaFD68DCF4-166F-4C55-A4CA-348020F71B94Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
ExcelEAD3E7C0-FAE6-4603-8699-6A448138F4DCMicrosoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
Facebook82A23635-5BD9-DF11-A844-00237DE2DB9EMicrosoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
File ExplorerC5E2524A-EA46-4F67-841F-6A9465D9D515c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
FM RadioF725010E-455D-4C09-AC48-BCDEF0D4B626N/A
Get StartedB3726308-3D74-4A14-A84C-867C8C735C3CMicrosoft.Getstarted_8wekyb3d8bbwe!App
Groove MusicD2B6A184-DA39-4C9A-9E0A-8B589B03DEC0Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
MapsED27A07E-AF57-416B-BC0C-2596B622EF7DMicrosoft.WindowsMaps_8wekyb3d8bbwe!App
Messaging27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
Microsoft Edge395589FB-5884-4709-B9DF-F7D558663FFDMicrosoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
Money1E0440F1-7ABF-4B9A-863D-177970EEFB5EMicrosoft.BingFinance_8wekyb3d8bbwe!AppexFinance
Movies and TV6AFFE59E-0467-4701-851F-7AC026E21665Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
News9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
OneDriveAD543082-80EC-45BB-AA02-FFE7F4182BA8Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
OneNoteCA05B3AB-F157-450C-8C49-A1F127F5E71DMicrosoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
Outlook Calendar

A558FEBA-85D7-4665-B5D8-A2FF9C19799B

Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar

Outlook Mail

A558FEBA-85D7-4665-B5D8-A2FF9C19799B

Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail

People60BE1FB8-3291-4B21-BD39-2221AB166481Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
Phone (dialer)F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7Microsoft.CommsPhone_8wekyb3d8bbwe!App
PhotosFCA55E1B-B9A4-4289-882F-084EF4145005Microsoft.Windows.Photos_8wekyb3d8bbwe!App
PodcastsC3215724-B279-4206-8C3E-61D1A9D63ED3Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
PowerpointB50483C4-8046-4E1B-81BA-590B24935798Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
Settings2A4E62D8-8809-4787-89F8-69D0F01654FB2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
SkypeC3F8E570-68B3-4D6A-BDBB-C0A3F4360A51Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
Skype Video27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!App
Sports0F4C8C7E-7114-4E1E-A84C-50664DB13B17Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
Storage5B04B775-356B-4AA0-AAF8-6491FFEA564DN/A
Store7D47D89A-7900-47C5-93F2-46EB6D94C159Microsoft.WindowsStore_8wekyb3d8bbwe!App
Voice recorder7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
Wallet587A4577-7868-4745-A29E-F996203F1462Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
Weather63C2A117-8604-44E7-8CEF-DF10BE3A57C8Microsoft.BingWeather_8wekyb3d8bbwe!App
Windows Feedback7604089D-D13F-4A2D-9998-33FC02B63CE3Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
Word258F115C-48F4-4ADB-9A68-1387E634459BMicrosoft.Office.Word_8wekyb3d8bbwe!microsoft.word
XboxB806836F-EEBE-41C9-8669-19E243B81B83Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
+ +  + +## Get product ID and AUMID for other apps + + +To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](http://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps. + +**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png) + +3. Tap **advanced**, and then **tap export to SD card**. + +4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app. + +## Related topics + + +[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) + +[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) + +  + +  + + + + + diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md new file mode 100644 index 0000000000..40b79a96a5 --- /dev/null +++ b/windows/manage/reset-a-windows-10-mobile-device.md 
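Review bot: the table gives the same product ID to two different apps in two places: Messaging and Skype Video both list 27E26F40-E031-48A6-B130-D1F20388991A, and Outlook Calendar and Outlook Mail both list A558FEBA-85D7-4665-B5D8-A2FF9C19799B, with only the AUMID differing. Since the Enterprise Assigned Access allow list is keyed by product ID (see the mobile kiosk topic in this same patch), allowing either app of a pair allows the other; the table should say that these pairs share one package and that the AUMID is what tells them apart. Minor: in step 3 the bold should cover only **export to SD card**, not the word "tap", and step 2 has no terminal period.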
@@ -0,0 +1,92 @@ +--- +title: Reset a Windows 10 Mobile device (Windows 10) +description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset. +ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Reset a Windows 10 Mobile device + + +**Applies to** + +- Windows 10 Mobile + +There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. + +- **Factory reset** restores the state of the device back to its first-boot state plus any update packages. The reset will not return device to the original factory state. To return the device to the original factory state, you must flash it with the original factory image.All the provisioning applied to the device by the enterprise will be lost and will need to be re-applied if needed. For details on what is removed or persists, see [Resetting a mobile device](http://go.microsoft.com/fwlink/p/?LinkID=703715). +- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](http://go.microsoft.com/fwlink/p/?LinkId=703716). + +You can trigger a reset using your mobile device management (MDM) service, or a user can trigger a reset in the user interface (UI) or by using hardware buttons. + +## Reset using MDM + + +The remote wipe command is sent as an XML provisioning file to the device. 
Since the [RemoteWipe configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkId=703714) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](http://go.microsoft.com/fwlink/p/?LinkId=703715). + +To perform a factory reset, restoring the device back to its out-of-box state, use the following syncML. + +``` + + + + 3 + + ./Vendor/MSFT/RemoteWipe/DoWipe + + + + + +``` + +To perform a "wipe and persist" reset, preserving the provisioning applied to the device before the reset and persisting data files locally, use the following syncML. + +``` + + + + 3 + + ./Vendor/MSFT/RemoteWipe/DoWipePersistProvisionedData + + + + + +``` + +## Reset using the UI + + +1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** + +2. When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if: + + - At least one provisioning package has been applied, or + - A file is present in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent. + + If the option to **Also remove provisioned content** is selected, the reset that ensues is a regular factory reset. If the option is not selected, a "wipe and persist" reset is performed. + +## Reset using hardware buttons + + +If your phone is unresponsive and you can't reach **Settings**, you may be able to reset your phone using the hardware buttons. Reset using hardware buttons does not give you the option to persist provisioned content. On Lumia phones (and some others), do the following to reset your phone: + +1. 
Press and hold the **Volume down** and **Power** buttons at the same time until you feel a vibration (about 10–15 seconds). + +2. When you feel the vibration, release the buttons, and then immediately press and hold the **Volume down** button until you see a large exclamation mark. + +3. When the exclamation mark appears, press the following four buttons in this order: **Volume up**, **Volume down**, **Power**, **Volume down**. Your phone should now reset and restart itself. (It might take a while for the reset to finish.) + +  + +  + + + + + diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md new file mode 100644 index 0000000000..fae343dfca --- /dev/null +++ b/windows/manage/roles-and-permissions-windows-store-for-business.md 
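Review bot: the "Reset using the UI" section should state that leaving **Also remove provisioned content** unchecked keeps every provisioning package and everything in \Data\SharedData\Enterprise\Persistent on the device, so a user who resets a phone before returning it or disposing of it has not removed enterprise data; suggest adding a sentence such as "Select **Also remove provisioned content** (a factory reset) before the device leaves the organization." Also: the front-matter description contains the literal text `\ 0034;` where quotation marks around "wipe and persist" were intended; "original factory image.All the provisioning" is missing a space and "will not return device" is missing "the"; and the two SyncML fences have no language tag (```xml).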
@@ -0,0 +1,223 @@ +--- +title: Roles and permissions in Windows Store for Business (Windows 10) +description: The first person to sign in to Windows Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. +ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Roles and permissions in Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +The first person to sign in to Windows Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. + +Store for Business has a set of roles that help admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Store for Business. Global user accounts have some permissions in the Store for Business. Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. + +### Global user account permissions in Store for Business + +This table lists the global user accounts and the permissions they have in the Store for Business. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Global AdministratorUser AdministratorBilling Administrator

Sign up for Store for Business

X

Assign roles

X

X

Modify company profile settings

X

Manage Store for Business settings

X

Acquire apps

X

X

Distribute apps

X

X

Sign policies and catalogs

X

+ +  + +- **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business, and assign Store for Business roles to other employees. + +- **User Administrator** - IT Pros with this account can assign Store for Business roles to other employees, as long as the User Administrator also has the Store for Business Admin role. + +- **Billing Administrator** - IT Pros with this account have the same permissions as the Store for Business Purchaser role. + +### Store for Business roles and permissions + +Store for Businesshas a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business. + +This table lists the roles and their permissions. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AdminPurchaserDevice Guard signer

Sign up for Store for Business

Assign roles

Modify company profile settings

Manage Store for Business settings

X

Acquire apps

X

X

Distribute apps

X

X

Sign policies and catalogs

X

Sign Device Guard changes

X

+ +  + +These permissions allow people to: + +- **Manage Store for Business settings** - Manage Store for Business settings: + + - Account information (view only) + + - Device Guard signing + + - LOB publishers + + - Management tools + + - Offline licensing + + - Permissions (view only) + + - Private store + +- **Acquire apps** - Acquire apps from Store for Business and add them to your inventory. + +- **Distribute apps** - Distribute apps that are in your inventory. You can distribute from inventory, private store, or management tool. + +**To assign roles to people** + +1. Sign in to Store for Business. + + **Note**   + You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page. + + To assign roles, you need to be a Global Administrator or a Store Administrator that is also a User Administrator. + +   + +2. Click **Settings**, and then choose **Permissions**. + + ![](images/wsfb-settings-permissions.png) + +3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** . + + ![](images/wsfb-permissions-assignrole.png) + +4. + + If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md) + +  + +  + + + + + diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md new file mode 100644 index 0000000000..32c891b331 --- /dev/null +++ b/windows/manage/set-up-a-device-for-anyone-to-use.md 
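Review bot: the roles topic repeats itself and carries wording errors: "give permissions to others employees" (front-matter description and first paragraph) should read "other employees"; the sentence "Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks..." appears twice in the opening paragraph and a third time under "Store for Business roles and permissions", where it is also run together as "Store for Businesshas"; keep one copy. In "To assign roles to people", step 4 is an empty list item with its text ("If you are not finding the name you want...") dropped to the following paragraph, and both screenshots have empty alt text. Since the Device Guard signer role can sign policies and catalogs and sign Device Guard changes, which decide what code managed devices will trust, the role list should advise granting it to as few accounts as possible.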
@@ -0,0 +1,86 @@ +--- +title: Set up a device for anyone to use (kiosk mode) (Windows 10) +description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 +keywords: ["kiosk", "lockdown", "assigned access"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Set up a device for anyone to use (kiosk mode) + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +**Looking for Windows Embedded 8.1 Industry information?** + +- [Assigned Access]( http://go.microsoft.com/fwlink/p/?LinkId=613653) + +You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. + +- A portable device that drivers can use to check a route on a map. + +- A device that a temporary worker uses to enter data. + +The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. + +**Note**   +A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. 
+ +  + +| Windows 10 edition | Universal Windows app | Classic Windows application | +|--------------------|------------------------------------|--------------------------------------| +| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | +| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | +| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | +| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | +| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | + +  + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.

[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)

A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.

+ +  + +  + +  + + + + + diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md new file mode 100644 index 0000000000..e4d8f2ceb8 --- /dev/null +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md 
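Review bot: the link `[Assigned Access]( http://go.microsoft.com/fwlink/p/?LinkId=613653)` has a space after the opening parenthesis, which some Markdown renderers treat as literal text rather than a link; remove it (the same link appears in set-up-a-kiosk-for-windows-10-for-desktop-editions.md in this patch). The "In this section" table is authored as raw HTML while the edition table just above it is a pipe table; use one form, and drop the runs of trailing non-breaking-space lines at the end of the file.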
@@ -0,0 +1,380 @@ +--- +title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) +description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Set up a kiosk on Windows 10 Pro, Enterprise, or Education + + +**Applies to** + +- Windows 10 + +**Looking for Windows Embedded 8.1 Industry information?** + +- [Assigned Access]( http://go.microsoft.com/fwlink/p/?LinkId=613653) + +A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). + +**Note**   +A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. + +  + +## Other settings to lock down + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +- Put device in **Tablet mode**. + + If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. 
+ + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Remove the power button from the sign-in screen. + + Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + **Note**   + To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +   + +## Assigned access method for Universal Windows apps + + +Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. 
You have these choices for setting up assigned access: + +- [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) - Windows 10 Pro, Enterprise, and Education + +- [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) - Windows 10 Enterprise and Education + +- [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) - Windows 10 Enterprise and Education + +- [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) - Windows 10 Pro, Enterprise, and Education + +### Requirements + +- A domain or local user account. + + The user account must have logged on at least once before you set up assigned access, or no apps will be available for that account. To set up assigned access using MDM, you need the user account (domain\\account). + +- A Universal Windows app that is installed for that account and is an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](http://go.microsoft.com/fwlink/p/?LinkId=708386). + + The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867). + + The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. + +**Note**   +Assigned access does not work on a device that is connected to more than one monitor. + +  + +### Set up assigned access in PC settings + +1. Go to **Start** > **Settings** > **Accounts** > **Other users**. + +2. Choose **Set up assigned access**. + +3. Choose an account. + +4. Choose an app. Only apps that can run above the lock screen will be displayed. + +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. 
+ +To remove assigned access, in step 3, choose **Don't use assigned access**. + +### Set up assigned access in MDM + +Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode. + +[Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867). + +[See the technical reference for the Assigned Access configuration service provider.](http://go.microsoft.com/fwlink/p/?LinkId=626608) + +### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +**Create a provisioning package for a kiosk device** + +1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +2. Choose **New provisioning package**. + +3. Name your project, and click **Next**. + +4. Choose **Common to all Windows desktop editions** and click **Next**. + +5. On **New project**, click **Finish**. The workspace for your package opens. + +6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. + +7. Enter a string to specify the user account and app (by AUMID). For example: + + "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" + +8. On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. 
In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +**Apply the provisioning package** + +1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. + +2. 
Consent to allow the package to be installed. + + After you allow the package to be installed, the settings will be applied to the device + +[Learn how to apply a provisioning package in audit mode or OOBE.](http://go.microsoft.com/fwlink/p/?LinkID=692012) + +### Set up assigned access using Windows PowerShell + +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. + +``` +Set-AssignedAccess -AppUserModelId -UserName +``` + +``` +Set-AssignedAccess -AppUserModelId -UserSID +``` + +``` +Set-AssignedAccess -AppName -UserName +``` + +``` +Set-AssignedAccess -AppName -UserSID +``` + +[Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867). + +[Learn how to get the SID](http://go.microsoft.com/fwlink/p/?LinkId=615517). + +### Set up automatic logon + +When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. + +Edit the registry to have an account automatically logged on. + +1. Open Registry Editor (regedit.exe). + + **Note**   + If you are not familiar with Registry Editor, [learn how to modify the Windows registry](http://go.microsoft.com/fwlink/p/?LinkId=615002). + +   + +2. Go to + + ****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**WindowsNT**\\**CurrentVersion**\\**Winlogon**** + +3. Set the values for the following keys. + + - *AutoAdminLogon*: set value as **1**. + + - *DefaultUserName*: set value as the account that you want logged in. + + - *DefaultPassword*: set value as the password for the account. + + **Note**   + If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + +   + + - *DefaultDomainName*: set value for domain, only for domain accounts. 
For local accounts, do not add this key. + +4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. + +### Sign out of assigned access + +To sign out of an assigned access account, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**Windows**\\**CurrentVersion**\\**Authentication**\\**LogonUI**** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +## Shell Launcher for Classic Windows applications + + +Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. + +### Requirements + +- A domain or local user account. + +- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. + +[See the technical reference for the shell launcher component.](http://go.microsoft.com/fwlink/p/?LinkId=618603) + +### Configure Shell Launcher + +To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. + +**To turn on Shell Launcher in Windows features** + +1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. +2. 
Select **Embedded Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. + +**To turn on Shell Launcher using DISM** + +1. Open a command prompt as an administrator. +2. Enter the following command. + + + + + + + + + + +
Dism /online /Enable-Feature /FeatureName:Client-EmbeddedShellLauncher
+ +**To set your custom shell** + +Modify the following PowerShell script as appropriate and run the script on the kiosk device. + +``` + $COMPUTER = "localhost" + $NAMESPACE = "root\standardcimv2\embedded" + + # Create a handle to the class instance so we can call the static methods. + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + + + # This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + + $Admins_SID = "S-1-5-32-544" + + # Create a function to retrieve the SID for a user account on a machine. + + function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + + } + + # Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. + + $Cashier_SID = Get-UsernameSID("Cashier") + + # Define actions to take when the shell program exits. + + $restart_shell = 0 + $restart_device = 1 + $shutdown_device = 2 + + # Examples + + # Set the command prompt as the default shell, and restart the device if it's closed. + + $ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + + # Display the default shell to verify that it was added correctly. + + $DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + + "`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + + # Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed. + + $ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + + # Set Explorer as the shell for administrators. + + $ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + + # View all the custom shells defined. 
+ + "`nCurrent settings for custom shells:" + Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + + # Enable Shell Launcher + + $ShellLauncherClass.SetEnabled($TRUE) + + "`nEnabled is set to " + $DefaultShellObject.IsEnabled() + + # Remove the new custom shells. + + $ShellLauncherClass.RemoveCustomShell($Admins_SID) + + $ShellLauncherClass.RemoveCustomShell($Cashier_SID) + ``` + +## Related topics + + +[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) + +[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) + +[Manage and update Windows 10](index.md) + +  + +  + + + + + diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md new file mode 100644 index 0000000000..bc918aae23 --- /dev/null +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
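Review bot: the registry path in "Set up automatic logon" is wrong: the Winlogon key is `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, with a space in "Windows NT"; as written ("WindowsNT"), a reader who creates the values by hand puts them under a key Winlogon never reads, and the quadruple-asterisk bolding around this path and the LogonUI path renders as literal asterisks. The same section should say that *DefaultPassword* is stored in cleartext under HKLM, where any local user can read it, so the autologon account must be a dedicated local account with no rights beyond the kiosk app; the Sysinternals Autologon tool, which stores the password as an LSA secret instead, is the safer option. In the Shell Launcher script, the comment "Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed" does not match the code, which passes `$restart_shell` (0) rather than `$restart_device` (1); and `$DefaultShellObject.IsEnabled()` is called on the object returned by GetDefaultShell(), which the script itself treats as carrying only Shell and DefaultAction, while the enabled state belongs to the class handle used for SetEnabled, so this should read `$ShellLauncherClass.IsEnabled()`. Minor: the script fence and the four Set-AssignedAccess fences have no language tag (```powershell), the DISM command is wrapped in an HTML table instead of a code block, and "Put device in" and "Hide Ease of access feature" are each missing "the".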
@@ -0,0 +1,193 @@ +--- +title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) +description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. +ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 +keywords: ["kiosk", "lockdown", "assigned access"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise + + +**Applies to** + +- Windows 10 Mobile + +A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. + +**Note**   +The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](http://go.microsoft.com/fwlink/p/?LinkId=708386). + +  + +## Apps Corner + + +Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. + +**To set up Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) + +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. 
Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. + +4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. + +5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. + +6. Press **Back** ![back](images/backicon.png) when you're done. + +**To use Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). + + **Tip**   + Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. + +   + +2. Give the device to someone else, so they can use the device and only the one app you chose. + +3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. + +## Enterprise Assigned Access + + +Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. + +**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. + +  + +### Set up Enterprise Assigned Access in MDM + +In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md). 
+ +[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](http://go.microsoft.com/fwlink/p/?LinkID=618601) + +### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + +**To create and apply a provisioning package for a kiosk device** + +1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601). + + **Note**   + Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + +   + +2. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +3. Choose **New provisioning package**. + +4. Name your project, and click **Next**. + +5. Choose **Common to all Windows mobile editions** and click **Next**. + +6. On **New project**, click **Finish**. The workspace for your package opens. + +7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**. + +8. Click **Browse** to select the *AssignedAccess*.xml file. + +9. On the **File** menu, select **Save.** + +10. On the **Export** menu, select **Provisioning package**. + +11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. 
+ + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +14. Click **Next**. + +15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: + + - Removable media (USB/SD) + + **To apply a provisioning package from removable media** + + 1. Copy the provisioning package file to the root directory on a micro SD card. + + 2. 
On the device, insert the micro SD card containing the provisioning package. + + 3. Go to **Settings** > **Accounts** > **Provisioning.** + + 4. Tap **Add a package**. + + 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. + + 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. + + 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + - Email + + **To apply a provisioning package sent in email** + + 1. Send the provisioning package in email to an account on the device. + + 2. Open the email on the device, and then double-tap the attached file. + + 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + - USB tether (mobile only) + + **To apply a provisioning package using USB tether** + + 1. Connect the device to your PC by USB. + + 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. + + 3. The provisioning package installation dialog will appear on the phone. + + 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. 
+ + [Learn how to apply a provisioning package in audit mode or OOBE.](http://go.microsoft.com/fwlink/p/?LinkID=692012) + +## Related topics + + +[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) + +[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) + +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) + +  + +  + + + + + diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md new file mode 100644 index 0000000000..35d9b8a61c --- /dev/null +++ b/windows/manage/settings-reference-windows-store-for-business.md 
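Review bot: The Windows ICD path in step 2 is wrong: `%windir%` expands to the Windows directory, so `%windir%\Program Files (x86)\Windows Kits\10\...` does not exist; use `%ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`. In step 12, "Enable package encryption" says an auto-generated password is shown but not what the reader should do with it, and none of the three apply procedures that follow mention a password; state whether it is needed to apply the package and that it must be recorded. Minor wording: "(You can name use any file name.)" should read "(You can use any file name.)", "will cause building the package fail" should be "will cause the package build to fail", and "what the package will do the device" (three occurrences) is missing "to".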
@@ -0,0 +1,41 @@ +--- +title: Settings reference Windows Store for Business (Windows 10) +description: The Windows Store for Business has a group of settings that admins use to manage the store. +ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Settings reference: Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +The Windows Store for Business has a group of settings that admins use to manage the store. + +| | | +|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Setting | Description | +| Account information | Provides info on these configured settings for your Store for Business account . These settings include: country or region, default domain, organization name, and language preference. You can make updates to these settings with Office 365 or Azure management portals. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md). | +| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | +| LOB publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). 
| +| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | +| Offline licensing | Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps.md). | +| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md). | +| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | + +  + +  + +  + + + + + diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md new file mode 100644 index 0000000000..09b88d9160 --- /dev/null +++ b/windows/manage/settings-that-can-be-locked-down.md 
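Review bot: The markdown table has an empty header row (`| | |`) with "Setting | Description" as its first data row, so the column names render as an ordinary row; make `| Setting | Description |` the header line above the `|---|---|` separator and drop the empty row. Also remove the stray space in "Store for Business account ." in the Account information row.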
@@ -0,0 +1,485 @@ +--- +title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10) +description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. +ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 +keywords: ["lockdown"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Settings and quick actions that can be locked down in Windows 10 Mobile + + +**Applies to** + +- Windows 10 Mobile + +This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. + +## Settings lockdown + + +You can use Lockdown.xml to configure lockdown settings. + +The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Main menuSub-menuPage name
SystemSettingsPageGroupPCSystem
DisplaySettingsPageDisplay
Notifications and actionsSettingsPageAppsNotifications
PhoneSettingsPageCalls
MessageSettingsPageMessaging
Battery saverSettingsPageBatterySaver
StorageSettingsPageStorageSenseStorageOverview
Device encryptionSettingsPageGroupPCSystemDeviceEncryption
Driving modeSettingsPageDrivingMode
Offline mapsSettingsPageMaps
AboutSettingsPagePCSystemInfo
DevicesSettingsPageGroupDevices
Default cameraSettingsPagePhotos
BluetoothSettingsPagePCSystemBluetooth
NFCSettingsPagePhoneNFC
MouseSettingsPageMouseTouchpad
USBSettingsPageUsb
Network and wirelessSettingsPageGroupNetwork
Cellular and simSettingsPageNetworkCellular
Wi-FiSettingsPageNetworkWiFi
Airplane modeSettingsPageNetworkAirplaneMode
Data usageSettingsPageDataSenseOverview
Mobile hotspotSettingsPageInternetSharing
VPNSettingsPageNetworkVPN
PersonalizationSettingsPageGroupPersonalization
StartSettingsPageBackGround
ColorsSettingsPageColors
SoundsSettingsPageSounds
Lock screenSettingsPageLockscreen
ThemeSettingsPageStartTheme
AccountsSettingsPageGroupAccounts
Your accountSettingsPageAccountsPicture
Sign-in optionsSettingsPageAccountsSignInOptions
Work accessSettingsPageAccountsWorkplace
Sync your settingsSettingsPageAccountsSync

Kid's corner

+

(disabled in Assigned Access)

SettingsPageKidsCorner

Apps corner

+

(disabled in Assigned Access)

SettingsPageAppsCorner
ProvisioningSettingsPageProvisioningPage
Time and languageSettingsPageGroupTimeRegion
Date and timeSettingsPageTimeRegionDateTime
LanguageSettingsPageTimeLanguage
RegionSettingsPageTimeRegion
KeyboardSettingsPageKeyboard
SpeechSettingsPageSpeech
Ease of accessSettingsPageGroupEaseOfAccess
NarratorSettingsPageEaseoOfAccessNarrator
MagnifierSettingsPageEaseoOfAccessMagnifier
High contractsSettingsPageEaseoOfAccessHighContrast
Closed captionsSettingsPageEaseoOfAccessClosedCaptioning
More optionsSettingsPageEaseoOfAccessMoreOptions
PrivacySettingsPageGroupPrivacy
LocationSettingsPagePrivacyLocation
CameraSettingsPagePrivacyWebcam
MicrophoneSettingsPagePrivacyMicrophone
MotionSettingsPagePrivacyMotionData
Speech inking and typingSettingsPagePrivacyPersonalization
Account infoSettingsPagePrivacyAccountInfo
ContactsSettingsPagePrivacyContacts
CalendarSettingsPagePrivacyCalendar
MessagingSettingsPagePrivacyMessaging
RadiosSettingsPagePrivacyRadios
Background appsSettingsPagePrivacyBackgroundApps
Accessory app0sSettingsPagePrivacyAccessories
Advertising IDSettingsPagePrivacyAdvertisingId
Other devicesSettingsPagePrivacyCustomPeripherals
Feedback and diagnosticsSettingsPagePrivacySIUFSettings
Update and securitySettingsPageGroupRestore
Phone updateSettingsPageRestoreMusUpdate
BackupSettingsPageRestoreOneBackup
Find my phoneSettingsPageFindMyDevice
For developersSettingsSystemDeveloperOptions
OEMSettingsPageGroupExtensibility
ExtensibilitySettingsPageExtensibility
+ +  + +## Quick actions lockdown + + +Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional. + +You can specify the quick actions as follows: + +``` syntax + + + + + + + + + + + + + + + +``` + +The following quick actions buttons are not conditional and will always be displayed: + +- QuickActions\_Launcher\_AllSettings +- SystemSettings\_Launcher\_QuickNote +- QuickActions\_Launcher\_DeviceDiscovery + +Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. + +**Note**   +Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. + +  + +The following table lists the dependencies between quick actions and Settings groups/pages. 
+ +| Quick action | Settings group | Settings page | +|------------------------------------------------------------|--------------------------------------------------|------------------------------------| +| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay | SettingsPageDisplay | +| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | +| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | +| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | +| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | +| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | +| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | +| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | +| SystemSettings\_Launcher\_QuickNote | N/A | N/A | +| SystemSettings\_Flashlight\_Toggle | N/A | N/A | +| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | +| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | +| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | +| QuickActions\_Launcher\_AllSettings | N/A | N/A | +| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | +| SystemSettings\_QuickAction\_Camera | N/A | N/A | + +  + +## Related topics + + +[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) + +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) + +  + +  + + + + + 
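Review bot: The quick action dependency table uses Settings group and page names that do not appear in the page-name table above (SettingsGroupCellular, SettingsGroupPrivacyLocationGlobals, BatterySaver_LandingPage_SettingsConfiguration), and it names the hotspot page "SettingsPageNetworkInternetSharing" where the page-name table lists "SettingsPageInternetSharing" for Mobile hotspot; reconcile the names so an admin building the allow list can cross-check them. Because the note states that dependent groups and pages are added to the allow list automatically whenever a quick action is specified, add a sentence telling admins to review the effective Settings allow list after adding quick actions, since each one silently widens what the locked-down user can reach. The code fence for the quick actions sample is tagged `syntax`, which is not a language; tag it `xml`. Typos: "High contracts" should be "High contrast", "Accessory app0s" should be "Accessory apps", and "EaseoOfAccess" appears in four page names (Narrator, Magnifier, High contrast, Closed captions, More options) and should be verified against the real identifier before merge.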
diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md new file mode 100644 index 0000000000..45cf03f80d --- /dev/null +++ b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -0,0 +1,53 @@ +--- +title: Sign code integrity policy with Device Guard signing (Windows 10) +description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. +ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Sign code integrity policy with Device Guard signing + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. + +## Sign your code integrity policy + + +Before you get started, be sure to review these best practices: + +**Best practices** + +- Test your code integrity policies on a group of devices before deploying them to a large group of devices. + +- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx). + +**To sign a code integrity policy** + +1. Sign in to the Windows Store for Business + +2. Click **Settings**, and then choose **Device Guard signing**. + +3. Click **Upload** to upload your code integrity policy. + +4. After the files are uploaded, click **Sign** to sign the code integrity policy. + +5. Click **Download** to download the signed code integrity policy. + + When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. + +  + +  + + + + + 
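Review bot: The best-practice bullet refers to "rule options 9 and 10" by number only, without naming them or saying they are testing options that should be removed from the policy before it is signed for production; this matters because the note after step 5 states that a signed policy cannot be modified, so a test option signed in by mistake requires a full re-sign to remove. Name the options inline and add "remove these options before signing the production policy". Step 1 ("Sign in to the Windows Store for Business") is missing its period.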
diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md new file mode 100644 index 0000000000..382b317a88 --- /dev/null +++ b/windows/manage/sign-up-windows-store-for-business-overview.md @@ -0,0 +1,64 @@ +--- +title: Sign up and get started (Windows 10) +description: IT admins can sign up for the Windows Store for Business, and get started working with apps. +ms.assetid: 87C6FA60-3AB9-4152-A85C-6A1588A20C7B +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Sign up and get started + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +IT admins can sign up for the Windows Store for Business, and get started working with apps. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)

There are a few prerequisites for using Store for Business.

[Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)

Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process.

[Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)

The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.

[Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)

The Store for Business has a group of settings that admins use to manage the store.

+ +  + +  + +  + + + + + diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md new file mode 100644 index 0000000000..bbbb7df639 --- /dev/null +++ b/windows/manage/sign-up-windows-store-for-business.md 
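Review bot: The Roles and permissions description reads "give permissions to others employees"; it should be "other employees".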
@@ -0,0 +1,99 @@ +--- +title: Sign up for Windows Store for Business (Windows 10) +description: Before you sign up for Windows Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. +ms.assetid: 296AAC02-5C79-4999-B221-4F5F8CEA1F12 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Sign up for Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Before you sign up for Windows Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process. + +## Sign up for Store for Business + + +Before signing up for the Store for Business, make sure you're the global administrator for your organization. + +**To sign up for the Store for Business** + +1. Go to [https://www.microsoft.com/business-store](http://go.microsoft.com/fwlink/p/?LinkId=691845), and click **Sign up**. + + - If you start the Store for Business sign up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome). + + + + - If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms. + + ![](images/wsfb-landing.png) + + **To sign up for Azure AD accounts through Office 365 for Business** + + - Signing up for Store for Business will create an Azure AD directory and global administrator account for you. There are just a few steps. + + Step 1: About you. 
+ + Type the required info and click **Next.** + + ![](images/wsfb-onboard-1.png) + + - Step 2: Create an ID. + + We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**. + + ![](images/wsfb-onboard-2.png) + + - Step 3: You're in. + + Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code + + ![](images/wsfb-onboard-3.png) + + - Verification. + + Type your verification code and click **Create my account**. + + ![](images/wsfb-onboard-4.png) + + - Save this info. + + Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**. + + ![](images/wsfb-onboard-5.png) + + - At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business. + +2. Sign in with your Azure AD account. + + ![](images/wsfb-onboard-7.png) + +3. Read through and accept Store for Business terms. + +4. Welcome to the Store for Business. Click **Next** to continue. + + ![](images/wsfb-firstrun.png) + +### Next steps + +After signing up for Store for Business, you can: + +- **Add users to your Azure AD directory**. If you created your Azure AD directory during Store for Business sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store. For more information, see [Manage user accounts in Store for Business](manage-users-and-groups-windows-store-for-business.md). + +- **Assign roles to employees**. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md). + +  + +  + + + + + diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md new file mode 100644 index 0000000000..a8e3f58f0b --- /dev/null 
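Review bot: "Step 1: About you." is plain text while "Step 2: Create an ID.", "Step 3: You're in.", "Verification." and "Save this info." are bullet items, so the first step renders outside the list; make it a bullet like the others. The sentence "We'll send you a verification code" in Step 3 is missing its period.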
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md 
@@ -0,0 +1,100 @@ +--- +title: Configure access to Windows Store (Windows 10) +description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. +ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Configure access to Windows Store + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. + +## Options to configure access to Windows Store + + +You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. + +## Block Windows Store using AppLocker + + +Applies to: Windows 10 Enterprise, Windows 10 Mobile + +AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. + +For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md). + +**To block Windows Store using AppLocker** + +1. Type secpol in the search bar to find and start AppLocker. + +2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**. + +3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. + +4. On **Before You Begin**, click **Next**. + +5. 
On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. + +6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**. + +7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**. + + [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules. + +8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. + +## Block Windows Store using Group Policy + + +Applies to: Windows 10 Enterprise, version 1511 + +You can also use Group Policy to manage access to Windows Store. + +**To block Windows Store using Group Policy** + +1. Type gpedit in the search bar to find and start Group Policy Editor. + +2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**. + +3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**. + +4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. + +## Block Windows Store using management tool + + +Applies to: Windows 10 Mobile + +If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app. 
+ +When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app: + +- [Policy](http://go.microsoft.com/fwlink/p/?LinkId=717030) + +- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only) + +For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). +## Related topics + + +[Distribute apps using your private store](distribute-apps-from-your-private-store.md) + +[Manage access to private store](manage-access-to-private-store.md) + +  + +  + + + + + diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md new file mode 100644 index 0000000000..0c9404bb5a --- /dev/null +++ b/windows/manage/troubleshoot-windows-store-for-business.md 
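Review bot: The AppLocker procedure stops at step 8 with "Click **Next**" and never reaches the Name and Description page or the **Create** button, so a reader following it will not actually create the rule; add the final step. The in-page link "[AppLocker](#block-store-applocker)" in the management tool section does not match the heading "Block Windows Store using AppLocker", whose generated anchor is "#block-windows-store-using-applocker", so the link is dead. Style: the stray space in "**Administrative Templates** ," should be removed, and "## Related topics" needs a blank line after the preceding sentence, or the heading will not render.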
@@ -0,0 +1,59 @@ +--- +title: Troubleshoot Windows Store for Business (Windows 10) +description: Troubleshooting topics for Windows Store for Business. +ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Troubleshoot Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Troubleshooting topics for Windows Store for Business. + +## Can't find apps in private store + + +The private store for your organization is a page in the Windows Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check: + +- **No apps in the private store** - The private store page is only available in the Windows Store app if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on the **Inventory** page. If the status is **Add in progress**, wait and check back. + +- **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account. + +**To sign in with organization account in Windows Store app** + +1. Click the people icon in Windows Store app, and click **Sign in**. + + ![](images/wsfb-wsappsignin.png) + +2. Click **Add account**, and then click **Work or school account**. + + ![](images/wsfb-wsappaddacct.png) + +3. Type the email account and password, and click **Sign in**. 
+ + ![](images/wsfb-wsappworkacct.png) + +4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**. + + ![](images/wsfb-wsappprivatestore.png) + + Click the private store to see apps in your private store. + + ![](images/wsfb-privatestoreapps.png) + +  + +  + + + + + diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md new file mode 100644 index 0000000000..04f6c8e8a7 --- /dev/null +++ b/windows/manage/update-windows-store-for-business-account-settings.md 
@@ -0,0 +1,54 @@ +--- +title: Update Windows Store for Business account settings (Windows 10) +description: The Account information page in Windows Store for Business shows information about your organization that you can update, including country or region, organization name, default domain, and language preference. +ms.assetid: CEFFF451-D7D2-4A35-AF28-4A72B9582585 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Update Windows Store for Business account settings + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +The **Account information** page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business + +If you need to change any of these settings, you can use Office 365 admin portal, or Azure admin portal. + +**To make updates to Store for Business directory settings in Office 365** + +1. [Sign in to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=708616) with your work or school account. + +2. Go to the [Office 365 admin center](http://go.microsoft.com/fwlink/p/?LinkId=708620). + +3. Select your organization's name on the right side of the page. + +4. Change the information you want to update, and then click **Save.** + +For more information about updating organization information, see [Change your organization's address, technical contact email, and other information](http://go.microsoft.com/fwlink/p/?LinkId=708621). + +**To make updates to Store for Business directory settings in Azure management portal** + +1. Sign in to the Azure Portal as Administrator. + +2. Click **Active Directory**. + +3. On the **Directory** tab, choose your directory + +4. Click the **Configure** tab. 
+ +For more information about updating organization information, see [Add your own domain name in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=708622). + +  + +  + + + + + diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md new file mode 100644 index 0000000000..0e347899ad --- /dev/null +++ b/windows/manage/windows-10-mobile-and-mdm.md 
@@ -0,0 +1,1472 @@ +--- +title: Windows 10 Mobile and mobile device management (Windows 10) +description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. +ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E +keywords: ["telemetry", "BYOD", "MDM"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: AMeeus +--- + +# Windows 10 Mobile and mobile device management + + +**Applies to** + +- Windows 10 Mobile + +This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile. + +Bring Your Own Device (BYOD—that is, personal devices) and corporate devices are key scenarios that Windows 10 Mobile MDM capabilities support. The operating system offers a flexible approach to registering devices with directory services and MDM systems, and IT organizations can provision comprehensive device-configuration profiles based on their company’s need to control and secure mobile business data. + +Windows 10 Mobile not only delivers more comprehensive, restrictive configuration settings than Windows Phone 8.1 did but also provides capabilities to deploy and manage apps built on the Universal Windows Platform (UWP). Companies can distribute apps directly from Windows Store or by using their MDM system. They can control and distribute custom line-of-business (LOB) apps the same way. + +## Overview + + +Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. 
IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client. + +### Built-in MDM client + +The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management. + +- **Device enrollment.** Users can enroll in the MDM system. On Windows 10, a user can register a device with Microsoft Azure Active Directory (Azure AD) and enroll in an MDM system at the same time so that the system can manage the device, the apps running on it, and the confidential data it holds. Enrollment establishes the management authority for the device. Only one management authority (or MDM enrollment) is possible at a time, which helps prevent unauthorized access to devices and ensures their stability and reliability. + +- **Device management.** The MDM client allows the MDM system to configure policy settings; deploy apps and updates; and perform other management tasks, such as remotely wiping the device. The MDM system sends configuration requests and collects inventory through the MDM client. The client uses [configuration service providers (CSPs)](http://go.microsoft.com/fwlink/p/?LinkId=734049) to configure and inventory settings. A CSP is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. 
(The security architecture of Windows 10 Mobile prevents direct access to registry settings and operating system files. For more information, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md).) + +The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050). + +### Windows 10 Mobile editions + +Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system: + +- **Ability to postpone software updates.**Windows 10 Mobile gets software updates directly from Windows Update, and you cannot curate updates prior to deployment. Windows 10 Mobile Enterprise, however, allows you to curate and validate updates prior to deploying them. + +- **No limit on the number of self-signed LOB apps that you can deploy to a single device.** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates. You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device, more than 20 if your organization’s devices run Windows 10 Mobile Enterprise. 
+ +- **Set telemetry to security level.** The telemetry security level configures the operating system to gather only the telemetry information required to keep devices secured. + +**Note**   +Your organization can opt to purchase a code signing certificate from Verisign to sign LOB apps or use [Windows Store for Business](windows-store-for-business.md) to obtain apps. With either method, you can distribute more than 20 apps to a single device without activating Windows 10 Mobile Enterprise on that device by using your MDM system. + +  + +To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal. + +### Lifecycle management + +Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features. + +![figure 1](images/win10-mobile-mdm-fig1.png) + +Figure 1. Device management lifecycle + +## Device deployment + + +Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios: + +1. Companies allow users to personalize their devices because the users own the devices or because company policy doesn’t require tight controls (defined as *personal devices* in this guide). + +2. 
Companies don’t allow users to personalize their devices or they limit personalization, usually because the organization owns the devices and security considerations are high (defined as *corporate devices* in this guide). + +Often, employees can choose devices from a list of supported models, or companies provide devices that they preconfigure, or bootstrap, with a baseline configuration. + +Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices. + +### Deployment scenarios + +Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile. + +Table 1. Characteristics of personal and corporate device scenarios + + +++++ + + + + + + + + + + + + + + + + + + + + + + +
Personal devicesCorporate devices
OwnershipUserOrganization
Primary usePersonalWork
DeploymentThe primary identity on the device is a personal identity. A Microsoft account is the default option for Windows 10 Mobile.The primary identity on the device is an organizational identity. An Azure AD account is the default option for Windows 10 Mobile.
+ +  + +### Identity management + +People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations): + +- **Personal identity.** In this scenario, employees use their Microsoft account to activate the device. Then, they use their Azure AD account (organizational identity) to register the device in Azure AD and enroll it with the company’s MDM solution. You can apply policies to help protect and contain corporate apps and data on the devices, designed to prevent intellectual property leaks, but users keep full control over personal activities, such as downloading and installing apps and games. + +- **Organizational identity.** In this scenario, employees use their Azure AD account to register the device to Azure AD and automatically enroll it with the organization’s MDM solution. In this case, companies can block personal use of devices. Using organizational Identities to initialize devices gives organizations complete control over devices and allows them to prevent personalization. + +Table 2. Personal vs. organizational identity + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Personal identityCorporate identity
First account on the deviceMicrosoft accountAzure AD account
Device sign-inUsers cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft account.Users can unlock devices with an Azure AD account. Organizations can block the addition of a personal identity.
User settings and data roaming across devicesUser and app settings roam across devices activated with the same personal identity over personal OneDrive.Windows 10 Mobile currently does not support users and app settings roaming over the enterprise cloud. It can block the roaming of personal cloud settings.
Ability to block the use of a personal identity on the deviceNoYes
Level of control

Organization can apply most* restrictive policies to devices, but they cannot remove the Microsoft account from them. Device users can reclaim full control over their devices by un-enrolling them from the organization’s MDM solution.

+
+Note   +

* MDM functionality on personal devices might be limited in the future.

+
+
+  +
Organizations are free to apply the restrictive policies to devices that policy standards and compliance regulations require and prevent the user from un-enrolling the device from the enterprise.
+ +  + +### Infrastructure requirements + +For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system. + +Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid solution. Azure AD has three editions: Free, Basic, and Premium (see [Azure Active Directory editions](http://go.microsoft.com/fwlink/p/?LinkId=723980)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. Organizations that use Microsoft Office 365 or Intune are already using Azure AD. + +**Note**   +Most industry-leading MDM vendors already support integration with Azure AD or are working on integration. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://go.microsoft.com/fwlink/p/?LinkId=723981). + +  + +Users can enroll Windows 10 Mobile devices in third-party MDM systems without using an Azure AD organizational account. (By default, Intune uses Azure AD and includes a license). If your organization doesn’t use Azure AD, you must use a personal identity to activate devices and enable common scenarios, such as downloading apps from Windows Store. + +Multiple MDM systems that support Windows 10 Mobile are available. Most support personal and corporate device deployment scenarios. Microsoft offers [Intune](http://go.microsoft.com/fwlink/p/?LinkId=723983), which is part of the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) and a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management, so employees use the same credentials to enroll devices in Intune or sign in to Office 365. 
Intune supports devices that run other operating systems, as well, such as iOS and Android, to provide a complete MDM solution. + +You can also integrate Intune with System Center Configuration Manager to gain a single console in which to manage all devices—in the cloud and on premises. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=734051). For guidance on choosing between a stand-alone Intune installation and Intune integrated with Configuration Manager, see [Choose between Intune by itself or integrating Intune with System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=723985). + +In addition to Intune, other MDM providers support Windows 10 Mobile. Currently, the following MDM systems claim to support Windows 10 and Windows 10 Mobile: [AirWatch](http://go.microsoft.com/fwlink/p/?LinkId=723986), [Citrix](http://go.microsoft.com/fwlink/p/?LinkId=723987), [Lightspeed Systems](http://go.microsoft.com/fwlink/p/?LinkId=723988), [Matrix42](http://go.microsoft.com/fwlink/p/?LinkId=723989), [MobileIron](http://go.microsoft.com/fwlink/p/?LinkId=723990), [SAP](http://go.microsoft.com/fwlink/p/?LinkId=723991), [SOTI](http://go.microsoft.com/fwlink/p/?LinkId=723992), and [Symantec](http://go.microsoft.com/fwlink/p/?LinkId=723993). + +All MDM vendors have equal access to the [Windows 10 MDM APIs](http://go.microsoft.com/fwlink/p/?LinkId=734050). The extent to which they implement these APIs depends on the vendor. Contact your preferred MDM vendor to determine its level of support. + +**Note**   +Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. + +In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. 
MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (for example, passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052). + +  + +### Provisioning + +Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. + +To assist users with MDM system enrollment, use a provisioning package. To do so, use the [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) to create a provisioning package, and then install that package on the device. + +Users can perform self-service MDM enrollment based on the following deployment scenarios: + +- **Corporate device.** During the out-of-the-box experience (OOBE), you can instruct the user to select **This device is owned by my organization** and join the device to Azure AD and the MDM system. + +- **Personal device.** The user activates the device with a Microsoft account, but you can instruct him or her to register the device with Azure AD and enroll in Intune. To do so in Windows 10 Mobile, the user clicks, **Settings**, clicks **Accounts**, and then clicks **Work access**. + +To automate MDM enrollment, use provisioning packages as follows: + +- **Corporate device.** You can create a provisioning package and apply it to a corporate device before delivery to the user, or instruct the user to apply the package during OOBE. 
After application of the provisioning package, the OOBE process automatically chooses the enterprise path and requires the user to register the device with Azure AD and enroll it in the MDM system. + +- **Personal device.** You can create a provisioning package and make it available to users who want to enroll their personal device in the enterprise. The user enrolls the device in the corporate MDM for further configuration by applying the provisioning package. To do so in Windows 10 Mobile, the user clicks **Settings**, clicks **Accounts**, and then clicks **Provisioning**). + +Distribute provisioning packages to devices by publishing them in an easily accessible location (e.g., an email attachment or a web page). You can cryptographically sign or encrypt provisioning packages and require that the user enter a password to apply them. + +See [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=734054) for more information on creating provisioning packages. + +## Device configuration + + +The following sections describe the device configuration capabilities of the built-in Windows 10 Mobile MDM client. This client exposes the capabilities to any MDM system compatible with Windows 10. Configurable settings include: + +- [Email accounts](#email) + +- [Account restrictions](#restrictions) + +- [Device lock restrictions](#device-lock) + +- [Hardware restrictions](#hardware) + +- [Certificate management](#certificate) + +- [Wi-Fi](#wifi) + +- [Proxy](#proxy) + +- [Virtual private network (VPN)](#vpn) + +- [Access point name (APN) profiles](#apn) + +- [Data leak prevention](#data) + +- [Storage management](#storage) + +**Note**   +Although all the MDM settings this section describes are available in Windows 10 Mobile, not all MDM systems may show them in their user interface. In addition, naming may vary among MDM systems. Consult your MDM system’s documentation for more information. 
+ +  + +### Email accounts + +You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario. + +This capability extends to email systems that use EAS. Table 3 lists settings that you can configure in EAS email profiles. + +Table 3. Windows 10 Mobile settings for EAS email profiles + +| Setting | Description | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Email Address | The email address associated with the EAS account | +| Domain | The domain name of the Exchange Server instance | +| Account Name | A user-friendly name for the email account on the device | +| Password | The password for the email account | +| Server Name | The server name that the email account uses | +| User Name | The user name for the email account | +| Calendar Age Filter | The age of calendar items to be synchronized with the device (for example, synchronizing calendar items within the past 7 days) | +| Logging | The level of diagnostic logging | +| Mail Body Type | The email body format type: text, HTML, RTF, or Multipurpose Internet Mail Extensions | +| Mail HTML Truncation | The maximum size of an HTML-formatted email message before the message is synchronized to the device (Any HTML-formatted email message that exceeds this size is automatically truncated.) | +| Mail Plain Text Truncation | The maximum size of a text-formatted email message before the message is synchronized to the device (Any text-formatted email message that exceeds this size is automatically truncated.) 
| +| Schedule | The schedule for synchronizing email between the Exchange Server instance and the device | +| Use SSL | Establishes whether Secure Sockets Layer (SSL) is required when syncing | +| Mail Age Filter | The age of messages to be synchronized with the device (for example, synchronizing messages within the past 7 days) | +| Content Types | The content type that is synchronized (e.g., email, contacts, calendar, task items) | + +  + +Table 4 lists settings that you can configure in other email profiles. + +Table 4. Windows 10 Mobile settings for other email profiles + +| Setting | Description | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------| +| User logon name | The user logon name for the email account | +| Outgoing authentication required | Whether the outgoing server requires authentication | +| Password | The password for the account in the **User logon name** field | +| Domain | The domain name for the account in the **User logon name** field | +| Days to download | How much email (measured in days) should be downloaded from the server | +| Incoming server | The incoming server name and port number, where the value format is *server\_name:port\_number* (The port number is optional.) | +| Send and receive schedule | The length of time (in minutes) between email send-and-receive updates | +| IMAP4 maximum attachment size | The maximum size for message attachments for Internet Message Access Protocol version 4 (IMAP4) accounts | +| Send mail display name | The name of the sender displayed on a sent email | +| Outgoing server | The outgoing server name and port number, where the value format is *server\_name:port\_number* (The port number is optional.) 
| +| Reply address | The user’s reply email address | +| Email service name | The name of the email service | +| Email service type | The email service type (for example, POP3, IMAP4). | +| Maximum receive message size | The maximum size (in bytes) of messages retrieved from the incoming email server (Messages that exceed this size are truncated to the maximum size.) | +| Delete message action | How messages are deleted on the server (Messages can either be permanently deleted or sent to the Trash folder.) | +| Use cellular only | Whether the account should be used only with cellular connections and not Wi-Fi connections | +| Content types to synchronize | The content types supported for synchronization (in other words, mail messages, contacts, calendar items) | +| Content synchronization server | The name of the content synchronization server, if it’s different from the email server | +| Calendar synchronization server | The name of the calendar synchronization server, if it’s different from the email server | +| Contact server requires SSL | Whether the contact server requires an SSL connection | +| Calendar server requires SSL | Whether the calendar server requires an SSL connection | +| Contact items synchronization schedule | The schedule for syncing contact items | +| Calendar items synchronization schedule | The schedule for syncing calendar items | +| Alternative SMTP email account | The display name associated with a user’s alternative Simple Mail Transfer Protocol (SMTP) email account | +| Alternate SMTP domain name | The domain name for the user’s alternative SMTP email account | +| Alternate SMTP account enabled | Whether the user’s alternative SMTP account is enabled | +| Alternate SMTP password | The password for the user’s alternative SMTP account | +| Incoming and outgoing servers require SSL | A group of properties that specify whether the incoming and outgoing email servers use SSL | + +  + +### Account restrictions + +On a corporate device 
registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices. + +Table 5. Windows 10 Mobile account management settings + +| Setting | Description | +|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Allow Microsoft Account | Specifies whether users are allowed to add a Microsoft account to the device after MDM enrollment and use this account for connection authentication and services, such as purchasing apps in Windows Store, or cloud-based consumer services, such as Xbox or Groove. If a device was activated with a Microsoft account, the MDM system would not be able to block that account from being used. | +| Allow Adding Non Microsoft Accounts | Specifies whether users are allowed to add email accounts other than Microsoft accounts after MDM enrollment. If **Allow Microsoft Account** is applied, user can also not use a Microsoft account. | +| Allow “Your Account” | Specifies whether users are able to change account configuration in the **Your Email and Accounts** panel in Settings. | + +  + +### Device lock restrictions + +It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. 
[Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports. + +**Note**   +In addition to the device lock restrictions discussed in this section, Windows 10 supports Microsoft Passport for Work, which lets you access apps and services without a password. + +  + +Table 6 lists the MDM settings in Windows 10 Mobile that you can use to configure device lock restrictions. + +Table 6. Windows 10 Mobile device lock restrictions + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
Device Password Enabled

Specifies whether users are required to use a device lock password

+
+Note   +

+
    +
  • When a device is registered with Azure AD and automatic MDM enrollment is not configured, the user will automatically be prompted to set a password PIN of at least six digits (simple PINs are not allowed).

  • +
  • If the device is capable of using biometric authentication, the user will be able to enroll an iris or other biometric gesture (depending on hardware) for device lock purposes. When a user uses a biometric gesture, he or she can still use the PIN as a fallback mechanism (for example, if the iris-recognition camera fails).

  • +
+
+
+  +
Allow Simple Device PasswordWhether users can use a simple password (for example, 1111 or 1234)
Alphanumeric Device Password RequiredWhether users need to use an alphanumeric password When configured, Windows prompts the user with a full device keyboard to enter a complex password. When not configured, the user will be able to enter a numeric PIN on the keyboard.
Min Device Password Complex CharactersThe number of password element types (in other words, uppercase letters, lowercase letters, numbers, or punctuation) required to create strong passwords
Device Password ExpirationThe number of days before a password expires (Biometric data does not expire.)
Device Password HistoryThe number of passwords Windows 10 Mobile remembers in the password history (Users cannot reuse passwords in the history to create new passwords.)
Min Device Password LengthThe minimum number of characters required to create new passwords
Max Inactivity Time Device LockThe number of minutes of inactivity before devices are locked and require a password to unlock
Allow Idle Return Without PasswordWhether users are required to re-authenticate when their devices return from a sleep state, before the inactivity time was reached
Max Device Password Failed AttemptsThe number of authentication failures allowed before a device is wiped (A value of zero disables device wipe functionality.)
Screen Timeout While LockedThe number of minutes before the lock screen times out (This policy influences the device’s power management.)
Allow Screen Timeout While Locked User ConfigurationWhether users can manually configure screen timeout while the device is on the lock screen (Windows 10 Mobile ignores the Screen Timeout While Locked setting if you disable this setting.)
+ +  + +### Hardware restrictions + +Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. + +**Note**   +Some of these hardware restrictions provide connectivity and assist in data protection. Enterprise data protection is currently being tested in select customer evaluation programs. + +  + +Table 7. Windows 10 Mobile hardware restrictions + +| Setting | Description | +|--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------| +| Allow NFC | Whether the NFC radio is enabled | +| Allow USB Connection | Whether the USB connection is enabled (this setting doesn’t affect USB charging) | +| Allow Bluetooth | Whether users can enable and use the Bluetooth radio on their devices | +| Allow Bluetooth Advertising | Whether the device can act as a source for Bluetooth advertisements and be discoverable to other devices | +| Allow Bluetooth Discoverable Mode | Whether the device can discover other devices (for example, headsets) | +| Bluetooth Services Allowed List | The list of Bluetooth services and profiles to which the device can connect | +| Set Bluetooth Local Device Name | The local Bluetooth device name | +| Allow Wi-Fi | Whether the Wi-Fi radio is enabled | +| Allow Auto Connect to Wi-Fi Sense Hotspots | Whether the device can automatically connect to Wi-Fi hotspots and friends’ home networks that are shared through Wi-Fi Sense | +| Allow Manual Wi-Fi Configuration | Whether users can manually connect to Wi-Fi networks not 
specified in the MDM system’s list of configured Wi-Fi networks | +| WLAN Scan Mode | How actively the device scans for Wi-Fi networks (This setting is hardware dependent.) | +| Allow Camera | Whether the camera is enabled | +| Allow Storage Card | Whether the storage card slot is enabled | +| Allow Voice Recording | Whether the user can use the microphone to create voice recordings | +| Allow Location | Whether the device can use the GPS sensor or other methods to determine location so applications can use location information | + +  + +### Certificate management + +Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides. + +Table 8. 
Windows 10 Mobile SCEP certificate enrollment settings + +| Setting | Description | +|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Certificate enrollment server URLs | The certificate enrollment servers (to specify multiple server URLs, separate the URLs with semicolons \[;\]) | +| SCEP enrollment challenge | The Base64-encoded SCEP enrollment challenge | +| Extended key use object identifiers | The object identifiers (OIDs) for extended key use | +| Key usage | The key usage bits for the certificate in decimal format | +| Subject name | The certificate subject name | +| Private key storage | Where to store the private key (in other words, the Trusted Platform Module \[TPM\], a software key storage provider \[KSP\], or the Microsoft Passport KSP) | +| Pending retry delay | How long the device will wait to retry when the SCEP server sends a pending status | +| Pending retry count | The number of times a device will retry when the SCEP server sends a pending status | +| Template name | The OID of the certificate template name | +| Private key length | The private key length (in other words, 1024, 2048, or 4096 bits; Microsoft Passport supports only the 2048 key length) | +| Certificate hash algorithm | The hash algorithm family (in other words, SHA-1, SHA-2, SHA-3; multiple hash algorithm families are separated by plus signs \[+\]) | +| Root CA thumbprint | The root CA thumbprint | +| Subject alternative names | Subject alternative names for the certificate (Use semicolons to separate multiple subject alternative names.) 
| +| Valid period | The unit of measure for the period of time the certificate is considered valid (in other words, days, months, or years) | +| Valid period units | The number of units of time that the certificate is considered valid (Use this setting with the **Valid Period** setting. For example, if this setting is **3** and **Valid Period** is **Years**, the certificate is valid for 3 years.) | +| Custom text to show in Microsoft Passport PIN prompt | The custom text to show on the Microsoft Passport PIN prompt during certificate enrollment | +| Thumbprint | The current certificate thumbprint, if certificate enrollment succeeds | + +  + +In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. Table 9 lists the Windows 10 Mobile PFX certificate deployment settings. + +Table 9. Windows 10 Mobile PFX certificate deployment settings + +| Setting | Description | +|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Private key storage | Where to store the private key (in other words, the TPM, a software KSP, or the Microsoft Passport KSP) | +| Microsoft Passport container name | The tenant identifier of the Azure AD tenant from which the Microsoft Passport is derived, required only if you select **Microsoft Passport KSP** in **Private key storage** | +| PFX packet | The PFX packet with the exported and encrypted certificates and keys in Binary64 format | +| PFX packet password | The password that protects the PFX blob specified in **PFX packet** | +| PFX packet password encryption | Whether the MDM system encrypts the PFX certificate password with the MDM certificate | +| PFX private key export | Whether the PFX private key can be exported | +| Thumbprint | The thumbprint of the installed PFX certificate | + +  + +Use the **Allow Manual Root Certificate 
Installation** setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. + +**Note**   +To diagnose certificate-related issues on Windows 10 Mobile devices, use the free [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=723996) in Windows Store. This Windows 10 Mobile app can help you: + +- View a summary of all personal certificates. + +- View the details of individual certificates. + +- View the certificates used for VPN, Wi-Fi, and email authentication. + +- Identify which certificates may have expired. + +- Verify the certificate path and confirm that you have the correct intermediate and root CA certificates. + +- View the certificate keys stored in the device TPM. + +  + +### Wi-Fi + +People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention. + +Table 10 lists the Windows 10 Mobile Wi-Fi connection profile settings. Use the information in this table to help you create Wi-Fi connection profiles in your MDM system. + +Table 10. Windows 10 Mobile Wi-Fi connection profile settings + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
SSIDThe case-sensitive name of the Wi-Fi network (service set identifier [SSID])
Security typeThe type of security the Wi-Fi network uses; can be one of the following authentication types: +
    +
  • Open 802.11

  • +
  • Shared 802.11

  • +
  • WPA-Enterprise 802.11

  • +
  • WPA-Personal 802.11

  • +
  • WPA2-Enterprise 802.11

  • +
  • WPA2-Personal 802.11

  • +
Authentication encryptionThe type of encryption the authentication uses; can be one of the following encryption methods: +
    +
  • None (no encryption)

  • +
  • Wired Equivalent Privacy

  • +
  • Temporal Key Integrity Protocol

  • +
  • Advanced Encryption Standard (AES)

  • +
Extensible Authentication Protocol Transport Layer Security (EAP-TLS)WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use EAP-TLS with certificates for authentication
Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2)WPA-Enterprise 802.11 and WPA2-Enterprise 802.11 security types can use PEAP-MSCHAPv2 with a user name and password for authentication
Shared keyWPA-Personal 802.11 and WPA2-Personal 802.11 security types can use a shared key for authentication.
ProxyThe configuration of any network proxy that the Wi-Fi connection requires (To specify the proxy server, use its fully qualified domain name [FQDN], Internet Protocol version 4 [IPv4] address, IP version 6 [IPv6] address, or IPvFuture address.)
Disable Internet connectivity checksWhether the Wi-Fi connection should check for Internet connectivity
Proxy auto-configuration URLA URL that specifies the proxy auto-configuration file
Enable Web Proxy Auto-Discovery Protocol (WPAD)Specifies whether WPAD is enabled
+ +  + +Table 11 lists the Windows 10 Mobile settings for managing Wi-Fi connectivity. + +Table 11. Windows 10 Mobile Wi-Fi connectivity settings + +| Setting | Configuration | +|--------------------------------------------|----------------------------------------------------------------------------| +| Allow Auto Connect To Wi-Fi Sense Hotspots | Whether the device will automatically detect and connect to Wi-Fi networks | +| Allow Manual Wi-Fi Configuration | Whether the user can manually configure Wi-Fi settings | +| Allow Wi-Fi | Whether the Wi-Fi hardware is enabled | +| WLAN Scan Mode | How actively the device scans for Wi-Fi networks | + +  + +### Proxy + +Apps running on Windows 10 Mobile (for example, Microsoft Edge) can use proxy connections to access Internet content, but Wi-Fi connections on the corporate intranet most typically use proxy connections, instead. You can define multiple proxies in Windows 10 Mobile. + +**Note**   +Windows 10 Mobile also supports proxy auto-configuration (PAC) files, which can automatically configure proxy settings. The Web Proxy Auto-Discovery Protocol (WPAD) lets apps use Dynamic Host Configuration Protocol and Domain Name System (DNS) lookups to locate the PAC file. + +  + +Table 12 lists the Windows 10 Mobile settings for proxy connections. + +Table 12. Windows 10 Mobile proxy connection settings + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingsConfiguration
Proxy nameThe unique name of the proxy connection
Proxy IDThe unique identifier for the proxy connection
NameThe user-friendly name of the proxy connection
Server addressThe address of the proxy server, which can be the server FQDN or IP address
IP address typeThe IP address type that identifies the proxy server, which can be one of the following values: +
    +
  • IPV4

  • +
  • IPV6

  • +
  • E164

  • +
  • ALPHA

  • +
Proxy connection typeThe proxy connection type, which can be one of the following values: +
    +
  • ISA

  • +
  • WAP

  • +
  • SOCKS

  • +
  • NULL

  • +
PortsThe port information for the proxy connection; includes the following settings: +
    +
  • Port Name. The unique name of a port that the proxy connection uses, such as PORT0 or PORT1

  • +
  • Port Name/Port Nbr. The proxy connection port number for this port

  • +
  • Port Name/Services. The services that use this proxy connection port

  • +
  • Services/Service Name. The name of a service that uses the proxy connection

  • +
  • Services/Service Name/Service Name. The protocol associated with the parent port connection

  • +
Configuration referenceThe connection reference information for the proxy connection. The corporation determines the information in this optional setting.
+ +  + +### VPN + +In addition to Wi-Fi, users often use a VPN to securely access apps and resources on their company’s intranet behind a firewall. Windows 10 Mobile supports several VPN vendors in addition to native Microsoft VPNs (such as Point to Point Tunneling Protocol \[PPTP\], Layer 2 Tunneling Protocol \[L2TP\], and Internet Key Exchange Protocol version 2 \[IKEv2\]), including: + +- IKEv2 + +- IP security + +- SSL VPN connections (which require a downloadable plug-in from the VPN server vendor) + +You can configure Windows 10 Mobile to use auto-triggered VPN connections, as well. You define a VPN connection for each app that requires intranet connectivity. When users switch between apps, the operating system automatically establishes the VPN connection for that app. In the event the device drops the VPN connection, Windows 10 Mobile automatically reconnects to the VPN without user intervention. + +With always-on VPN, Windows 10 Mobile can automatically start a VPN connection when a user signs-in, as well. The VPN stays connected until the user manually disconnects it. + +MDM support for VPN connections in Windows 10 Mobile includes provisioning and updating VPN connection profiles and associating VPN connections with apps. You can create and provision VPN connection profiles, and then deploy them to managed devices that run Windows 10 Mobile. Table 13 lists the Windows 10 Mobile fields for VPN connection profiles. + +Table 13. Windows 10 Mobile VPN connection profile settings + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
Native VPN protocol profile

The configuration information when the VPN uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP); includes the following settings:

+
    +
  • Servers. The VPN server for the VPN profile

  • +
  • Routing policy type. The type of routing policy the VPN profile uses; can be set to one of the following values:

    +
      +
    • Split tunnel. Only network traffic destined to the intranet goes through the VPN connection.

    • +
    • Force tunnel. All traffic goes through the VPN connection.

    • +
  • +
  • Tunneling protocol type. The tunneling protocol used for VPN profiles that use native Windows 10 Mobile VPN protocols; can be one the following values:

    +
      +
    • PPTP

    • +
    • L2TP

    • +
    • IKEv2

    • +
    • Automatic

    • +
  • +
  • User authentication method. The user authentication method for the VPN connection; can have a value of EAP or MSChapv2. Windows 10 Mobile does not support the value MSChapv2 for IKEv2-based VPN connections.

  • +
  • Machine certificate. The machine certificate used for IKEv2-based VPN connections.

  • +
  • EAP configuration. An HTML-encoded XML blob of the EAP configuration. For more information about creating the EAP configuration XML blob, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=734055). You can use the XML blob these steps create in the MDM system to create the VPN profile.

  • +
VPN plugin profileWindows Store–based VPN plug-ins for the VPN connection; includes the following settings: +
    +
  • VPN servers. A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address.

  • +
  • Custom configuration. An HTML-encoded XML blob for SSL–VPN plug-in–specific configuration information (e.g., authentication information) that the plug-in provider requires.

  • +
  • Windows Store VPN plugin family name. Specifies the Windows Store package family name for the Windows Store–based VPN plug-in.

  • +
Always on connectionWhether the VPN connects at user sign-in and stays connected until the user manually disconnects the VPN connection.
App trigger listA list of apps that automatically initiate the VPN connection. Each app trigger in the list includes the following settings: +
    +
  • App ID. The app identity for the app that automatically initiates the VPN connection Any apps in this list can send data through the VPN connection; set it to one of the following values:

    +
      +
    • Unique name of the Windows Store app (Package Family Name). The package family name is a unique name for each app. For example, the package family name for the Skype app is Microsoft.SkypeApp_kzf8qxf38zg5c.

    • +
    • Fully qualified path to the app (such as C:\Windows\System\Notepad.exe).

    • +
    • Kernel driver name.

    • +
  • +
DNS suffixesA comma-separated list of DNS suffixes for the VPN connection. Any DNS suffixes in this list are automatically added to Suffix Search List.
LockDown VPN profileWhether this VPN connection is a LockDown profile. A LockDown VPN profile has the following characteristics: +
    +
  • It is an always-on VPN profile.

  • +
  • It can never be disconnected.

  • +
  • If the VPN profile is not connected, the user has no network connectivity.

  • +
  • No other VPN profiles can be connected or modified.

  • +
+

You must delete a LockDown VPN profile before you can add, remove, or connect other VPN profiles.

Name Resolution Policy Table rulesA list of Name Resolution Policy Table rules for the VPN connection. Each rule in the list includes the following settings: +
    +
  • Domain name. The namespace for the policy; can be an FQDN or a domain suffix.

  • +
  • Domain name type. The type of namespace in Domain name; has a value of either FQDN or Suffix.

  • +
  • DNS servers. A comma-separated list of DNS server IP addresses to use for the namespace specified in Domain name.

  • +
  • Web proxy servers. The IP address for the web proxy server (if the intranet redirects traffic through a web proxy server).

  • +
ProxyAny post connection proxy support required for the VPN connection; includes the following settings: +
    +
  • Proxy server. Specifies the fully qualified host name or IP address of the proxy server when a specific proxy server is required.

  • +
  • Automatic proxy configuration URL. Specifies the URL for automatically retrieving proxy server settings.

  • +
Remember credentialsWhether the VPN connection caches credentials.
Route listA list of routes to add to the routing table for the VPN connection. Each route in the list includes the following settings: +
    +
  • Address. The destination subnet address in IPv4 or IPv6 format (such as 192.168.0.0).

  • +
  • Prefix size. The portion of the address used to identify the destination subnet address (such as 16 to produce the subnet 192.168.0.0/16).

  • +
Traffic filter listA list of traffic rules that define the traffic that can be sent through the VPN connection. Each rule in the list includes the following settings: +
    +
  • App ID. The app identity for the traffic filter based on a specific app (app-based traffic filter). Any apps in this list can send data through the VPN connection; set to one of the following values:

    +
      +
    • Unique name of the Windows Store app (Package Family Name). The package family name is a unique name for each app. For example, the package family name for the Skype app is Microsoft.SkypeApp_kzf8qxf38zg5c.

    • +
    • Fully qualified path to the app (such as C:\Windows\System\Notepad.exe).

    • +
    • Kernel driver name.

    • +
  • +
  • Protocol. The IP protocol to use for the traffic filter rule (for example, TCP = 6, UDP = 17).

  • +
  • Local port ranges. Specifies a comma-separated list of local IP port ranges (for example, 100–180, 200, 300–350).

  • +
  • Remote port ranges. A comma-separated list of remote IP port ranges (for example, 100–180, 200, 300–350).

  • +
  • Local address ranges. A comma-separated list of local IP address ranges that are allowed to use the VPN connection (for example, 192.168.0.1–192.168.0.255, 172.16.10.0–172.16.10.255).

  • +
  • Remote address ranges. A comma-separated list of remote IP address ranges that are allowed to use the VPN connection (for example, 192.168.0.1–192.168.0.255, 172.16.10.0–172.16.10.255).

  • +
  • Routing policy type. The type of IP tunnel for the VPN connection; set to one of the following:

    +
      +
    • Split tunnel. Only traffic destined for the intranet is sent through the VPN connection.

    • +
    • Force tunnel. All traffic is sent through the VPN connection.

    • +
  • +
Trusted network detectionA comma-separated list of trusted networks that causes the VPN not to connect when the intranet is directly accessible.
+ +  + +Table 14 lists the Windows 10 Mobile settings for managing VPN connections. These settings help you manage VPNs over cellular data connections, which in turn help reduce costs associated with roaming or data plan charges. + +Table 14. Windows 10 Mobile VPN management settings + +| Setting | Description | +|--------------------------------------|---------------------------------------------------------------------------------| +| Allow VPN | Whether users can change VPN settings | +| Allow VPN Over Cellular | Whether users can establish VPN connections over cellular networks | +| Allow VPN Over Cellular when Roaming | Whether users can establish VPN connections over cellular networks when roaming | + +  + +### APN profiles + +An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. + +An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. Corporations in Europe and the Asia-Pacific use APNs, but they are not common in the United States. + +You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. Table 15 lists the MDM settings that Windows 10 Mobile supports for APN profiles. + +Table 15. Windows 10 Mobile APN profile settings + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
APN nameThe APN name
IP connection typeThe IP connection type; set to one of the following values: +
    +
  • IPv4 only

  • +
  • IPv6 only

  • +
  • IPv4 and IPv6 concurrently

  • +
  • IPv6 with IPv4 provided by 46xlat

  • +
LTE attachedWhether the APN should be attached as part of an LTE Attach
APN class IDThe globally unique identifier that defines the APN class to the modem
APN authentication typeThe APN authentication type; set to one of the following values: +
    +
  • None

  • +
  • Auto

  • +
  • PAP

  • +
  • CHAP

  • +
  • MSCHAPv2

  • +
User nameThe user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type
PasswordThe password for the user account specified in User name
Integrated circuit card IDThe integrated circuit card ID associated with the cellular connection profile
+ +  + +### Data leak protection + +Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks. + +Table 16. Windows 10 Mobile data leak protection settings + +| Setting | Description | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Allow copy and paste | Whether users can copy and paste content | +| Allow Cortana | Whether users can use Cortana on the device, where available | +| Allow device discovery | Whether the device discovery user experience is available on the lock screen (For example, this setting can control whether a device could discover a projector \[or other devices\] when the lock screen is displayed.) 
| +| Allow input personalization | Whether personally identifiable information can leave the device or be saved locally (for example, Cortana learning, inking, dictation) | +| Allow manual MDM unenrollment | Whether users are allowed to delete the workplace account (in other words, unenroll the device from the MDM system) | +| Allow screen capture | Whether users are allowed to capture screenshots on the device | +| Allow SIM error dialog prompt | Specifies whether to display a dialog prompt when no SIM card is installed | +| Allow sync my settings | Whether the user experience settings are synchronized between devices (works with Microsoft accounts only) | +| Allow toasts notifications above lock screen | Whether users are able to view toast notification on the device lock screen | +| Allow voice recording | Whether users are allowed to perform voice recordings. | + +  + +### Storage management + +Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. + +A feature in Windows 10 Mobile is the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on, so you don’t need to set a policy explicitly to enable it. + +The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. 
+ +You can disable the **Allow Storage Card** setting to prevent users from using SD cards altogether, but the primary advantage of the SD card app partition–encryption feature is that organizations can give users the flexibility to use an SD card while still protecting the confidential apps and data on it. + +If you don’t encrypt storage, you can help protect your corporate apps and data by using the **Restrict app data to the system volume** and **Restrict apps to the system volume** settings. They help ensure that users cannot copy your apps and data to SD cards. + +Table 17 lists the MDM storage-management settings that Windows 10 Mobile provides. + +Table 17. Windows 10 Mobile storage management settings + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
Allow Storage CardWhether users can use storage cards for device storage (This setting does not prevent programmatic access to the storage cards.)
Require Device EncryptionWhether internal storage is encrypted (When a device is encrypted, you cannot use a policy to turn encryption off.)
Encryption methodSpecifies the BitLocker drive encryption method and cipher strength; can be one of the following values: +
    +
  • AES-Cipher Block Chaining (CBC) 128-bit

  • +
  • AES-CBC 256-bit

  • +
  • XEX-based tweaked-codebook mode with cipher text stealing (XTS)–AES (XTS-AES) 128-bit (this is the default)

  • +
  • XTS-AES-256-bit

  • +
Allow Federal Information Processing Standard (FIPS) algorithm policyWhether the device allows or disallows the FIPS algorithm policy
SSL cipher suitesSpecifies a list of the allowed cryptographic cipher algorithms for SSL connections
Restrict app data to the system volumeSpecifies whether app data is restricted to the system drive
Restrict apps to the system volumeSpecifies whether apps are restricted to the system drive
+ +  + +## App management + + +Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics: + +- [Universal Windows Platform (UWP)](#uwp) + +- [Sourcing the right app](#sourcing) + +- [Windows Store for Business](#store) + +- [Mobile application management (MAM) policies](#mam) + +- [Microsoft Edge](#edge) + +### Universal Windows Platform + +Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information. + +### Sourcing the right app + +The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system. + +To install Windows Store or LOB apps, use the Windows Store cloud service or your MDM system to distribute the app packages. 
Your MDM system can deploy apps online by redirecting the user to a licensed app in Windows Store or offline by distributing a package that you downloaded from Windows Store (also called *sideloading*) on Windows 10 Mobile devices. You can fully automate the app deployment process so that no user intervention is required. + +IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business. + +Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition). + +Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps. 
+ +### Store for Business + +[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription. + +The process for using Store for Business is as follows: + +1. Create a Store for Business subscription for your organization. + +2. In the Store for Business portal, acquire apps from Windows Store (only free apps are available at this time). + +3. In Store for Business, distribute apps to users, and manage the app licenses for the apps acquired in the previous step. + +4. Integrate your MDM system with your organization’s Store for Business subscription. + +5. Use your MDM system to deploy the apps. + +For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md). + +### Mobile application management (MAM) policies + +With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. + +You can also control users’ access to Windows Store and whether the Store service updates apps automatically. You can manage all these capabilities through your MDM system. 
Table 18 lists the Windows 10 Mobile app management settings. + +Table 18. Windows 10 Mobile app management settings + +| Setting | Description | +|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Allow All Trusted Apps | Whether users can sideload apps on the device | +| Allow App Store Auto Update | Whether automatic updates of apps from Windows Store are allowed | +| Allow Developer Unlock | Whether developer unlock is allowed | +| Allow Shared User App Data | Whether multiple users of the same app can share data | +| Allow Store | Whether Windows Store app is allowed to run | +| Allow Windows Bridge For Android App Execution | Whether the Windows Bridge for Android app is allowed to run | +| Application Restrictions | An XML blob that defines the app restrictions for a device (The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher.) | +| Require Private Store Only | Whether the private store is exclusively available to users (If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.) | +| Restrict App Data To System Volume | Whether app data is allowed only on the system drive | +| Restrict App To System Volume | Whether app installation is allowed only to the system drive | +| Start screen layout | An XML blob used to configure the Start screen (See [Start layout for Windows 10 Mobile editions](http://go.microsoft.com/fwlink/p/?LinkId=734057) for more information.) | + +  + +One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. 
To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system. + +### Microsoft Edge + +MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile. + +Table 19. Microsoft Edge settings for Windows 10 Mobile + +| Setting | Description | +|-------------------------------------------------|-------------------------------------------------------------------------------------------------------| +| Allow Active Scripting | Whether active scripting is allowed | +| Allow Autofill | Whether values are automatically filled on websites | +| Allow Browser | Whether Internet Explorer is allowed on the device | +| Allow Cookies | Whether cookies are allowed | +| Allow Do Not Track headers | Whether Do Not Track headers are allowed | +| Allow InPrivate | Whether users can use InPrivate browsing | +| Allow Password Manager | Whether users can use Password Manager to save and manage passwords locally | +| Allow Search Suggestions in Address Bar | Whether search suggestions are shown in the address bar | +| Allow SmartScreen | Whether SmartScreen Filter is enabled | +| First Run URL | The URL to open when a user launches Microsoft Edge for the first time | +| Include Sites Bypassing Proxy In Intranet Sites | Whether websites that bypass the proxy server are able to use the Intranet security zone | +| Include UNC Paths In Intranet Sites | Whether URL paths can represent Universal Naming Convention (UNC) paths in the Intranet security zone | +| Intranet Sites | A list of the websites that are in the Intranet security zone | +| Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files | + +  + +## Device operations + + +In this section, you learn how MDM settings in Windows 10 Mobile enable the following 
scenarios: + +- [Device update](#device-update) + +- [Device compliance monitoring](#device-comp) + +- [Device inventory](#data-inv) + +- [Remote assistance](#remote-assist) + +- [Cloud services](#cloud-serv) + +### Device update + +To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available. + +The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades. + +Table 20. Windows 10 Mobile Enterprise update management settings + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
Allow automatic updateThe automatic update behavior for scanning, downloading, and installing updates; the behavior can be one of the following: +
    +
  • Notify users prior to downloading updates.

  • +
  • Automatically install updates, and then notify users to schedule a restart (this is the default behavior).

  • +
  • Automatically install and restart devices with user notification.

  • +
  • Automatically install and restart devices at a specified time.

  • +
  • Automatically install and restart devices without user interaction.

  • +
  • Turn off automatic updates.

  • +
Allow non Microsoft signed updateWhether automatic updates will accept updates that entities other than Microsoft have signed
Allow update serviceWhether devices can obtain updates from Windows Update, WSUS, or Windows Store
Monthly security updates deferredWhether monthly updates (for example, security patches) are deferred (You can defer updates up to 4 weeks.)
Nonsecurity upgrades deferredWhether nonsecurity upgrades are deferred (You can defer upgrades up to 8 months.)
Pause update deferralsWhether the device should skip an update cycle (This setting is valid only when you configure devices to defer updates or upgrades.)
Require update approvalWhether approval is required before updates can be installed on devices (If approval is required, any updates that have an End User License Agreement [EULA] are automatically accepted on the user’s behalf.)
Schedule install timeThe scheduled time at which updates are installed
Scheduled install dayThe schedule of days on which updates are installed
Update deferral periodHow long updates should be deferred
Update service URLThe name of a WSUS server from which to download updates instead of Windows Update
Upgrade deferral periodHow long Windows 10 Mobile upgrades should be deferred
+ +  + +In addition to configuring how Windows 10 Mobile Enterprise obtains updates, you can manage individual Windows 10 Mobile updates. Table 21 provides information about approved updates to help you control the rollout of new updates to Windows 10 Mobile Enterprise devices. + +Table 21. Windows 10 Mobile Enterprise approved update information + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingDescription
Approved updatesA list of approved updates. Each update in the list includes the Approved Time setting, which specifies the update approval time. Any approved updates automatically accept EULAs on behalf of users.
Failed updatesA list of updates that failed during installation. Each update in the list includes the following settings: +
    +
  • H Result. The update failure code

  • +
  • Status. The failed update state (for example, download, install)

  • +
Installed updatesA list of updates that are installed on the device.
Installable updatesA list of updates that are available for installation. Each update in the list includes the following settings: +
    +
  • Type. The type of update available for installation, set to one of the following values:

    +
      +
    • 0 (no type)

    • +
    • 1 (security)

    • +
    • 2 (critical)

    • +
  • +
  • Revision Number. The revision number for the update used to get metadata for the update during synchronization.

  • +
Pending reboot updatesA list of updates that require a restart to complete update installation. Each update in the last has the Installed Time setting enabled, which specifies installation time for the update.
Last successful scan timeThe last time a successful update scan was completed.
Defer upgradeWhether the upgrade is deferred until the next update cycle.
+ +  + +### Device compliance monitoring + +You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards. + +You can also assess the health of devices that run Windows 10 Mobile and take enterprise policy actions. The process that the health attestation feature in Windows 10 Mobile uses is as follows: + +1. The health attestation client collects data used to verify device health. + +2. The client forwards the data to the Health Attestation Service (HAS). + +3. The HAS generates a Health Attestation Certificate. + +4. The client forwards the Health Attestation Certificate and related information to the MDM system for verification. + +For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](../keep-secure/windows-10-mobile-security-guide.md). + +Depending on the results of the health state validation, an MDM system can take one of the following actions: + +- Allow the device to access resources. + +- Allow the device to access resources but identify the device for further investigation. + +- Prevent the device from accessing resources. + +Table 21 lists data points that the HAS collects and evaluates from devices that run Windows 10 Mobile to determine the action to perform. For most of these data points, the MDM system can take one of the following actions: + +- Disallow all access. + +- Disallow access to high-business-impact assets. + +- Allow conditional access based on other data points that are present at evaluation time—for example, other attributes on the health certificate or a device’s past activities and trust history. + +- Take one of the previous actions, and also place the device on a watch list to monitor it more closely for potential risks. 
+ +- Take corrective action, such as informing IT administrators to contact the owner and investigate the issue. + +Table 21. Windows 10 Mobile HAS data points + +| Data point | Description | +|----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Attestation Identity Key (AIK) present | Indicates that an AIK is present (in other words, the device can be trusted more than a device without an AIK). | +| Data Execution Prevention (DEP) enabled | Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy. | +| BitLocker status | BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker. | +| Secure Boot enabled | Whether Secure Boot is enabled on the device. A device with Secure Boot enabled can be trusted more than a device without Secure Boot. Secure Boot is always enabled on Windows 10 Mobile devices. | +| Code integrity enabled | Whether the code integrity of a drive or system file is validated each time it’s loaded into memory. A device with code integrity enabled can be trusted more than a device without code integrity. | +| Safe mode | Whether Windows is running in safe mode. A device that is running Windows in safe mode isn’t as trustworthy as a device running in standard mode. | +| Running Windows Preinstallation Environment (Windows PE) | Whether the device is running Windows PE. A device running Windows PE isn’t as secure as a device running Windows 10 Mobile. | +| Boot debug enabled | Whether the device has boot debug enabled. A device that has boot debug enabled is less secure (trusted) than a device without boot debug enabled. 
| +| OS kernel debugging enabled | Whether the device has operating system kernel debugging enabled. A device that has operating system kernel debugging enabled is less secure (trusted) than a device with operating system kernel debugging disabled. | +| Test signing enabled | Whether test signing is disabled. A device that has test signing disabled is more trustworthy than a device that has test signing enabled. | +| Boot Manager Version | The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted). | +| Code integrity version | Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted). | +| Secure Boot Configuration Policy (SBCP) present | Whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash. | +| Boot cycle whitelist | The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant. | + +  + +### Device inventory + +Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates). + +Table 22 lists examples of the Windows 10 Mobile software and hardware information that a device inventory provides. In addition to this information, the MDM system can read any of the configuration settings described in this guide. 
+ +Table 22. Windows 10 Mobile software and hardware inventory examples + +| Setting | Description | +|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Installed enterprise apps | List of the enterprise apps installed on the device | +| Device name | The device name configured for the device | +| Firmware version | Version of firmware installed on the device | +| Operating system version | Version of the operating system installed on the device | +| Device local time | Local time on the device | +| Processor type | Processor type for the device | +| Device model | Model of the device as defined by the manufacturer | +| Device manufacturer | Manufacturer of the device | +| Device processor architecture | Processor architecture for the device | +| Device language | Language in use on the device | +| Phone number | Phone number assigned to the device | +| Roaming status | Indicates whether the device has a roaming cellular connection | +| International mobile equipment identity (IMEI) and international mobile subscriber identity (IMSI) | Unique identifiers for the cellular connection for the phone; Global System for Mobile Communications networks identify valid devices by using the IMEI, and all cellular networks use the IMSI to identify the device and user | +| Wi-Fi IP address | IPv4 and IPv6 addresses currently assigned to the Wi-Fi adapter in the device | +| Wi-Fi media access control (MAC) address | MAC address assigned to the Wi-Fi adapter in the device | +| Wi-Fi DNS suffix and subnet mask | DNS suffix and IP subnet mask assigned to the Wi-Fi adapter in the device | +| Secure Boot state | Indicates whether Secure Boot is enabled | +| Enterprise encryption policy compliance | Indicates 
whether the device is encrypted | + +  + +### Remote assistance + +The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include: + +- **Remote lock.** Support personnel can remotely lock a device. This ability can help when a user loses his or her mobile device and can retrieve it but not immediately (for example, leaving the device at a customer site). + +- **Remote PIN reset.** Support personnel can remotely reset the PIN, which helps when users forget their PIN and are unable to access their device. No corporate or user data is lost, and users are able to gain access to their devices quickly. + +- **Remote ring.** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it. + +- **Remote find.** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. To configure Windows 10 Mobile remote find, use the settings in Table 23. The remote find feature returns the most current latitude, longitude, and altitude of the device. + +These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password. + +Table 23. 
Windows 10 Mobile remote find settings + +| Setting | Description | +|---------------------------|---------------------------------------------------------------------------------------------------------------------------------| +| Desired location accuracy | The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters | +| Maximum remote find | Maximum length of time in minutes that the server will accept a successful remote find; has a value between 0 and 1,000 minutes | +| Remote find timeout | The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds | + +  + +### Cloud services + +On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services. + +**Manage push notifications** + +The Windows Push Notification Services enable software developers to send toast, tile, badge, and raw updates from their cloud services. It provides a mechanism to deliver updates to users in a power-efficient and dependable way. + +Push notifications can affect battery life, however, so the battery saver in Windows 10 Mobile limits background activity on the devices to extend battery life. Users can configure battery saver to turn on automatically when the battery drops below a set threshold. When battery saver is on, Windows 10 Mobile disables the receipt of push notifications to save energy. + +There is an exception to this behavior, however. In Windows 10 Mobile, the **Always allowed** battery saver settings (found in the Settings app) allow apps to receive push notifications even when battery saver is on. 
Users can manually configure this list, or you can use the MDM system to configure it—that is, you can use the battery saver settings URI scheme in Windows 10 Mobile (**ms-settings:batterysaver-settings**) to configure these settings. + +For more information about push notifications, see [Windows Push Notification Services (WNS) overview](http://go.microsoft.com/fwlink/p/?LinkId=734060). + +**Manage telemetry** + +As people use Windows 10 Mobile, it can collect performance and usage telemetry that helps Microsoft identify and troubleshoot problems as well as improve its products and services. Microsoft recommends that you select **Full** for this setting. + +Microsoft employees, contractors, vendors, and partners might have access to relevant portions of the information that Windows 10 Mobile collects, but they are permitted to use the information only to repair or improve Microsoft products and services or third-party software and hardware designed for use with Microsoft products and services. + +You can control the level of data that MDM systems collect. Table 24 lists the data levels that Windows 10 Mobile collects and provides a brief description of each. To configure devices, specify one of these levels in the **Allow Telemetry** setting. + +Table 24. 
Windows 10 Mobile data collection levels + +| Level of data | Description | +|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Security | Collects only the information required to keep Windows 10 Mobile enterprise-grade secure, including information about telemetry client settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core. For Windows 10 Mobile, this setting disables Windows 10 Mobile telemetry. | +| Basic | Provides only the data vital to the operation of Windows 10 Mobile. This data level helps keep Windows 10 Mobile and apps running properly by letting Microsoft know the device’s capabilities, what’s installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. By selecting this option, you allow Microsoft to provide updates through Windows Update, including malicious software protection through the Malicious Software Removal Tool. | +| Enhanced | Includes all Basic data plus data about how users use Windows 10 Mobile, such as how frequently or how long they use certain features or apps and which apps they use most often. This option also lets operating system collect enhanced diagnostic information, such as the memory state of a device when a system or app crash occurs, and measure reliability of devices, the operating system, and apps. 
| +| Full | Includes all Basic and Enhanced data and also turns on advanced diagnostic features that collect additional data from devices, such as system files or memory snapshots, which may unintentionally include parts of documents user are working on when a problem occurred. This information helps Microsoft further troubleshoot and fix problems. If an error report contains personal data, Microsoft does not use that information to identify, contact, or target advertising to users. | + +  + +## Device retirement + + +Device retirement (unenrollment) is the last phase of the device life cycle. Historically, mobile device retirement has been a complex and difficult process for organizations. When the organization no longer needs devices, it must remove (wipe) corporate data from them. BYOD scenarios make retirement even more complex because users expect their personal apps and data to remain untouched. Therefore, organizations must remove their data without affecting users’ data. + +You can remotely remove all corporate data from devices that run Windows 10 Mobile without affecting existing user data (partial or enterprise wipe). The help desk or the devices’ users can initiate device retirement. When retirement is complete, Windows 10 Mobile returns the devices to a consumer state, as they were before enrollment. The following list summarizes the corporate data removed from a device when it’s retired: + +- Email accounts + +- Enterprise-issued certificates + +- Network profiles + +- Enterprise-deployed apps + +- Any data associated with the enterprise-deployed apps + +**Note**   +All these features are in addition to the device’s software and hardware factory reset features, which users can use to restore devices to their factory configuration. + +  + +To specify whether users can delete the workplace account in Control Panel and unenroll from the MDM system, enable the **Allow Manual MDM Unenrollment** setting. 
Table 25 lists additional Windows 10 remote wipe settings that you can use the MDM system to configure. + +Table 25. Windows 10 Mobile remote wipe settings + +| Setting | Description | +|-------------------------------|----------------------------------------------------------------------------------------------------------------------| +| Wipe | Specifies that a remote wipe of the device should be performed | +| Allow manual MDM unenrollment | Whether users are allowed to delete the workplace account (in other words, unenroll the device from the MDM system) | +| Allow user to reset phone | Whether users are allowed to use Control Panel or hardware key combinations to return the device to factory defaults | + +  + +## Related topics + + +[Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050) + +[Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=723984) + +[Overview of Mobile Device Management for Office 365](http://go.microsoft.com/fwlink/p/?LinkId=734052) + +[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) + +  + +  + + + + + diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md new file mode 100644 index 0000000000..142e4e88a6 --- /dev/null +++ b/windows/manage/windows-10-start-layout-options-and-policies.md 
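Review bot: Table numbering collides in the device compliance section of windows-10-mobile-and-mdm.md: the HAS data-point table is introduced as "Table 21 lists data points that the HAS collects" and captioned "Table 21. Windows 10 Mobile HAS data points", but "Table 21. Windows 10 Mobile Enterprise approved update information" already exists above it and Tables 22 to 25 follow, so the compliance table (and the tables after it) need renumbering before merge. In that same table the "Test signing enabled" row describes the opposite of its name ("Whether test signing is disabled"); reword it to "Whether test signing is enabled. A device with test signing disabled is more trustworthy than a device that has test signing enabled." so the name and the description agree. Two smaller consistency points: Table 19 is captioned as Microsoft Edge settings, yet its "Allow Browser" row reads "Whether Internet Explorer is allowed on the device"; and the app management text tells the reader to set the "Disable development unlock (side loading)" policy while Table 18 lists the setting as "Allow Developer Unlock", so one name should be used in both places. Finally, "you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with Windows 10 Mobile Enterprise" reads as self-contradictory because of "although"; splitting it into two sentences (public CA certificate: more than 20 apps; Enterprise edition: more than 20 self-signed apps) would make the two cases clear.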
@@ -0,0 +1,145 @@ +--- +title: Manage Windows 10 Start layout options (Windows 10) +description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. +ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A +keywords: ["start screen", "start menu"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +--- + +# Manage Windows 10 Start layout options + + +**Applies to** + +- Windows 10 + +**Looking for consumer information?** + +- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630) + +Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. + +![start layout sections](images/startannotated.png) + +Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. + +The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StartPolicySetting
User tileGroup Policy: Remove Logoff on the Start menu
Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

Suggestions

+

-and-

+

Dynamically inserted app tile

MDM: Allow Windows Consumer Features

+

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences

+
+Note   +

This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

+
+
+  +
Settings > Personalization > Start > Occasionally show suggestions in Start
Recently addedSettings > Personalization > Start > Show recently added apps
Pinned foldersSettings > Personalization > Start > Choose which folders appear on Start
PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
All appsGroup Policy: Remove All Programs list from the Start menuNone
Start layout

MDM: Start layout

+

Group Policy: Start layout

+

Group Policy: Prevent users from customizing their Start Screen

+
+Warning   +

Start layout can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which Start layout was created. When a Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen.

+
+
+  +
None
Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
Start size

MDM: Force Start size

+

Group Policy: Force Start to be either full screen size or menu size

Settings > Personalization > Start > Use Start full screen
All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
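Review bot: the **Start layout** row's warning states the architecture restriction but not what happens on a mismatch; say whether a 32-bit layout applied to a 64-bit device is silently ignored or produces an error, otherwise admins troubleshoot blind. Two smaller points in the same table: the **User tile** row leaves the Settings cell blank while every other row without a Settings option says "None", and the **Start layout** row lists "Prevent users from customizing their Start Screen" as a separate policy right next to a warning that an imported layout already prevents pinning and unpinning; one sentence on how the two interact (does the layout policy alone lock the tiles, or is the second policy still needed?) would remove the ambiguity.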
+ +  + +## Related topics + + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/windows-store-for-business.md b/windows/manage/windows-store-for-business.md new file mode 100644 index 0000000000..b718c7ace7 --- /dev/null +++ b/windows/manage/windows-store-for-business.md @@ -0,0 +1,76 @@ +--- +title: Windows Store for Business (Windows 10) +description: Welcome to the Windows Store for Business You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. +ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Sign up and get started](sign-up-windows-store-for-business-overview.md)

IT admins can sign up for the Store for Business, and get started working with apps.

[Find and acquire apps](find-and-acquire-apps-overview.md)

Use the Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.

[Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)

Distribute apps to your employees from Store for Business. You can assign apps to employees, or let employees install them from your private store.

[Manage apps](manage-apps-windows-store-for-business-overview.md)

Manage settings and access to apps in Store for Business.

[Device Guard signing portal](device-guard-signing-portal.md)

Device Guard signing is a Device Guard feature that is available in the Store for Business. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.

[Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)

You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant

[Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)

Troubleshooting topics for Store for Business.
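Review bot: the **Device Guard signing portal** description should state what adding the portal's signer to a code integrity policy actually grants: every catalog file signed with that certificate, and therefore every binary whose hash the catalog lists, becomes trusted on any device that receives the merged policy, so access to the portal and to the signing certificate needs the same protection as any other code-signing key. Minor: the row switches between "admins" and "you" as the subject, and the **Manage settings** row is missing its closing period.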

+ +  + +  + +  + + + + + diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md new file mode 100644 index 0000000000..262e5704c5 --- /dev/null +++ b/windows/manage/working-with-line-of-business-apps.md 
@@ -0,0 +1,109 @@ +--- +title: Working with line-of-business apps (Windows 10) +description: Your company can make line-of-business (LOB) applications available through Windows Store for Business. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry. +ms.assetid: 95EB7085-335A-447B-84BA-39C26AEB5AC7 +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Working with line-of-business apps + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Your company can make line-of-business (LOB) applications available through Windows Store for Business. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry. + +Developers within your own company, or ISVs that you invite, can become LOB publishers and submit apps to the Windows Store for your company. Once a LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in the Store, and then can be managed or deployed using the same process as any other app that has been acquired through the Store. + +One advantage of making apps available through Store for Business is that the app has been signed by the Store, and uses the standard Store policies. For companies that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](http://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported in Windows 10. + +## Adding LOB apps to your private store + + +Your Store for Business admin and ISV each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees. They’ll use the Store for Business portal, and the Windows Dev center on MSDN. 
Here’s what’s involved: + +- The Store for Business admin invites a developer or ISV to become an LOB publisher for your company. + +- LOB publisher develops and submits app to the Store, tagging the app so it is only available to your company. + +- The Store for Business admin accepts the app and can distribute the app to employees in your company. + +What you'll have to set up: + +- Your company needs to be signed up with Store for Business. + +- LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](http://go.microsoft.com/fwlink/p/?LinkId=623432). + +- LOB publishers need to have an app in the Store, or have an app ready to submit to the Store. + +### Add an LOB publisher (admin) + +For developers within your own organization, or ISVs you're working with to create LOB apps, you'll need to invite them to become a LOB publisher. + +**To invite a developer to become an LOB publisher** + +1. Sign in to the [Windows Store for Business]( http://go.microsoft.com/fwlink/p/?LinkId=623531). +2. Click **Settings**, and then choose **LOB publishers**. +3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer. + +### Submit apps (LOB publisher) + +The developer receives an email invite to become an LOB publisher for your company. Once they accept the invite, they can log in to the Windows Dev Center to create an app submission for your company. The info here assumes that devs or ISVs have an active developer account. + +After an app is published and available in the Store, ISVs publish an updated version by creating another submission in their dashboard. Creating a new submission allows the ISV to make the changes required to create a LOB app for your company. 
To learn more about updates to an app submission, see [App submissions](http://go.microsoft.com/fwlink/p/?LinkId=623463) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543). + +**To create a new submission for an app** + +1. Sign in to the [Windows Dev Center](http://go.microsoft.com/fwlink/p/?LinkId=623486), go to your Dashboard, and click the app you want to make available as an LOB app. +2. On the App overview page, under **Action**, click **Update**. + + -OR- + + Submit your app following the guidelines in [App submissions](http://go.microsoft.com/fwlink/p/?LinkId=623463). Be sure to completed steps 3 and 4 when you set app pricing and availability options. + +3. On the **Pricing and availability** page, under **Distribution and visibility**, click **Line-of-business (LOB) distribution**, and then choose the enterprise(s) who will get the LOB app. No one else will have access to the app. +4. Under **Organizational licensing**, click **Show options**. + + Organizational licensing options apply to all apps, not just LOB apps: + + - **Store-managed (online) volume licensing** - This is required. You must select this item to make your app available as an a LOB app. By default, it will be selected. This won't make the app available to anyone outside of the enterprise(s) that you selected in **Distribution and visibility**. + + - **Disconnected (offline) licensing** - This is optional for LOB apps. + +5. Click **Save** to save your changes and start the app submission process. + +For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543). + +### Add app to inventory (admin) + +After an ISV submits the LOB app for your company, the Store for Businessadmin needs to accept the app. + +**To add the LOB app to your inventory** + +1. Sign in to the Store for Business. +2. 
Click **Manage**, and then choose **New LOB apps**. +3. Click the ellipses under **Action** for the app you want to add to your inventory, and then choose **add to inventory**. + +After you add the app to your inventory, you can choose how to distribute the app. For more information, see: + +- [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) + +- [Distribute apps from your private store](distribute-apps-from-your-private-store.md) + +- [Assign apps to employees](assign-apps-to-employees.md) + +- [Distribute offline apps](distribute-offline-apps.md) + +  + +  + + + + + diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md new file mode 100644 index 0000000000..51db604bd5 --- /dev/null +++ b/windows/plan/TOC.md 
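Review bot: the sideloading sentence in the introduction ("Sideloading is also supported in Windows 10") drops the trade-off the preceding sentence sets up. Having just said the Store advantage is that the app "has been signed by the Store, and uses the standard Store policies", it should add that a sideloaded package bypasses both, must be signed with a certificate the device already trusts, and requires sideloading to be enabled on the device, so it is the path that deserves the closer review. Typos in this file: "Store for Businessadmin" (missing space) under "Add app to inventory", "Be sure to completed steps 3 and 4" in step 2, "Click the ellipses" (ellipsis) in step 3, and "a LOB publisher" / "an LOB" are used inconsistently.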
@@ -0,0 +1,114 @@ +# [Plan for Windows 10 deployment](index.md) +## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) +## [Windows 10 servicing options](windows-10-servicing-options.md) +## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) +## [Windows 10 compatibility](windows-10-compatibility.md) +## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) +## [Windows Update for Business](windows-update-for-business.md) +### [Setup and deployment](setup-and-deployment.md) +### [Integration with management solutions](integration-with-management-solutions-.md) +## [Guidance for education environments](windows-10-guidance-for-education-environments.md) +### [Chromebook migration guide](chromebook-migration-guide.md) +## [Windows To Go: feature overview](windows-to-go-overview.md) +### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) +### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) +### [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) +### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) +### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) +## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) +### [Welcome to ACT](welcome-to-act.md) +#### [What's New in ACT 6.1](whats-new-in-act-60.md) +#### [Software Requirements for ACT](software-requirements-for-act.md) +#### [Software Requirements for RAP](software-requirements-for-rap.md) +### [Configuring ACT](configuring-act.md) +#### [ACT Tools, Packages, and Services](act-tools-packages-and-services.md) +#### [ACT Deployment Options](act-deployment-options.md) +#### [ACT Database 
Configuration](act-database-configuration.md) +#### [ACT Database Migration](act-database-migration.md) +#### [ACT LPS Share Permissions](act-lps-share-permissions.md) +### [Using ACT](using-act.md) +#### [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) +##### [Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md) +##### [Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md) +##### [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md) +#### [Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) +##### [Deciding Which Applications to Test](deciding-which-applications-to-test.md) +##### [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) +##### [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) +##### [Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) +##### [Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) +###### [Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md) +###### [Common Compatibility Issues](common-compatibility-issues.md) +#### [Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) +##### [Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) +##### [Exporting a Data-Collection Package](exporting-a-data-collection-package.md) +##### [Deleting a Data-Collection Package](deleting-a-data-collection-package.md) +##### [Labeling Data in ACM](labeling-data-in-acm.md) +#### [Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) +##### [Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md) +###### [<OperatingSystem> - Application 
Report](act-operatingsystem-application-report.md) +####### [<Application> Dialog Box](application-dialog-box.md) +###### [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md) +####### [<Computer> Dialog Box](computer-dialog-box.md) +###### [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md) +####### [<Device> Dialog Box](device-dialog-box.md) +###### [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md) +####### [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md) +###### [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md) +###### [Customizing Your Report Views](customizing-your-report-views.md) +##### [Organizing Your Compatibility Data](organizing-your-compatibility-data.md) +###### [Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md) +###### [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md) +###### [Selecting Your Deployment Status](selecting-your-deployment-status.md) +###### [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md) +###### [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md) +###### [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md) +###### [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md) +####### [Adding or Editing an Issue](adding-or-editing-an-issue.md) +####### [Adding or Editing a Solution](adding-or-editing-a-solution.md) +####### [Resolving an Issue](resolving-an-issue.md) +##### [Filtering Your Compatibility Data](filtering-your-compatibility-data.md) +###### [Example Filter Queries](example-filter-queries.md) +##### [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) +###### [Data Sent Through the Microsoft Compatibility 
Exchange](data-sent-through-the-microsoft-compatibility-exchange.md) +###### [ACT Community Ratings and Process](act-community-ratings-and-process.md) +#### [Fixing Compatibility Issues](fixing-compatibility-issues.md) +##### [Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md) +##### [SUA User's Guide](sua-users-guide.md) +###### [Using the SUA Wizard](using-the-sua-wizard.md) +###### [Using the SUA Tool](using-the-sua-tool.md) +####### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) +####### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) +####### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md) +####### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md) +##### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +###### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) +####### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md) +####### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md) +####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) +####### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md) +####### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) +####### [Creating an AppHelp Message in Compatibility 
Administrator](creating-an-apphelp-message-in-compatibility-administrator.md) +####### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md) +####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) +####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) +###### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) +####### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md) +####### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md) +####### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md) +###### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md) +### [Troubleshooting ACT](troubleshooting-act.md) +#### [Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md) +#### [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md) +#### [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md) +### [ACT User Interface Reference](act-user-interface-reference.md) +#### [Toolbar Icons in ACM](act-toolbar-icons-in-acm.md) +#### [Ratings Icons in ACM](ratings-icons-in-acm.md) +#### [Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md) +#### [Settings for ACM](settings-for-acm.md) +##### [Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md) +##### [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md) +### [ACT 
Product and Documentation Resources](act-product-and-documentation-resources.md) +### [ACT Glossary](act-glossary.md) +### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) + diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md new file mode 100644 index 0000000000..90c94ca481 --- /dev/null +++ b/windows/plan/act-community-ratings-and-process.md 
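Review bot: two TOC entries look inconsistent with their link targets and should be checked against the files in this PR: "What's New in ACT 6.1" points at whats-new-in-act-60.md, and "Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista" points at compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md. Also "integration-with-management-solutions-.md" carries a trailing hyphen before the extension; if that is the real filename the link will work, but it reads like a slug-generation artifact and is cheapest to rename now while the file is new.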
@@ -0,0 +1,47 @@ +--- +title: ACT Community Ratings and Process (Windows 10) +description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. +ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Community Ratings and Process + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. + +When you access the Microsoft Compatibility Exchange as a registered ACT Community member, you can upload your compatibility data to the community and download issues from other ACT Community members. For information about how compatibility ratings are entered, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). + +ACT takes your information and combines it with all of the information provided by the other ACT Community users and shows the average rating as a color gradient from one to five bars. + +![act community](images/dep-win8-e-act-communityexample.gif) + +## Process for Synchronizing Compatibility Ratings + + +The following diagram shows the process for synchronizing compatibility ratings with the ACT Community. + +You have the option to exclude applications from being shared with the Microsoft Compatibility Exchange. However, you will not get compatibility ratings from the ACT Community for any application that you exclude. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +![act community workflow](images/dep-win8-l-act-communityworkflowdiagram.jpg) + +  + +  + + + + + 
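Review bot: under "Process for Synchronizing Compatibility Ratings" the text says "The following diagram shows the process" but a paragraph about excluding applications sits between that sentence and the image; move the image up or reword. More importantly, since this is the topic where readers decide whether to upload data to the Microsoft Compatibility Exchange, it should link to the "Data Sent Through the Microsoft Compatibility Exchange" topic listed in the plan TOC so they can see what leaves the organization before opting in; today only the exclusion mechanism is linked.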
diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md new file mode 100644 index 0000000000..528cd9a8e2 --- /dev/null +++ b/windows/plan/act-database-configuration.md 
@@ -0,0 +1,84 @@ +--- +title: ACT Database Configuration (Windows 10) +description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. +ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Database Configuration + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169). + +## ACT Database Creation + + +You can create the ACT database by using one of the following methods: + +- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to create a new database. + + -or- + +- Run the CreateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\CreateDB.sql. + +### ACT Database Permissions + +You must assign the following database roles to the following accounts. + +- To the user and local service accounts that will run the ACT Log Processing Service (LPS), assign the db\_datareader, db\_datawriter, and db\_owner database roles. + +- To the user account that will run Application Compatibility Manager (ACM), assign the db\_datareader and db\_datawriter database roles. + +Alternatively, grant the following explicit permissions to each user that will run the ACT LPS or ACM. 
+ +- SELECT + +- INSERT + +- UPDATE + +- DELETE + +- EXECUTE + +### ACT Database Recommendations + +We also recommend that you make the following changes to the database as part of your deployment planning: + +- **Create a larger database, including a larger log file–size setting, and then set the growth increments appropriately**. If you create a database with the default setting for data storage, the data portion of the database will have an initial size of 1 megabyte (MB), and a growth increment of 1 MB. If you create a database with the default setting for log file storage, the log file portion of the database will have an initial size of 1 MB and a growth increment of 10 percent. We recommend that you maintain a data-to-log file ratio of 5:1 or 4:1. For example, if your data portion is 5 gigabytes (GB), your log file portion should be 1 GB. + +- **Change the recovery model of your database**. The default recovery model is **Full**, but we recommend that you change the recovery model to **Simple** to improve performance and reduce disk space requirements. + +- **Store the data portion and log file portion of your ACT database on separate hard drives**. Unless otherwise specified by your SQL Administrator, the default is for the data and log files to be stored on the same hard drive. We recommend separating the data from the log files to reduce disk I/O contention. + +## Related topics + + +[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) + +[ACT Deployment Options](act-deployment-options.md) + +[ACT Database Migration](act-database-migration.md) + +[ACT LPS Share Permissions](act-lps-share-permissions.md) + +  + +  + + + + + diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md new file mode 100644 index 0000000000..38d1886347 --- /dev/null +++ b/windows/plan/act-database-migration.md 
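Review bot: the database permissions section assigns db_owner to the account that runs the LPS in addition to db_datareader and db_datawriter, but db_owner already includes both, so the extra roles are redundant and, more to the point, db_owner lets the service account drop or alter any object in the database. If the LPS genuinely needs more than read/write (for example to create tables during migration), say which operation needs it; otherwise the "Alternatively, grant the following explicit permissions" list (SELECT, INSERT, UPDATE, DELETE, EXECUTE) is the least-privilege choice and should be presented as the recommendation rather than an alternative. Also worth a caveat in the recommendations list: switching the recovery model to **Simple** gives up point-in-time restore, so that advice should be paired with a note to take regular full backups.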
@@ -0,0 +1,67 @@ +--- +title: ACT Database Migration (Windows 10) +description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. +ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Database Migration + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database. + +To create the new database, you must have database-creation permissions on the instance of SQL Server. + +## Migrating Compatibility Data from an ACT Database + + +You can migrate compatibility data from an ACT database to a new database by using one of the following methods: + +- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to open the database. The wizard guides you through migrating the compatibility data to a new database. + +- Run the MigrateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\MigrateDB.sql.. The following table shows the location of the MigrateDB.sql file. + +## Database Migration from ACT 5.6 + + +When you migrate compatibility data from an ACT 5.6 database to a new database, the following information is excluded from the migration: + +- Issues that were reported by ACT 5.6 data-collection packages (DCPs). + +- Solutions that correspond to issues reported by ACT 5.6 DCPs. + +- Lists of file names that ACT 5.6 associated with each application. + +You cannot migrate any compatibility data from ACT databases that were created on a version of ACT before ACT 5.6. 
+ +## Related topics + + +[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) + +[ACT Deployment Options](act-deployment-options.md) + +[ACT Database Configuration](act-database-configuration.md) + +[ACT LPS Share Permissions](act-lps-share-permissions.md) + +  + +  + + + + + diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md new file mode 100644 index 0000000000..bf817c11b1 --- /dev/null +++ b/windows/plan/act-deployment-options.md 
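Review bot: in "Migrating Compatibility Data from an ACT Database", the MigrateDB.sql bullet ends with a double period ("MigrateDB.sql..") and then says "The following table shows the location of the MigrateDB.sql file", but no table follows; either drop that sentence (the path is already in the bullet) or add the table. In "Database Migration from ACT 5.6", the three excluded items are silent data loss for the admin, so consider saying plainly that issues, solutions and file-name lists from a 5.6 database are not carried over and must be re-entered if still needed.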
@@ -0,0 +1,60 @@ +--- +title: ACT Deployment Options (Windows 10) +description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. +ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Deployment Options + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. + +The following diagram shows supported deployment options for an ACT installation. The options listed first are the most highly recommended. + +![act supported topologies](images/dep-win8-l-act-supportedtopologies.jpg) + +## Collecting Data Across Domains + + +If you plan to deploy inventory-collector packages to computers running Windows XP, where some of the computers are on a different domain than the ACT LPS share, do one of the following: + +- Set up a separate ACT LPS share on each domain and configure the inventory-collector package to upload log files to the ACT LPS share on the same domain. + +- Set up a single ACT LPS share on one computer. On the computer that hosts the share, use Group Policy to allow connections from anonymous users. + +These steps are not necessary if the computers where you deploy inventory-collector packages are running Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10. + +If you choose to have distributed logging with a subsequent step of moving log files to your central share, move the files to the central share before processing the files. You can move the files manually or use a technology like Distributed File-System Replication (DFSR). 
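Review bot: the cross-domain option "On the computer that hosts the share, use Group Policy to allow connections from anonymous users" is a security weakening stated without any caveat or specifics. It should name the policy being changed, scope it to the ACT LPS share rather than the whole host, and state the consequence: anyone who can reach the share can write to it, and the LPS will then process whatever is dropped there. Since the other option, one LPS share per domain, avoids this entirely, the text should present it as the preferred choice rather than listing the two as equals. Minor: "Distributed File-System Replication" should be "Distributed File System Replication (DFSR)".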
+ +## Related topics + + +[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) + +[ACT Database Configuration](act-database-configuration.md) + +[ACT Database Migration](act-database-migration.md) + +[ACT LPS Share Permissions](act-lps-share-permissions.md) + +  + +  + + + + + diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md new file mode 100644 index 0000000000..ed5fb09904 --- /dev/null +++ b/windows/plan/act-glossary.md @@ -0,0 +1,117 @@ +--- +title: ACT Glossary (Windows 10) +description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). +ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Glossary + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TermDefinition

ACT Community

An online environment that enables ACT users to share issues and solution data with other registered ACT users.

ACT Log Processing Service (LPS)

The service that processes the log files uploaded from your client computers, adding the information to your ACT database.

AppHelp message

A type of compatibility fix. An AppHelp message is designed to appear when a user starts an application that has compatibility issues. The message can prevent the application from starting, or simply provide information about compatibility issues in the application.

Application Compatibility Manager (ACM)

The user interface that enables you to view reports generated from the ACT database. This is also where you create data-collection packages.

Compatibility Administrator

A tool that enables you to create and deploy compatibility fixes, compatibility modes, and AppHelp messages, to resolve your compatibility issues.

compatibility fix

A small piece of code that intercepts API calls from applications, transforming them so that Windows will provide the same product support for the application as previous versions of the operating system. Previously known as a "shim".

compatibility mode

Group of compatibility fixes found to resolve many common application compatibility issues.

compatibility solution

The solution to a known compatibility issue, as entered by the user, Microsoft, or a vendor.

data-collection package

A Windows installer (.msi) file created by Application Compatibility Manager (ACM) for deploying to each of your client computers. Data-collection packages include inventory collection packages and runtime analysis packages.

deployment

The process of distributing and installing a software program throughout an entire organization. A deployment is not the same as a pilot, which is where you provide the software application to a smaller group of users to identify and evaluate problems that might occur during the actual deployment.

independent software vendor (ISV)

An individual or an organization that independently creates computer software.

inventory-collector package

A package that examines each of your organization's computers to identify the installed applications and system information. You can view the results on the Analyze screen in ACM.

Microsoft Compatibility Exchange

A web service that transfers compatibility information between Microsoft and the ACT database.

runtime-analysis package

A data-collection package that you deploy to computers in a test environment for compatibility testing. The runtime-analysis package includes tools for monitoring applications for compatibility issues and submitting compatibility feedback.

session 0

The session that is used for all of the system services. Previously, users could run in Session 0 without issues; however, this was changed in Windows Vista so that all users are now required to run in Session 1 or later.

shim

See Other Term: compatibility fix

User Account Control (UAC)

A security feature that helps prevent unauthorized changes to a computer, by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users.

+ +  + +  + +  + + + + + diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md new file mode 100644 index 0000000000..f9299c2fed --- /dev/null +++ b/windows/plan/act-lps-share-permissions.md 
@@ -0,0 +1,75 @@ +--- +title: ACT LPS Share Permissions (Windows 10) +description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. +ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT LPS Share Permissions + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. + +## Share-Level Permissions + + +The **Everyone** group must have **Change** and **Read** permissions to the ACT LPS share. + +**To set the share-level permissions** + +1. Browse to the ACT LPS share, right-click the folder, and select **Properties**. + +2. Click the **Sharing** tab, share the folder, and then click **Permissions**. + +3. Add the **Everyone** group if it is not already listed, and then select the **Change** and **Read** check boxes in the **Allow** column. + +## Folder-Level Permissions (NTFS Only) + + +The **Everyone** group must have **Write** access to the ACT LPS share. + +The ACT Log Processing Service account must have **List Folder Contents**, **Read**, and **Write** permissions. + +- If the ACT Log Processing Service account is **Local System Account**, apply the permissions to the *<domain>*\\*<computer>*$ account. + +- If the ACT Log Processing Service is a user account, apply the permissions to the specific user. + +**To set the folder-level permissions** + +1. In Windows Explorer, right-click the folder for the ACT LPS share, and then click **Properties**. + +2. Click the **Security** tab, add the account that runs the ACT Log Processing Service, and then select the **List Folder Contents**, **Read**, and **Write** check boxes in the **Allow** column. + +3. 
Add the **Everyone** group if it is not already listed, and then select the **Write** check box in the **Allow** column. + +## Related topics + + +[ACT Tools, Packages, and Services](act-tools-packages-and-services.md) + +[ACT Deployment Options](act-deployment-options.md) + +[ACT Database Configuration](act-database-configuration.md) + +[ACT Database Migration](act-database-migration.md) + +  + +  + + + + + diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md new file mode 100644 index 0000000000..ef3cee87c4 --- /dev/null +++ b/windows/plan/act-operatingsystem-application-report.md 
@@ -0,0 +1,79 @@ +--- +title: OperatingSystem - Application Report (Windows 10) +description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. +ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <OperatingSystem> - Application Report + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. + +The **<OperatingSystem> - Application Report** screen shows the following information for the applications from which you have collected data: + +- The application name, application vendor, and application version. + +- Your organization’s compatibility rating for the application. + +- Compatibility ratings from users in your organization who are using a runtime analysis package to test the application. + +- Whether the information for the application is included in the synchronization process with the Microsoft Compatibility Exchange. + +- Compatibility information for the application from the application vendor. + +- Compatibility ratings from the ACT Community, if you are a member of the ACT Community. To join the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md). + +- The count of active issues for the application. + +- The count of computers in your organization on which the application is installed. + +**To open the <OperatingSystem> - Application Report screen** + +1. In ACM, on the **Quick Reports** pane, click **Analyze**. + +2. In the **Quick Reports** pane, under an operating system heading, click **Applications**. 
+ +## Using the <OperatingSystem> - Application Report Screen + + +On the **<OperatingSystem> - Application Report** screen, you can perform the following actions: + +- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). + +- Choose whether to synchronize data for each application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). + +- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). + +- Select your compatibility rating for an application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). + +- Select your deployment status for an application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). + +- Assign categories and subcategories to an application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of an application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +- Double-click an application name to view the associated dialog box. For more information, see [<Application> Dialog Box](application-dialog-box.md). + +  + +  + + + + + diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md new file mode 100644 index 0000000000..4a49ff56db --- /dev/null 
+++ b/windows/plan/act-operatingsystem-computer-report.md 
@@ -0,0 +1,61 @@ +--- +title: OperatingSystem - Computer Report (Windows 10) +ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8 +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <OperatingSystem> - Computer Report + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The **<OperatingSystem> - Computer Report** screen shows the following information for each computer in your organization: + +- The computer name, domain, and operating system. + +- The count of applications and devices installed on the computer. + +- The count of installed applications and devices that have issues. + +**To open the <OperatingSystem> - Computer Report screen** + +1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**. + +2. In the **Quick Reports** pane, under an operating system heading, click **Computers**. + +## Using the <OperatingSystem> - Computer Report Screen + + +On the **<OperatingSystem> - Computer Report** screen, you can perform the following actions: + +- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). + +- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). + +- Assign categories and subcategories to a computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of a computer to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). 
+ +- Double-click a computer name to view its associated dialog box. For more information, see [<Computer> Dialog Box](computer-dialog-box.md). + +  + +  + + + + + diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md new file mode 100644 index 0000000000..e4be3521b9 --- /dev/null +++ b/windows/plan/act-operatingsystem-device-report.md 
@@ -0,0 +1,63 @@ +--- +title: OperatingSystem - Device Report (Windows 10) +ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355 +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <OperatingSystem> - Device Report + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The **<OperatingSystem> - Device Report** screen shows the following information for each device installed in your organization: + +- The model and manufacturer of the device. + +- The class of device, as reported by the device. + +- An evaluation from the device manufacturer of whether the device works on a 32-bit operating system or a 64-bit operating system. + +- The count of computers on which the device is installed. + +**To open the <OperatingSystem> - Device Report screen** + +1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**. + +2. In the **Quick Reports** pane, under an operating system heading, click **Devices**. + +## Using the <OperatingSystem> - Device Report Screen + + +On the **<OperatingSystem> - Device Report** screen, you can: + +- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). + +- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). + +- Assign categories and subcategories to a device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of a device to your organization. 
For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +- Double-click a device name to view its associated dialog box. For more information, see [<Device> Dialog Box](device-dialog-box.md). + +  + +  + + + + + diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md new file mode 100644 index 0000000000..54cb4635de --- /dev/null +++ b/windows/plan/act-product-and-documentation-resources.md 
@@ -0,0 +1,66 @@ +--- +title: ACT Product and Documentation Resources (Windows 10) +description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). +ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Product and Documentation Resources + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). + +## Information Related to the Application Compatibility Toolkit + + +- [Microsoft SQL Server](http://go.microsoft.com/fwlink/p/?LinkId=184584). Use Microsoft SQL Server to take full advantage of ACT features. Visit the SQL Server home page for product information, technical resources, and support. + +- [Microsoft SQL Server Express Edition](http://go.microsoft.com/fwlink/p/?LinkId=690325). If you are not already running SQL Server, download a free version of SQL Server Express and its management tools. + +- [Microsoft System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=690326). Visit the System Center Configuration Manager home page for product information, technical resources, and support. + +- [Microsoft Application Verifier](http://go.microsoft.com/fwlink/p/?LinkId=52529). Application Verifier is required by the Standard User Analyzer tool. + +## Information About Application Compatibility + + +- [Application Compatibility home page](http://go.microsoft.com/fwlink/p/?LinkId=184586). Go here for general application compatibility information, including videos, key resources, advice, and technical guidance. + +- [Windows Developer Center home page](http://go.microsoft.com/fwlink/p/?LinkId=184587). 
Find information about the Windows SDK, including how to develop your application, how to get help with compatibility issues, and other development-related content. + +## Information About Windows Deployment + + +- [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618117). Download the latest version of the Microsoft Deployment Toolkit (MDT) to assist with image creation and automated installation, reduce deployment time, standardize desktop and server images, limit service disruptions, reduce post-deployment help desk costs, and improve security and ongoing configuration management. + +- [Windows website](http://go.microsoft.com/fwlink/p/?LinkId=731). Visit the Windows home page for product information, technical resources, and support. + +## Related topics + + +[Troubleshooting ACT](troubleshooting-act.md) + +[Using ACT](using-act.md) + +[Software Requirements for ACT](software-requirements-for-act.md) + +  + +  + + + + + diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md new file mode 100644 index 0000000000..bfaea35f75 --- /dev/null +++ b/windows/plan/act-settings-dialog-box-preferences-tab.md 
@@ -0,0 +1,64 @@ +--- +title: Settings Dialog Box - Preferences Tab (Windows 10) +description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. +ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Settings Dialog Box - Preferences Tab + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**. + +In the **Settings** dialog box, on the **Preferences** tab, use the following controls to join or leave the ACT Community, send ACT usage data to Microsoft, or be notified when there are updates available for ACT. + +**Yes, I want to join the ACT Community** +If this check box is selected, you are a member of the ACT Community and can share application compatibility data with other ACT users. + +If this check box is cleared, you still receive compatibility data from the Microsoft compatibility database, but not from other ACT users. + +For more information about the ACT Community, see [ACT Community Ratings and Process](act-community-ratings-and-process.md). + +**Send ACT usage data to Microsoft** +If this check box is selected, the following ACT usage data is sent to Microsoft: + +- The version of SQL Server being used by the ACT database. + +- The count of 32-bit or 64-bit computers in your organization. + +- The count of computers running a Windows operating system. + +- The operating systems you intend to deploy into your organization. + +- The count of computers to which you deployed data-collection packages. + +If this check box is cleared, your ACT usage data is not sent to Microsoft. 
+ +**Notify me when a newer version of ACT is available (recommended)** +If this check box is selected, ACM notifies you when an update is available for ACT. + +## Related topics + + +[Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md) + +  + +  + + + + + diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md new file mode 100644 index 0000000000..411450f21f --- /dev/null +++ b/windows/plan/act-settings-dialog-box-settings-tab.md 
@@ -0,0 +1,65 @@ +--- +title: Settings Dialog Box - Settings Tab (Windows 10) +description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. +ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Settings Dialog Box - Settings Tab + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**. + +In the **Settings** dialog box, on the **Settings** tab, use the following controls to modify the settings for your ACT database and ACT Log Processing Service. + +**SQL Server** +Lists the database server name for the SQL Server database server that contains your ACT database. + +Click **Browse** to search for available database servers. A **Select Server** dialog box appears from which you can select the database server that contains your ACT database. + +**Database** +Lists the database name of your ACT database. + +**Change** +Opens the user interface where you can create, open, or migrate an ACT database. + +**This computer is configured as a Log Processing Service** +If selected, indicates that this computer is used for the ACT Log Processing Service. Clear this check box to use a different computer to process the logs. + +If there is no designated ACT Log Processing Service, log processing defaults to the local computer. + +**Log Processing Service Account** +Specifies the account information, including the account type and account credentials, to be used to start the ACT Log Processing Service. + +The account must have read and write access to the ACT database. For information about setting up database permissions for the ACT Log Processing Service, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). 
+ +**Log Share** +Specifies the absolute path to the ACT Log Processing Service share where log files are processed. Click **Browse** to search for a location. The **Share as** box automatically updates to show the directory name. + +For information about ensuring that all computers can access the share, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md). + +## Related topics + + +[Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md) + +  + +  + + + + + diff --git a/windows/plan/act-technical-reference.md b/windows/plan/act-technical-reference.md new file mode 100644 index 0000000000..6544f9dc8e --- /dev/null +++ b/windows/plan/act-technical-reference.md 
@@ -0,0 +1,88 @@ +--- +title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) +description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. +ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Application Compatibility Toolkit (ACT) Technical Reference + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. + +By using ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before you deploy a version of Windows to your organization. + +ACT is available in the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Welcome to ACT](welcome-to-act.md)

The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization.

[Configuring ACT](configuring-act.md)

This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.

[Using ACT](using-act.md)

This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.

[Troubleshooting ACT](troubleshooting-act.md)

This section provides troubleshooting information for the Application Compatibility Toolkit (ACT).

[ACT User Interface Reference](act-user-interface-reference.md)

This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).

[ACT Product and Documentation Resources](act-product-and-documentation-resources.md)

The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).

[ACT Glossary](act-glossary.md)

The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).

[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)

You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.

+ +  + +  + +  + + + + + diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md new file mode 100644 index 0000000000..1620557d16 --- /dev/null +++ b/windows/plan/act-toolbar-icons-in-acm.md @@ -0,0 +1,232 @@ +--- +title: Toolbar Icons in ACM (Windows 10) +description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). +ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Toolbar Icons in ACM + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IconDescriptionLocation
ACT home icon

Opens the Application Compatibility Manager Overview screen.

    +
  • Collect toolbar

  • +
  • Analyze toolbar

  • +
ACT Create new DCP

Opens the New Data Collection Package dialog box.

+

For more information, see [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md).

    +
  • Collect toolbar

  • +
ACT export DCP

Exports your data-collection package settings.

+

For more information, see [Exporting a Data-Collection Package](exporting-a-data-collection-package.md).

    +
  • Collect toolbar

  • +
ACT delete icon

Deletes a data-collection package that has not yet run on your client computers.

+

For more information, see [Deleting a Data-Collection Package](deleting-a-data-collection-package.md).

    +
  • Collect toolbar

  • +
ACT open icon

Imports an existing compatibility report.

+

For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).

    +
  • Analyze toolbar

  • +
ACT save report

Saves a compatibility report, including your preferences and settings.

+

For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).

    +
  • Analyze toolbar

  • +
ACT export report data

Exports your report data to a Microsoft® Excel® spreadsheet (.xls) file.

+

For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).

    +
  • Analyze toolbar

  • +
ACT send and receive

Synchronizes your compatibility data with the Microsoft Compatibility Exchange.

+

For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).

    +
  • Analyze toolbar

  • +
ACT filter data

Turns the query builder on or off.

+

For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).

    +
  • Analyze toolbar

  • +
ACT Risk Assessment

Opens the Set Assessment dialog box.

+

For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).

    +
  • Analyze toolbar

  • +
  • Report Details toolbar

  • +
ACT deployment status

Opens the Set Deployment Status dialog box.

+

For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).

    +
  • Analyze toolbar

  • +
  • Report Details toolbar

  • +
ACT categorize icon

Opens the Assign Categories dialog box.

+

For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).

    +
  • Analyze toolbar

  • +
  • Report Details toolbar

  • +
ACT prioritize icon

Opens the Assign Priorities dialog box.

+

For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).

    +
  • Analyze toolbar

  • +
  • Report Details toolbar

  • +
ACT send and receive icon

Opens the Send and Receive Status dialog box.

+

For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).

    +
  • Analyze toolbar

  • +
  • Report Details toolbar

  • +
ACT Add issue icon

Opens the Add Issue dialog box.

+

For more information, see [Adding or Editing an Issue](adding-or-editing-an-issue.md).

    +
  • Report Details toolbar

  • +
ACT add solution

Opens the Add Solution dialog box.

+

For more information, see [Adding or Editing a Solution](adding-or-editing-a-solution.md).

    +
  • Report Details toolbar

  • +
ACT Save icon

Saves a compatibility issue.

    +
  • Add Issue dialog box

  • +
ACT Reactivate resolved issue icon

Reactivates a resolved compatibility issue.

+

For more information, see [Resolving an Issue](resolving-an-issue.md).

    +
  • Add Issue dialog box

  • +
ACT refresh icon

Refreshes the screen. If you are using the query builder, updates the screen with the query results.

    +
  • Collect toolbar

  • +
  • Analyze toolbar

  • +
  • Data Collection Package - Status toolbar

  • +
  • Report Details toolbar

  • +
ACT move up and down icons

Enables you to scroll up and down the screen or dialog box information, showing the related details.

+

This button may not be available for all issues or information.

    +
  • Report Details toolbar

  • +
  • Add Issue dialog box

  • +
  • New Data Collection Package dialog box

  • +
  • Data Collection Package - Status toolbar

  • +
ACT help icon

Opens the online Help system.

    +
  • All screens

  • +
+ +  + +## Related topics + + +[Ratings Icons in ACM](ratings-icons-in-acm.md) + +  + +  + + + + + diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md new file mode 100644 index 0000000000..5d3ef9ba47 --- /dev/null +++ b/windows/plan/act-tools-packages-and-services.md 
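Review bot: two different icons in this table carry the same alt text, "ACT send and receive": the Analyze-toolbar icon that synchronizes data with the Microsoft Compatibility Exchange and the Report Details icon that opens the Send and Receive Status dialog box ("ACT send and receive icon"). A screen-reader user or anyone searching the page cannot tell them apart; give the second one distinct alt text such as "ACT send and receive status icon". Minor: the Save, refresh, move up and down, and help rows are the only ones without a "For more information" link; if a topic exists for any of them, add it for consistency with the other rows.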
@@ -0,0 +1,59 @@ +--- +title: ACT Tools, Packages, and Services (Windows 10) +description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK. +ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT Tools, Packages, and Services + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +ACT includes the following: + +- **Application Compatibility Manager (ACM):** A tool that you can use to create your data-collection packages and analyze the collected inventory and compatibility data. + +- **Inventory-collector package:** A data-collection package that can be deployed to computers to gather inventory data that will be uploaded to the ACT database. + +- **Runtime-analysis package:** A data-collection package that can be deployed to computers in a test environment for compatibility testing on the new operating system. + +- **ACT Log Processing Service (LPS):** A service that is used to process the ACT log files uploaded from the computers where your data-collection packages have been installed. The service adds the information to your ACT database. + +- **ACT LPS share:** A file share that is accessed by the ACT LPS, to store the log files that will be processed and added to the ACT database. + +- **ACT database:** A Microsoft® SQL Server database that stores the collected inventory and compatibility data. You can use ACM to view the information stored in the ACT database. + +- **Microsoft Compatibility Exchange:** A web service that propagates application-compatibility issues. 
+ +## Related topics + + +[ACT Deployment Options](act-deployment-options.md) + +[ACT Database Configuration](act-database-configuration.md) + +[ACT Database Migration](act-database-migration.md) + +[ACT LPS Share Permissions](act-lps-share-permissions.md) + +  + +  + + + + + diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md new file mode 100644 index 0000000000..80687eea7c --- /dev/null +++ b/windows/plan/act-user-interface-reference.md @@ -0,0 +1,73 @@ +--- +title: ACT User Interface Reference (Windows 10) +description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). +ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# ACT User Interface Reference + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
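Review bot: the Windows ADK download link in the intro of act-tools-packages-and-services.md uses plain http (http://go.microsoft.com/fwlink/p/?LinkId=526740); since this is the link readers follow to fetch an installer, use https://go.microsoft.com/fwlink/p/?LinkId=526740 so the redirect is not served over an unauthenticated channel. The "ACT LPS share" bullet would also benefit from a direct link to ACT LPS Share Permissions, which currently appears only under Related topics, because that share receives log files from every computer where a data-collection package is installed and its permissions decide who can write to it.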
TopicDescription

[Toolbar Icons in ACM](act-toolbar-icons-in-acm.md)

The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).

[Ratings Icons in ACM](ratings-icons-in-acm.md)

Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community.

[Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md)

The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM).

[Settings for ACM](settings-for-acm.md)

This section provides information about settings that you can configure in Application Compatibility Manager (ACM).

+ +  + +## Related topics + + +[Using ACT](using-act.md) + +  + +  + + + + + diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md new file mode 100644 index 0000000000..3e7eaaef87 --- /dev/null +++ b/windows/plan/activating-and-closing-windows-in-acm.md @@ -0,0 +1,51 @@ +--- +title: Activating and Closing Windows in ACM (Windows 10) +description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). +ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Activating and Closing Windows in ACM + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The **Windows** dialog box shows the windows that are open in Application Compatibility Manager (ACM). + +**To view a list of the open windows in ACM** + +- On the **Window** menu, click **Windows**. + +**To show an open window in ACM** + +- In the **Windows** dialog box, click the window name from the list of open windows, and then click **Activate**. + + The selected window appears on top of any others on your screen. + +**To close one or more windows in ACM** + +- In the **Windows** dialog box, click one or more window names from the list of open windows, and then click **Close Window(s)**. + +## Related topics + + +[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) + +  + +  + + + + + diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md new file mode 100644 index 0000000000..a3ebf8c8ff --- /dev/null +++ b/windows/plan/adding-or-editing-a-solution.md 
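Review bot: in the "In this section" table of act-user-interface-reference.md, the description for Toolbar Icons in ACM is the topic's opening sentence ("The following table shows icons that appear...") and refers to a table that is not on this index page; reword it as a summary, for example "Describes the icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM)." The same applies to the Activating and Closing Windows in ACM row ("The Windows dialog box shows..."). In that topic's own hunk, Related topics links only to Managing Your Data-Collection Packages, which has no stated connection to the Windows dialog box; a link back to ACT User Interface Reference would be the more useful cross-reference.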
@@ -0,0 +1,104 @@ +--- +title: Adding or Editing a Solution (Windows 10) +description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. +ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Adding or Editing a Solution + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. + +## Adding Solutions for Compatibility Issues with Your Applications and Websites + + +You can view or add solutions only for applications or websites. + +**Note**   +The following examples use the **<Application\_Name>** dialog box. The procedures for websites are similar. + +  + +**To add a solution** + +1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box. + +2. Click the **Issues** tab. + +3. On the **Actions** menu, click **Add Solution**. + +4. Enter the information from the following table, and then click **Save**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription

Title

Can be up to 100 characters in length.

Solution Type

You must select a value from the list.

Solution Details

Information about your solution, including the steps to reproduce your fix.

Solution Details URL

URL for a page that shows more information about the solution.

+ +   + +**To edit an existing solution** + +1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the <Application\_Name> dialog box. + +2. Click the **Issues** tab. + +3. Double-click the issue that includes the solution that you want to modify. + +4. Click the **Solutions** tab. + +5. Double-click the solution to edit. + +6. Modify the information about the solution, and then click **Save**. + + **Note**   + You can only modify your own solutions. You cannot modify solutions entered by other users. + +   + +  + +  + + + + + diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md new file mode 100644 index 0000000000..51a8522a05 --- /dev/null +++ b/windows/plan/adding-or-editing-an-issue.md 
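Review bot: the intro of adding-or-editing-a-solution.md says solutions can be uploaded to Microsoft through the Microsoft Compatibility Exchange, but unlike the Adding or Editing an Issue topic it neither links to Sending and Receiving Compatibility Data nor mentions that synchronization is chosen per application via the send and receive status. Add the link so a reader knows where that sharing decision is made before entering internal details in Solution Details or Solution Details URL. Minor: in step 1 of "To edit an existing solution" the "<Application\_Name> dialog box" is not bold, unlike step 1 of "To add a solution".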
@@ -0,0 +1,114 @@ +--- +title: Adding or Editing an Issue (Windows 10) +description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. +ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Adding or Editing an Issue + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. + +You can use the Microsoft Compatibility Exchange to share compatibility information with others. For information about the Microsoft Compatibility Exchange, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +## Adding Issues for Your Applications and Websites + + +You can view or add issues only for applications or websites. + +**Note**   +The following examples use the **<Application\_Name>** dialog box. The procedures are similar for websites. + +  + +**To add an issue** + +1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box. + +2. On the **Actions** menu, click **Add Issue**. + +3. Enter the information from the following table, and then click **Save**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription

Title

Can be up to 256 characters in length.

Priority

You must select a value from the list.

Severity

You must select a value from the list.

Symptom

You must select a value from the list.

Cause

You must select a value from the list.

Affected Operating Systems

Operating systems on which the issue occurs. You must select at least one operating system.

Issue Description

Description of the issue, including the steps to reproduce the problem.

Link to More Information

URL for a page that shows more information about the issue.

+ +   + +**To edit an existing issue** + +1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application that includes the issue you want to modify. + +2. In the **<Application\_Name>** dialog box, click the **Issues** tab, and then double-click the specific issue to be edited. + +3. Modify the issue information, and then click **Save**. + + **Note**   + You can modify your own issues. You cannot modify issues entered by another user. + +   + +  + +  + + + + + diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md new file mode 100644 index 0000000000..4b145ad92f --- /dev/null +++ b/windows/plan/analyzing-your-compatibility-data.md @@ -0,0 +1,79 @@ +--- +title: Analyzing Your Compatibility Data (Windows 10) +description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). +ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Analyzing Your Compatibility Data + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md)

This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.

[Organizing Your Compatibility Data](organizing-your-compatibility-data.md)

This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM).

[Filtering Your Compatibility Data](filtering-your-compatibility-data.md)

You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.

[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)

The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. This process involves checking for updated compatibility information from Microsoft over the Internet. You can send and receive data to keep Application Compatibility Manager (ACM) updated with the latest compatibility information.

+ +  + +## Related topics + + +[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) + +[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) + +[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) + +[Fixing Compatibility Issues](fixing-compatibility-issues.md) + +  + +  + + + + + diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md new file mode 100644 index 0000000000..1700305f86 --- /dev/null +++ b/windows/plan/application-dialog-box.md @@ -0,0 +1,125 @@ +--- +title: Application Dialog Box (Windows 10) +description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. +ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <Application> Dialog Box + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), the *<Application>* dialog box shows information about the selected application. + +**To open the <Application> dialog box** + +1. In ACM, in the **Quick Reports** pane, click **Analyze**. + +2. Under an operating system heading, click **Applications**. + +3. Double-click the name of an application. + +## Tabs in the <Application> dialog box + + +The following table shows the information available in the *<Application>* dialog box. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TabInformation

Assessment

Shows the compatibility ratings for the application from the application vendor, your internal organization, and the ACT Community.

+

For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).

Issues

For each issue associated with the selected application, shows:

+
    +
  • The issue status, either active (a red X) or resolved (a green check mark).

  • +
  • The provider who created the record of the issue.

  • +
  • The severity of the issue as entered by the provider.

  • +
  • The symptom of the issue as entered by the provider.

  • +
  • The date on which the issue was added to the ACT database.

  • +
+

For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md).

Application Properties

Shows the following properties for the selected application:

+
    +
  • MSI. Shows the installer name, vendor, version, language, and so on.

  • +
  • Add/Remove Programs. Shows the application name that appears in Control Panel, vendor, registry path, and string for uninstalling.

  • +
  • Shell. Shows the shortcuts for the application and where the shortcuts appear on the Start menu.

  • +
  • Registry. Shows the registry name for the application, registry path, file name, and so on.

  • +
  • Service Control Manager. Shows the entries in the Services console that correspond to the application.

  • +

Computers

Shows the following information for each of the computers that have the specified application installed:

+
    +
  • Computer name, domain, and operating system.

  • +
  • Media Access Control (MAC) address for the computer.

  • +
  • Manufacturer of the computer.

  • +

Labels

Shows the label for the selected application.

+

For information about labels, see [Labeling Data in ACM](labeling-data-in-acm.md).

Feedback

Shows feedback that your testers have submitted to the ACT database for the selected application.

+ +  + +## Using the <Application> Dialog Box + + +In the **<Application>** dialog box, you can perform the following actions: + +- Select your compatibility rating for the application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). + +- Select your deployment status for the application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). + +- Assign categories and subcategories to the application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of the application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +- Choose whether to synchronize data for the application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). + +- Add, edit, or resolve an issue for the selected application, and add or edit solutions. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md). + +  + +  + + + + + diff --git a/windows/plan/applying-filters-to-data-in-the-sua-tool.md b/windows/plan/applying-filters-to-data-in-the-sua-tool.md new file mode 100644 index 0000000000..7f960b8cf6 --- /dev/null +++ b/windows/plan/applying-filters-to-data-in-the-sua-tool.md 
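Review bot: the heading "# <Application> Dialog Box" and the in-text "*<Application>*" and "**<Application>**" in application-dialog-box.md use an unescaped angle-bracket token; Markdown renderers treat "<Application>" as an inline HTML tag and drop it, so the page title will render as " Dialog Box". The other topics in this change avoid this by writing "<Application\_Name>" (the backslash makes it an invalid tag name, so it renders as text); escape here too, for example "\<Application>" or "&lt;Application&gt;". Separately, the Computers tab row lists computer name, domain and MAC address for every machine that has the application, and the Using section says application data can be synchronized with the Microsoft Compatibility Exchange; state here, or link to the topic that states, whether those computer identifiers are excluded from what is sent.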
@@ -0,0 +1,94 @@ +--- +title: Applying Filters to Data in the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. +ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Applying Filters to Data in the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you. + +**To apply filters to data in the SUA tool** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, in the SUA tool, click a tab that shows issues that the SUA tool has found. All tabs except the **App Info** tab can show issues. + +3. On the **Options** menu, click a command that corresponds to the filter that you want to apply. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Options menu commandDescription

Filter Noise

Filters noise from the issues.

+

This command is selected by default.

Load Noise Filter File

Opens the Open Noise Filter File dialog box, in which you can load an existing noise filter (.xml) file.

Export Noise Filter File

Opens the Save Noise Filter File dialog box, in which you can save filter settings as a noise filter (.xml) file.

Only Display Records with Application Name in StackTrace

Filters out records that do not have the application name in the stack trace.

+

However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.

Show More Details in StackTrace

Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.

Warn Before Deleting AppVerifier Logs

Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.

+

This command is selected by default.

Logging

Provides the following logging-related options:

+
    +
  • Show or hide log errors.

  • +
  • Show or hide log warnings.

  • +
  • Show or hide log information.

  • +
+

To maintain a manageable file size, we recommend that you do not select the option to show informational messages.

+ +   + +  + +  + + + + + diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md new file mode 100644 index 0000000000..bc5e40d571 --- /dev/null +++ b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md @@ -0,0 +1,235 @@ +--- +title: Available Data Types and Operators in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. +ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Available Data Types and Operators in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool provides a way to query your custom-compatibility databases. + +## Available Data Types + + +Customized-compatibility databases in Compatibility Administrator contain the following data types. + +- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. + +- **String**. A series of alphanumeric characters manipulated as a group. + +- **Boolean**. A value of True or False. + +## Available Attributes + + +The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionData type

APP_NAME

Name of the application.

String

DATABASE_GUID

Unique ID for your compatibility database.

String

DATABASE_INSTALLED

Specifies if you have installed the database.

Boolean

DATABASE_NAME

Descriptive name of your database.

String

DATABASE_PATH

Location of the database on your computer.

String

FIX_COUNT

Number of compatibility fixes applied to a specific application.

Integer

FIX_NAME

Name of your compatibility fix.

String

MATCH_COUNT

Number of matching files for a specific, fixed application.

Integer

MATCHFILE_NAME

Name of a matching file used to identify a specific, fixed application.

String

MODE_COUNT

Number of compatibility modes applied to a specific, fixed application.

Integer

MODE_NAME

Name of your compatibility mode.

String

PROGRAM_APPHELPTYPE

Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

Integer

PROGRAM_DISABLED

Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

Boolean

PROGRAM_GUID

Unique ID for an application.

String

PROGRAM_NAME

Name of the application that you are fixing.

String

+ +  + +## Available Operators + + +The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SymbolDescriptionData typePrecedence

>

Greater than

Integer or string

1

>=

Greater than or equal to

Integer or string

1

<

Less than

Integer or string

1

<=

Less than or equal to

Integer or string

1

<>

Not equal to

Integer or string

1

=

Equal to

Integer, string, or Boolean

1

HAS

A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

+
+Note   +

Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

+
+
+  +
+

Right-hand operand. String

1

OR

Logical OR operator

Boolean

2

AND

Logical AND operator

Boolean

2

+ +  + +## Related topics + + +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) + +  + +  + + + + + diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md new file mode 100644 index 0000000000..8ab55ac121 --- /dev/null +++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md 
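Review bot: the operator table in available-data-types-and-operators-in-compatibility-administrator.md gives OR and AND the same precedence (2) and never says whether precedence 1 or 2 binds tighter, so a query such as PROGRAM_DISABLED = True OR FIX_COUNT > 0 AND DATABASE_INSTALLED = True has no defined meaning from this page. State the evaluation order (AND before OR, or strictly left to right) and whether parentheses are supported, since this decides which applications a query reports as fixed or disabled. Also, HAS is described as "A special SQL operator", but it belongs to this query builder rather than to standard SQL (which uses LIKE for substring matching); "A special operator" avoids sending readers to SQL references for it.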
@@ -0,0 +1,55 @@ +--- +title: Best practice recommendations for Windows To Go (Windows 10) +description: Best practice recommendations for Windows To Go +ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 +keywords: ["best practices, USB, device, boot"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Best practice recommendations for Windows To Go + + +**Applies to** + +- Windows 10 + +The following are the best practice recommendations for using Windows To Go: + +- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. + +- Do not insert the Windows To Go drive into a running computer. + +- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. + +- If available, use a USB 3.0 port with Windows To Go. + +- Do not install non-Microsoft core USB drivers on Windows To Go. + +- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. + +Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. 
+ +## More information + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + +  + +  + + + + + diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md new file mode 100644 index 0000000000..637af36069 --- /dev/null +++ b/windows/plan/categorizing-your-compatibility-data.md 
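Review bot: the BitLocker bullet in best-practice-recommendations-for-windows-to-go.md tells readers to suspend BitLocker before changing BIOS settings to boot from USB, but not why, so it reads as optional. Add that changing the boot configuration on a TPM-protected host can put the host into BitLocker recovery at its next start, and that the recovery key should be confirmed as backed up before the change; the Security and data protection considerations topic already listed under More information is the natural place to link for detail.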
@@ -0,0 +1,89 @@ +--- +title: Categorizing Your Compatibility Data (Windows 10) +ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Categorizing Your Compatibility Data + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites. By default, Microsoft provides the following categories: + +- **Software Vendor**. In this category, you can, for example, create a subcategory for each vendor. You can then use this category to generate reports by software vendor, which can be helpful when having discussions with a specific vendor or evaluating the vendor’s performance relative to your compatibility requirements. + +- **Test Complexity**. You can use this category to help with planning and assigning test resources. You can, for example, create subcategories like Critical and Nice-to-Have. + +Categories are extensible, multiple-selection string values, so you can use them for almost anything. For example, you can create a category for signoff from multiple owners so that software can be authorized only when all categories have been selected, indicating that each group has signed off. + +As another example, you can create a category for unit of deployment. You can use subcategories such as Division and Region. You can use this category to track the software needs of a specific deployment unit. This way, you can see when the software required by the unit has been tested, approved, and is ready for deployment to the unit. + +**Note**   +The following examples use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. 
You can also complete these procedures in the reports for computers, devices, and websites. + +  + +## Creating, Renaming, or Deleting Categories and Subcategories + + +You can manage your categories and subcategories from both the report screen and report-details screen. + +**To create, rename, or delete a category or subcategory** + +1. On the **<Operating\_System> - Application Report** screen, click any application name. + +2. On the **Actions** menu, click **Assign Categories**. + +3. Click **Category List**. + +4. In the **Categories** or **Subcategories** area, do any or all of the following: + + - Add a category or subcategory, by clicking **Add**. Type the name of your new category or subcategory, and then click outside the active text area. + + You must create at least one subcategory before a category will appear in the **Assign Categories** dialog box. + + - Rename a category or subcategory, by selecting the item and then clicking **Rename**. Type the new name, and then click outside the active text area. + + - Delete a category or subcategory, by selecting the item and then clicking **Remove**. + +5. After you have finished adding, renaming, and deleting categories and subcategories, click **OK** to close the **Category List** dialog box. + +## Assigning Data to a Category and Subcategory + + +You can assign categories and subcategories from both the report screen and report-details screen. + +**To assign and unassign categories and subcategories** + +1. On the **<Operating\_System> - Application Report** screen, click the application name. + +2. On the **Actions** menu, click **Assign Categories**. + +3. To assign a category, select the check box next to the applicable category or subcategory. + + To unassign a category, clear the check box. + +4. Click **OK**. + + You can use the query builder to filter based on this information. + +  + +  + + + + + 
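Review bot: the front matter of categorizing-your-compatibility-data.md has an empty "description:" value; every other new topic in this change fills it with the topic's opening sentence, and an empty value leaves this page without a summary in search results and the docs index. Use the first sentence, for example "To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites." The key order (ms.assetid before description) also differs from the other files in this change.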
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md new file mode 100644 index 0000000000..82a16df6da --- /dev/null +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md 
@@ -0,0 +1,54 @@ +--- +title: Change history for Plan for Windows 10 deployment (Windows 10) +description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Change history for Plan for Windows 10 deployment + + +This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## December 2015 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New | + +  + +## November 2015 + + +| New or changed topic | Description | +|--------------------------------------------------------------------------------------------------|-------------| +| [Chromebook migration guide](chromebook-migration-guide.md) | New | +| [Windows Update for Business](windows-update-for-business.md) (multiple topics) | New | +| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated | + +  + +## Related topics + + +[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) + +[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) + +[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) + +[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) + +  + +  + + + + + diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md new file mode 100644 index 0000000000..87c111f100 
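Review bot: `ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66` is uppercase while the categorizing-your-compatibility-data.md file added in the same patch uses a lowercase GUID; pick one casing for the new files so the ids stay consistent. Minor: the ` ` (non-breaking space) lines after each table and the trailing empty `+` lines at the end of the file are conversion leftovers and can be dropped.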
--- /dev/null +++ b/windows/plan/chromebook-migration-guide.md 
@@ -0,0 +1,962 @@ +--- +title: Chromebook migration guide (Windows 10) +description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA +keywords: ["migrate", "automate", "device"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Chromebook migration guide + + +**Applies to** + +- Windows 10 + +In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. + +## Plan Chromebook migration + + +Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. + +In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. + +## Plan for app migration or replacement + + +App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. 
+ +**Identify the apps currently in use on Chromebook devices** + +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). + +**Note**   +The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. + +  + +You can divide the apps into the following categories: + +- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. + +- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). + +Record the following information about each app in your app portfolio: + +- App name + +- App type (such as offline app, online app, web app, and so on) + +- App publisher or developer + +- App version currently in use + +- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) + +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. + +### + +**Select Google Apps replacements** + +Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. 
If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. + +Table 1. Google App replacements + +| If you use this Google app on a Chromebook | Use this app on a Windows device | +|--------------------------------------------|--------------------------------------| +| Google Docs | Word 2016 or Word Online | +| Google Sheets | Excel 2016 or Excel Online | +| Google Slides | PowerPoint 2016 or PowerPoint Online | +| Google Apps Gmail | Outlook 2016 or Outlook Web App | +| Google Hangouts | Microsoft Skype for Business | +| Chrome | Microsoft Edge | +| Google Drive | Microsoft OneDrive for Business | + +  + +It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. + +**Find the same or similar apps in the Windows Store** + +In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. + +In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. + +Record the Windows app that replaces the Chromebook app in your app portfolio. 
+ +### + +**Perform app compatibility testing for web apps** + +The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. + +Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. + +## Plan for migration of user and device settings + + +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. + +However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. + +In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. + +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. 
+ +**Identify Google Admin Console settings to migrate** + +You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. + +![figure 1](images/chromebook-fig1-googleadmin.png) + +Figure 1. Google Admin Console + +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 2. Settings in the Device Management node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + +
SectionSettings
Network

These settings configure the network connections for Chromebook devices and include the following settings categories:

+
    +
  • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

  • +
  • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

  • +
  • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

  • +
  • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

  • +
Mobile

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +
  • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

  • +
  • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

  • +
  • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

  • +
  • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

  • +
  • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

  • +
Chrome management

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

+
    +
  • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • +
  • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

  • +
  • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • +
  • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

  • +
  • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

  • +
+ +  + +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + +Table 3. Settings in the Security node in the Google Admin Console + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SectionSettings

Basic settings

These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

+

Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

Password monitoring

This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

API reference

This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

Set up single sign-on (SSO)

This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

Advanced settings

This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

+ +  + +**Identify locally-configured settings to migrate** + +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). + +![figure 2](images/fig2-locallyconfig.png) + +Figure 2. Locally-configured settings on Chromebook + +Table 4. Locally-configured settings + +| Section | Settings | +|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | +| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | +| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. 
| +| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | +| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. | +| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | +| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | +| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. 
| +| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | +| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | +| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | +| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | +| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | +| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. 
| +| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | + +  + +Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. + +Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration. + +**Prioritize settings to migrate** + +After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. + +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. + +## Plan for email migration + + +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. + +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). 
+ +**Identify the list of user mailboxes to migrate** + +In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. + +Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. + +Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](http://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. + +**Identify companion devices that access Google Apps Gmail** + +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. + +After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. 
+ +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690254). + +**Identify the optimal timing for the migration** + +Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. + +Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. + +## Plan for cloud storage migration + + +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. + +In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. + +**Identify cloud storage services currently in use** + +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. 
For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: + +- Name of the cloud storage service + +- Cloud storage service vendor + +- Associated licensing costs or fees + +- Approximate storage currently in use per user + +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. + +**Optimize cloud storage services migration plan** + +Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. + +Consider the following to help optimize your cloud storage services migration plan: + +- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. + +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. + +- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. + +Record your optimization changes in your cloud storage services migration plan. 
+ +## Plan for cloud services migration + + +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. + +In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. + +### + +**Identify cloud services currently in use** + +You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: + +- Cloud service name + +- Cloud service provider + +- Number of users that use the cloud service + +**Select cloud services to migrate** + +One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. + +Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: + +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. 
For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. + +- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. + +- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services. + +- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). + +Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. + +**Prioritize cloud services** + +After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. 
+ +Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. + +Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. + +### + +**Select cloud services migration strategy** + +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. + +Consider the following when you create your cloud services migration strategy: + +- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. + +- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. + +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. 
In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. + +- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. + +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. + +- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. + +## Plan for Windows device deployment + + +You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. 
+ +In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. + +### + +**Select a Windows device deployment strategy** + +What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. + +For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: + +- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. + +- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. + +- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. 
+ +- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. + +- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. + + If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + +Record the combination of Windows device deployment strategies that you selected. + +### + +**Plan for AD DS and Azure AD services** + +The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. + +In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. + +Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). 
If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. + +Table 5. Select on-premises AD DS, Azure AD, or hybrid + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
If you plan to...On-premises AD DSAzure ADHybrid
Use Office 365XX
Use Intune for managementXX
Use System Center 2012 R2 Configuration Manager for managementXX
Use Group Policy for managementXX
Have devices that are domain-joinedXX
Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
+ +  + +### + +**Plan device, user, and app management** + +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. + +Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. + +Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. + +Table 6. Device, user, and app management products and technologies + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
Deploy operating system imagesXXX
Deploy apps during operating system deploymentXXX
Deploy apps after operating system deploymentXXX
Deploy software updates during operating system deploymentXX
Deploy software updates after operating system deploymentXXXXX
Support devices that are domain-joinedXXXXX
Support devices that are not domain-joinedXXX
Use on-premises resourcesXXXX
Use cloud-based servicesX
+ +  + +You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. + +Record the device, user, and app management products and technologies that you selected. + +### + +**Plan network infrastructure remediation** + +In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. + +Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: + +- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. + + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + +- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. + + If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. 
+ +- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. + +- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. + + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. + + For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: + + - [Chromebook vs. Windows Notebook Network Traffic Analysis](http://go.microsoft.com/fwlink/p/?LinkId=690255) + + - [Hidden Cost of Chromebook Deployments](http://go.microsoft.com/fwlink/p/?LinkId=690256) + + - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](http://go.microsoft.com/fwlink/p/?LinkId=690257) + +- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. + + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
+ +At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. + +## Perform Chromebook migration + + +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. + +In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. + +You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. + +## Perform network infrastructure remediation + + +The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. + +It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. + +Table 7. Network infrastructure products and technologies and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
DHCP
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [DHCP Deployment Guide](http://go.microsoft.com/fwlink/p/?LinkId=734021)

  • +
DNS
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [Deploying Domain Name System (DNS)](http://go.microsoft.com/fwlink/p/?LinkId=734022)

  • +
+ +  + +If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. + +## Perform AD DS and Azure AD services deployment or remediation + + +It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. + +In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. + +Table 8. AD DS, Azure AD and deployment resources + + ++++ + + + + + + + + + + + + + + + + +
Product or technologyResources
AD DS
    +
  • [Core Network Guide](http://go.microsoft.com/fwlink/p/?LinkId=733920)

  • +
  • [Active Directory Domain Services Overview](http://go.microsoft.com/fwlink/p/?LinkId=733909)

  • +
Azure AD
    +
  • [Azure Active Directory documentation](http://go.microsoft.com/fwlink/p/?LinkId=690258)

  • +
  • [Manage and support Azure Active Directory Premium](http://go.microsoft.com/fwlink/p/?LinkId=690259)

  • +
  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](http://go.microsoft.com/fwlink/p/?LinkId=690260)

  • +
+ +  + +If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Prepare device, user, and app management systems + + +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. + +Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. + +Table 9. Management systems and deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Windows provisioning packages
    +
  • [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918)

  • +
  • [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)

  • +
  • [Step-By-Step: Building Windows 10 Provisioning Packages](http://go.microsoft.com/fwlink/p/?LinkId=690261)

  • +
Group Policy
    +
  • [Core Network Companion Guide: Group Policy Deployment](http://go.microsoft.com/fwlink/p/?LinkId=733915)

  • +
  • [Deploying Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=734024)

  • +
Configuration Manager
    +
  • [Site Administration for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733914)

  • +
  • [Deploying Clients for System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733919)

  • +
Intune
    +
  • [Set up and manage devices with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=690262)

  • +
  • [Smoother Management Of Office 365 Deployments with Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690263)

  • +
  • [System Center 2012 R2 Configuration Manager & Windows Intune](http://go.microsoft.com/fwlink/p/?LinkId=690264)

  • +
MDT
    +
  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324)

  • +
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265)

  • +
+ +  + +If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform app migration or replacement + + +In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. + +In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. + +Table 10. Management systems and app deployment resources + + ++++ + + + + + + + + + + + + + + + + + + + + +
Management systemResources
Group Policy
    +
  • [Editing an AppLocker Policy](http://go.microsoft.com/fwlink/p/?LinkId=734025)

  • +
  • [Group Policy Software Deployment Background](http://go.microsoft.com/fwlink/p/?LinkId=734026)

  • +
  • [Assigning and Publishing Software](http://go.microsoft.com/fwlink/p/?LinkId=734027)

  • +
Configuration Manager
    +
  • [How to Deploy Applications in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733917)

  • +
  • [Application Management in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733907)

  • +
Intune
    +
  • [Deploy apps to mobile devices in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733913)

  • +
  • [Manage apps with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=733910)

  • +
+ +  + +If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + +## Perform migration of user and device settings + + +In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. + +Perform the user and device setting migration by using the following steps: + +1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). + +2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. + +3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. + +4. Verify that all higher-priority user and device settings have been configured in your management system. + +If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. + +## Perform email migration + + +In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. 
+ +Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + +Alternatively, if you want to migrate to Office 365 from: + +- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: + + - [Cutover Exchange Migration and Single Sign-On](http://go.microsoft.com/fwlink/p/?LinkId=690266) + + - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690267) + + - [Step-By-Step: Migrating from Exchange 2007 to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690268) + +- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. + +## Perform cloud storage migration + + +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. + +Manually migrate the cloud storage migration by using the following steps: + +1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. + +2. Sign in as the user in the Google Drive app. + +3. Sign in as the user in the OneDrive for Business or OneDrive app. + +4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. + +5. Optionally uninstall the Google Drive app. + +There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. 
For more information about these automated migration tools, contact the vendors. + +## Perform cloud services migration + + +In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. + +Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. + +There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. + +## Perform Windows device deployment + + +In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. + +For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. + +In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. 
For information on how to deploy Windows 10 images to the devices, see the following resources: + +- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) + +- [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918) + +- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324) + +- [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265) + +- [Operating System Deployment in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733916) + +In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: + +- Enroll the device with your management system. + +- Ensure that Windows Defender is enabled and configured to receive updates. + +- Ensure that Windows Update is enabled and configured to receive updates. + +- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). + +After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. + +## Related topics + + +[Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254) + +[Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255) + +  + +  + + + + + diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md new file mode 100644 index 0000000000..e9feba9487 --- /dev/null +++ b/windows/plan/common-compatibility-issues.md 
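Review bot: The hybrid directory paragraph under "Plan for AD DS and Azure AD services" ("your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions") overstates both what is synchronized and the direction: Azure AD Connect password hash synchronization sends a salted hash of the on-premises password hash, never the password itself, and the default flow is one-way from on-premises AD DS to Azure AD, with writeback of selected attributes (password writeback, for example) an optional, separately enabled feature. Suggest "synchronized with Azure AD (a hash of each password hash is included)" and "synchronized from on-premises AD DS to Azure AD; writeback of selected attributes can be enabled", so readers do not assume cloud-side changes flow back into the on-premises directory by default. The empty `###` lines followed by bold pseudo-headings (for example `### ` then `**Identify cloud services currently in use**`, and likewise before `**Select cloud services migration strategy**`, `**Plan device, user, and app management**` and `**Plan network infrastructure remediation**`) render as blank headings, and the in-page links that point at them (`#identify-cloud-services-inuse`, `#plan-userdevapp-manage`, `#select-windows-device-deploy`, `#plan-adservices`) have no heading text to resolve to; make the bold text the heading text. Wording fixes: "ensure that your use only the cloud storage services resources" should read "you use"; "(such Google Apps, Google Apps Gmail, and Google Drive)" is missing "as"; "overlap the user of existing and new cloud services" should be "use"; "the first teachers, facility, or students" should be "faculty"; "Table 8 list AD DS" should be "lists"; "If you do no want to migrate" should be "do not"; "(#plan-cloud-services)section" needs a space; "The other migration task that you designed ... have already been performed" should be "tasks"; and "Manually migrate the cloud storage migration by using the following steps" reads better as "Perform the cloud storage migration manually by using the following steps".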
@@ -0,0 +1,57 @@ +--- +title: Common Compatibility Issues (Windows 10) +ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Common Compatibility Issues + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Compatibility issues tend to occur with the following technologies: + +- **User Account Control (UAC)**: Adds security to Windows by limiting administrator-level access to the computer, restricting most users to running as Standard Users. UAC limits the context in which a process executes to minimize the ability of the user to inadvertently expose the computer to viruses or other malware. UAC affects any application installer or update that requires Administrator permissions to run, performs Administrator checks or actions, or attempts to write to a non-virtualized registry location. + +- **Windows Resource Protection (WRP)**: Enables applications to function properly even if an application attempts to write to protected system files or registry locations. WRP creates a temporary work area and redirects write actions for the application session. WRP affects any application installation that attempts to replace, modify, or delete protected operating system files or registry keys. Attempts typically fail and return an Access Denied error. + +- **Internet Explorer Protected Mode**: Helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local-computer-zone resources other than temporary Internet files. This mode affects any website or web application that attempts to modify user files or registry keys or that attempts to open a new window in another domain. 
+ +- **Deprecation**: Any application that uses .dll files, executable (.exe) files, COM objects, registry keys, APIs, or other files that have been deprecated from previous versions of Windows may lose functionality or fail to start. + +- **Graphical Identification and Authentication (GINA) DLL**: Prior to the release of Windows Vista, independent software vendors (ISVs) were able to modify authentication by installing a GINA DLL. The GINA DLL performed the user identification and authentication. + + The current authentication model does not require the GINA DLL and ignores all previous GINA DLLs. This change affects any application or hardware component that attempts to log on by using customized logon applications, including biometric devices (fingerprint readers), customized user interfaces, and virtual private network (VPN) solutions for remote users with customized logon user interfaces. + +- **Session 0**: Prior to the release of Windows Vista, the first user who logged on to a computer ran in Session 0, which is the same session that is used for system services. The current model requires all users to run in Session 1 or later so that no user runs in the same session as the system services. Applications will fail to start if they depend on *interactive services*. An interactive service is any service that attempts to send a window message, attempts to locate a window or additional service, or attempts to run any user processes that open the same named object, unless it is a globally named object. + +- **Windows Filtering Platform (WFP)**: WFP is an API that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of the WFP API in your environment, you might experience failures when running network-scanning, antivirus, or firewall applications. 
+ +- **Operating System Version Changes**: The operating system version number changes with each operating system release. The **GetVersion** function returns the version number when queried by an application. This change affects any application or application installer that specifically checks for the operating system version and might prevent the installation from occurring or the application from running. + +- **Windows 64-bit**: 64-bit versions of Windows use the Windows on Windows 64 (WOW64) emulator. This emulator enables the 64-bit operating system to run 32-bit applications. The use of this emulator might cause an application or a component that uses 16-bit executables or installers, or 32-bit kernel drivers, to fail to start or to function incorrectly. + +## Related topics + + +[Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md) + +  + +  + + + + + diff --git a/windows/plan/compatibility-administrator-users-guide.md b/windows/plan/compatibility-administrator-users-guide.md new file mode 100644 index 0000000000..06246f50b6 --- /dev/null +++ b/windows/plan/compatibility-administrator-users-guide.md 
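Review bot: the front matter of this new file leaves `description:` empty while `title` and `ms.assetid` are filled in; give it a one-sentence value (the lead sentence "Compatibility issues tend to occur with the following technologies" would do) so the topic index and search snippets for the page are not blank. In the body, the **Windows Resource Protection (WRP)** bullet first says WRP "Enables applications to function properly even if an application attempts to write to protected system files or registry locations" and then that such attempts "typically fail and return an Access Denied error"; the two sentences read as contradictory, so state explicitly which write attempts are redirected to the temporary work area and which are denied outright. Minor: the list and "Related topics" section end in `+` lines holding only whitespace, as in the previous file; trim them.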
@@ -0,0 +1,79 @@ +--- +title: Compatibility Administrator User's Guide (Windows 10) +ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Compatibility Administrator User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: + +- Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. + +- Tools for creating customized compatibility fixes, compatibility modes, AppHelp messages, and compatibility databases. + +- A query tool that you can use to search for installed compatibility fixes on your local computers. + +The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages. + +![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg) + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications. + +  + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)

This section provides information about using the Compatibility Administrator tool.

[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)

This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.

[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)

You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.

+ +  + +  + +  + + + + + diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md new file mode 100644 index 0000000000..9abe28e94d --- /dev/null +++ b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md 
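Review bot: `description:` is again empty in the front matter of this new file; fill it in, for example from the lead sentence "The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization." The "In this section" table is authored as raw HTML (the `++++` column stubs followed by a Topic/Description cell layout) while the rest of this file uses Markdown headings and bullets; a two-column Markdown table, or a plain list of the three links with their one-line summaries, would render consistently and not depend on HTML passthrough in the docs build. The **Important** note on 32-bit versus 64-bit databases is the one thing a deployer must not miss here, so consider moving it above the flowchart rather than below it.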
@@ -0,0 +1,174 @@ +--- +title: Compatibility Fix Database Management Strategies and Deployment (Windows 10) +ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Compatibility Fix Database Management Strategies and Deployment + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches: + +- Deploying your compatibility fixes as part of an application-installation package. + +- Deploying your compatibility fixes through a centralized compatibility-fix database. + +Regardless of which approach you decide to use in your organization, Microsoft provides the following general recommendations for improving the management of your custom compatibility-fix databases: + +- **Define standards for when you will apply compatibility fixes.** + + You must define the standards and scenarios for using compatibility fixes, based on your specific business and technology needs. + +- **Define standards for your custom compatibility-fix databases.** + + You must define how to associate your compatibility fixes to particular applications. For example, you might want to ensure that your compatibility fixes always include a version check, so that a fix will not be applied to newer versions of your applications. + +- **Define your resources responsible for addressing questions and enforcing your standards.** + + You must determine who will be responsible for staying current with the technology and standards related to your compatibility fixes and custom compatibility-fix databases. 
As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. + +## Strategies for Deploying Your Compatibility Fixes + + +We recommend that you use one of two strategies to deploy your compatibility fixes into your organization. They are: + +- Deploying your compatibility fixes as part of an application-installation package. + +- Deploying your compatibility fixes through a centralized compatibility-fix database. + +You must determine which method best meets your organization's deployment needs. + +### Deploying Fixes as Part of an Application-Installation Package + +One strategy for deploying compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. + +If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section. + +- **How many applications require compatibility fixes?** + + Custom compatibility-fix databases are actual databases. Therefore, if you have 1000 applications to be fixed, it will take longer to open and query 1000 single-row databases for a match, instead of a single database with 1000 rows. + +- **Will you be able to track which applications are installed on which computer?** + + You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the additional issues. 
If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. + +### Deploying Fixes Through a Centralized Compatibility-Fix Database + +The other recommended strategy for deploying compatibility fixes into your organization is to create and manage either a single custom compatibility-fix database, or else to create and manage several custom databases for large subsets of your organization. This strategy will help to enforce your company policy and to provide consistent updates for application fixes that you discover later. + +This approach tends to work best for organizations that have a well-developed deployment infrastructure in place, with centralized ownership of the process. We recommend that you consider the following before using this approach: + +- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the effected computers? + + If you intend to manage a centralized compatibility-fix database, you must verify that your organization has the required tools to deploy and update all of the affected computers in your organization. + +- Do you have centralized resources that can manage and update the centralized compatibility-fix database? + + You must ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. + +### Merging Centralized Compatibility-Fix Databases + +If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. 
This enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. + +**To merge your custom-compatibility databases** + +1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. + +2. If the tester determines that an application requires an additional compatibility fix that is not a part of the original compatibility-fix database, he or she must create a new custom compatibility database with all of the required information for that single fix. For example, Custom DB2. + +3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. + +4. After the application passes all of the required functionality and integration tests, the tester can send Custom DB2 to the team that manages the central compatibility-fix database. + +5. The team that manages the centralized database opens Custom DB1 and uses the Compatibility Administrator to include the new compatibility fixes that were included in Custom DB2. + + **Note**   + Custom DB1 contains a unique GUID that makes updating the database easier. For example, if you install a new version of the custom compatibility-fix database that uses the same GUID as the previous version, the computer will automatically uninstall the old version. + +   + +6. The centralized management team then redeploys the new version of Custom DB1 to all of the end users in your organization. + +### Deploying Your Custom Compatibility-Fix Databases + +Deploying your custom compatibility-fix database into your organization requires you to perform the following actions: + +1. 
Store your custom compatibility-fix database (.sdb file) in a location that is accessible to all of your organization’s computers. + +2. Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally. + +In order to meet the two requirements above, we recommend that you use one of the following two methods: + +- **Using a Windows Installer package and a custom script** + + You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization. + + **Important**   + You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: + +   + + ``` syntax + msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal) + ``` + +- **Using a network share and a custom script** + +You can store your .sdb file on your network share and then call to a script that resides on your specified computers. + +**Important**   +You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. + +  + +### Example Script for an Installation of the .sdb File based on an .msi File + +The following examples show an installation of a custom compatibility-fix database based on an .msi file. 
+ +``` syntax +'InstallSDB.vbs +Function Install +Dim WshShell +Set WshShell = CreateObject("WScript.Shell") +WshShell.Run "sdbinst.exe -q " & CHR(34) & "%ProgramFiles%\MyOrganizationSDB\MyOrg.sdb" & CHR(34), 0, true +WshShell.Run "cmd.exe /c " & CHR(34) & "del " & CHR(34) & "%ProgramFiles%\MyOrganizationSDB\MyOrg.sdb" & CHR(34) & CHR(34), 0 +WshShell.Run "reg.exe delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{guidFromMyOrgsSdb}.sdb /f", 0 +End Function + +Function UnInstall +Dim WshShell +Set WshShell = CreateObject("WScript.Shell") +WshShell.Run "sdbinst.exe -q -u -g {guidFromMyOrgsSdb}", 0 +End Function +``` + +### Initial Deployment and Updates + +Most of your testing of application-compatibility issues will happen prior to the deployment of a new Windows operating system into your environment. As such, a common approach is to include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Then, as you update your compatibility-fix database, you can provide the updates by using one of the two mechanisms described in the "Deploying Your Custom Compatibility Fix Databases" section earlier in this topic. + +## Related topics + + +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) + +  + +  + + + + + diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md new file mode 100644 index 0000000000..1efec32cb1 --- /dev/null +++ b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md 
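Review bot: the example `InstallSDB.vbs` in "Example Script for an Installation of the .sdb File based on an .msi File" needs explanatory text, because as written the reader cannot tell why the `Install` function deletes the `.sdb` copy under `%ProgramFiles%\MyOrganizationSDB` immediately after `sdbinst.exe -q` and then runs `reg.exe delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{guidFromMyOrgsSdb}.sdb /f`; state that the registry deletion removes the database's entry from Programs and Features, which leaves the `UnInstall` function (`sdbinst.exe -q -u -g {guidFromMyOrgsSdb}`) as the only supported removal path, and that `{guidFromMyOrgsSdb}` must be replaced by the GUID of the organization's own database. The same section should also carry the safeguard implied by "Using a network share and a custom script": because the startup script installs the `.sdb` with elevated rights on every targeted computer, the share and the `.sdb` file must be writable only by the owners of the deployment process, and the text should say so next to the existing **Important** note. Smaller fixes in the same hunk: "for all of the effected computers" should read "affected computers"; the custom action type note ends with an unmatched parenthesis in `= 0x0C06 = 3078 decimal)`; the body of the second bullet, "You can store your .sdb file on your network share ...", is not indented under "**Using a network share and a custom script**" and so renders as a top-level paragraph, unlike the first bullet; and the cross-reference to the "Deploying Your Custom Compatibility Fix Databases" section does not match the heading "Deploying Your Custom Compatibility-Fix Databases". Finally, `description:` is empty in the front matter here too.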
@@ -0,0 +1,1022 @@ +--- +title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) +description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. +ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. + +**Important**   +The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version. + +If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account. + +  + +## Compatibility Fixes + + +The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FixFix Description

8And16BitAggregateBlts

Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.

8And16BitDXMaxWinMode

Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.

8And16BitGDIRedraw

This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.

AccelGdipFlush

This fix increases the speed of GdipFlush, which has perf issues in DWM.

AoaMp4Converter

This fix resolves a display issue for the AoA Mp4 Converter.

BIOSRead

This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

+

The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \\Device\Physical memory information..

BlockRunasInteractiveUser

This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings.

+

The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

+
+Note   +

For more detailed information about this application fix, see [Using the BlockRunAsInteractiveUser Fix](http://go.microsoft.com/fwlink/p/?LinkId=690328).

+
+
+  +

ChangeFolderPathToXPStyle

This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

+

The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

ClearLastErrorStatusonIntializeCriticalSection

This fix is indicated when an application fails to start.

+

The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.

CopyHKCUSettingsFromOtherUsers

This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

+

The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

+

You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

+
+Note   +

For more detailed information about this application fix, see [Using the CopyHKCUSettingsFromOtherUsers Fix](http://go.microsoft.com/fwlink/p/?LinkId=690329).

+
+
+  +

CorrectCreateBrushIndirectHatch

The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.

+

The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.

CorrectFilePaths

The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

+

The fix modifies the file path names to point to a new location on the hard disk.

+
+Note   +

For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](http://go.microsoft.com/fwlink/p/?LinkId=690330). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

+
+
+  +

CorrectFilePathsUninstall

This problem occurs when an uninstalled application leaves behind files, directories, and links.

+

The fix corrects the file paths that are used by the uninstallation process of an application.

+
+Note   +

For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](http://go.microsoft.com/fwlink/p/?LinkId=690331). We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

+
+
+  +

CorrectShellExecuteHWND

This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

+

The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

+
+Note   +

For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](http://go.microsoft.com/fwlink/p/?LinkId=690332).

+
+
+  +

CustomNCRender

This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.

DelayApplyFlag

This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.

+

You can control this fix further by typing the following command at the command prompt:

+

DLL_Name;Flag_Type;Hexidecimal_Value

+

Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64-bits long.

+
+Note   +

The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().

+
+
+  +

DeprecatedServiceShim

The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

+

The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.

+

You can control this fix further by typing the following command at the command prompt:

+

Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2

+

Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

+
+Note   +

If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

+
+
+  +
+
+Note   +

You can separate multiple entries with a forward slash (/).

+
+
+  +

DirectXVersionLie

This problem occurs when an application fails because it does not find the correct version number for DirectX®.

+

The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

+

You can control this fix further by typing the following command at the command prompt:

+

MAJORVERSION.MINORVERSION.LETTER

+

For example, 9.0.c.

DetectorDWM8And16Bit

This fix offeres mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .

Disable8And16BitD3D

This fix improves performance of 8/16-bit color applications that render using D3D and do not mix directdraw.

Disable8And16BitModes

This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.

DisableDWM

The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

+

The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

+
+Note   +

For more detailed information about this application fix, see [Using the DisableDWM Fix]( http://go.microsoft.com/fwlink/p/?LinkId=690334).

+
+
+  +

DisableFadeAnimations

The problem is indicated when an application fade animations, buttons, or other controls do not function properly.

+

The fix disables the fade animations functionality for unsupported applications.

DisableThemeMenus

The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.

+

The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

DisableWindowsDefender

The fix disables Windows Defender for security applications that do not work with Windows Defender.

DWM8And16BitMitigation

The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

DXGICompat

The fix allows application-specific compatibility instructions to be passed to the DirectX engine.

DXMaximizedWindowedMode

Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.

ElevateCreateProcess

The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

+

The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.

+
+Note   +

For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](http://go.microsoft.com/fwlink/p/?LinkId=690335).

+
+
+  +

EmulateOldPathIsUNC

The problem occurs when an application fails because of an incorrect UNC path.

+

The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows. 

EmulateGetDiskFreeSpace

The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

+

The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

+
+Note   +

For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](http://go.microsoft.com/fwlink/p/?LinkId=690336).

+
+
+  +

EmulateSorting

The problem occurs when an application experiences search functionality issues.

+

The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

+
+Note   +

For more detailed information about this e application fix, see [Using the EmulateSorting Fix](http://go.microsoft.com/fwlink/p/?LinkId=690337).

+
+
+  +

EmulateSortingWindows61

The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

EnableRestarts

The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

+

The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

+
+Note   +

For more detailed information about this application fix, see [Using the EnableRestarts Fix](http://go.microsoft.com/fwlink/p/?LinkId=690338).

+
+
+  +

ExtraAddRefDesktopFolder

The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

+

The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

FailObsoleteShellAPIs

The problem occurs when an application fails because it generated deprecated API calls.

+

The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

+
+Note   +

You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

+
+
+  +

FailRemoveDirectory

The problem occurs when an application uninstallation process does not remove all of the application files and folders.

+

This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line.  Only a single path is supported.  The path can contain environment variables, but must be an exact path – no partial paths are supported.

+

The fix can resolve an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.

FakeLunaTheme

The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

+

The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

+
+Note   +

For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](http://go.microsoft.com/fwlink/p/?LinkId=690339).

+
+
+  +

FlushFile

This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.

+

The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.

FontMigration

The fix replaces an application-requested font with a better font selection, to avoid text truncation.

ForceAdminAccess

The problem occurs when an application fails to function during an explicit administrator check.

+

The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.

+
+Note   +

For more detailed information about this application fix, see [Using the ForceAdminAccess Fix](http://go.microsoft.com/fwlink/p/?LinkId=690342).

+
+
+  +

ForceInvalidateOnClose

The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.

ForceLoadMirrorDrvMitigation

The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

FreestyleBMX

The fix resolves an application race condition that is related to window message order.

GetDriveTypeWHook

The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.

+

The fix changes GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly-formed file path when it tries to retrieve the drive type on which the file path exists.

GlobalMemoryStatusLie

The problem is indicated by a Computer memory full error message that displays when you start an application.

+

The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.

HandleBadPtr

The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

+

The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the additional parameter validation.

HandleMarkedContentNotIndexed

The problem is indicated by an application that fails when it changes an attribute on a file or directory.

+

The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

HeapClearAllocation

The problem is indicated when the allocation process shuts down unexpectedly.

+

The fix uses zeros to clear out the heap allocation for an application.

IgnoreAltTab

The problem occurs when an application fails to function when special key combinations are used.

+

The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

+
+Note   +

For more detailed information about this application fix, see [Using the IgnoreAltTab Fix](http://go.microsoft.com/fwlink/p/?LinkId=690343).

+
+
+  +

IgnoreChromeSandbox

The fix allows Google Chrome to run on systems that have ntdll loaded above 4GB.

IgnoreDirectoryJunction

The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

+

The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW and FindFirstFileA APIs to prevent them from returning directory junctions.

+
+Note   +

Symbolic links appear starting in Windows Vista.

+
+
+  +

IgnoreException

The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

+

The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

+

You can control this fix further by typing the following command at the command prompt:

+

Exception1;Exception2

+

Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

+
+Important   +

You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience additional compatibility issues if you choose to incorrectly ignore an exception.

+
+
+  +
+
+Note   +

For more detailed information about this application fix, see [Using the IgnoreException Fix](http://go.microsoft.com/fwlink/p/?LinkId=690344).

+
+
+  +

IgnoreFloatingPointRoundingControl

This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

+

Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.

IgnoreFontQuality

The problem occurs when application text appears to be distorted.

+

The fix enables color-keyed fonts to properly work with anti-aliasing.

IgnoreMessageBox

The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

+

The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

+
+Note   +

For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](http://go.microsoft.com/fwlink/p/?LinkId=690345).

+
+
+  +

IgnoreMSOXMLMF

The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

+

The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.

IgnoreSetROP2

The fix ignores read-modify-write operations on the desktop to avoid performance issues.

InstallComponent

The fix prompts the user to install.Net 3.5 or .Net 2.0 because .Net is not included with Windows 8.

LoadLibraryRedirect

The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.

LocalMappedObject

The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

+

The fix intercepts the function call to create the object and replaces the word Global with Local.

+
+Note   +

For more detailed information about this application fix, see [Using the LocalMappedObject Fix](http://go.microsoft.com/fwlink/p/?LinkId=690346).

+
+
+  +

MakeShortcutRunas

The problem is indicated when an application fails to uninstall because of access-related errors.

+

The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

+
+Note   +

For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix]( http://go.microsoft.com/fwlink/p/?LinkId=690347)

+
+
+  +

ManageLinks

The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.

MirrorDriverWithComposition

The fix allows mirror drivers to work properly with acceptable performance with desktop composition.

MoveToCopyFileShim

The problem occurs when an application experiences security access issues during setup.

+

The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.

OpenDirectoryAcl

The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

+

The fix reduces the security privilege levels on a specified set of files and folders.

+
+Note   +

For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](http://go.microsoft.com/fwlink/p/?LinkId=690348).

+
+
+  +

PopCapGamesForceResPerf

The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.

PreInstallDriver

The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.

PreInstallSmarteSECURE

The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.

ProcessPerfData

The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

+

The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

+
+Note   +

This issue seems to occur most frequently with .NET applications.

+
+
+  +

PromoteDAM

The fix registers an application for power state change notifications.

PropagateProcessHistory

The problem occurs when an application incorrectly fails to apply an application fix.

+

The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.

ProtectedAdminCheck

The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

+

The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.

RedirectCRTTempFile

The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

RedirectHKCUKeys

The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

+

The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

RedirectMP3Codec

This problem occurs when you cannot play MP3 files.

+

The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.

RedirectShortcut

The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

+

The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

+
    +
  • Start Menu shortcuts: Appear in the \\ProgramData\Microsoft\Windows\Start Menu directory for all users.

  • +
  • Desktop or Quick Launch shortcuts:You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

  • +
+

This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

+

You cannot apply this fix to an .exe file that includes a manifest and provides a runlevel.

RelaunchElevated

The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

+

The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

+
+Note   +

For more detailed information about this application fix, see [Using the RelaunchElevated Fix](http://go.microsoft.com/fwlink/p/?LinkId=690349).

+
+
+  +

RetryOpenSCManagerWithReadAccess

The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

+

The fix retries the call and requests a more restricted set of rights that include the following:

+
    +
  • SC_MANAGER_CONNECT

  • +
  • SC_MANAGER_ENUMERATE_SERVICE

  • +
  • SC_MANAGER_QUERY_LOCK_STATUS

  • +
  • STANDARD_READ_RIGHTS

    +
    +Note   +

    For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](http://go.microsoft.com/fwlink/p/?LinkId=690350).

    +
    +
    +  +
  • +

RetryOpenServiceWithReadAccess

The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

+

The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work

+
+Note   +

For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](http://go.microsoft.com/fwlink/p/?LinkId=690351).

+
+
+  +

RunAsAdmin

The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

+

The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.

+
+Note   +

For more detailed information about this application fix, see [Using the RunAsAdmin Fix](http://go.microsoft.com/fwlink/p/?LinkId=690353).

+
+
+  +

RunAsHighest

The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

+

The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

+
+Note   +

For more detailed information about this application fix, see [Using the RunAsHighest Fix](http://go.microsoft.com/fwlink/p/?LinkId=690355).

+
+
+  +

RunAsInvoker

The problem occurs when an application is not detected as requiring elevation.

+

The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

+
+Note   +

For more detailed information about this application fix, see [Using the RunAsInvoker Fix](http://go.microsoft.com/fwlink/p/?LinkId=690356).

+
+
+  +

SecuROM7

The fix repairs applications by using SecuROM7 for copy protection.

SessionShim

The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

+

At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (\). Or, you can choose not to include any parameters, so that all of the objects are modified.

+
+Important   +

Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

+
+
+  +
+
+Note   +

For more detailed information about this application fix, see [Using the SessionShim Fix](http://go.microsoft.com/fwlink/p/?LinkId=690358).

+
+
+  +

SetProtocolHandler

The fix registers an application as a protocol handler.

+

You can control this fix further by typing the following command at the command prompt:

+

Client;Protocol;App

+

Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

+
+Note   +

Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().

+
+
+  +

SetupCommitFileQueueIgnoreWow

The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

+

The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.

SharePointDesigner2007

The fix resolves an application bug that severely slows the application when it runs in DWM.

ShimViaEAT

The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

+

The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

+
+Note   +

For more information about this application fix, see [Using the ShimViaEAT Fix](http://go.microsoft.com/fwlink/p/?LinkId=690359).

+
+
+  +

ShowWindowIE

The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

+

The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.

SierraWirelessHideCDROM

The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.

Sonique2

The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.

SpecificInstaller

The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

+

The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

+
+Note   +

For more detailed information about this application fix, see [Using the SpecificInstaller Fix]( http://go.microsoft.com/fwlink/p/?LinkId=690361).

+
+
+  +

SpecificNonInstaller

The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

+

The fix flags the application to exclude it from detection by the GenericInstaller function.

+
+Note   +

For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](http://go.microsoft.com/fwlink/p/?LinkId=690363).

+
+
+  +

SystemMetricsLie

The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.

TextArt

The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.

TrimDisplayDeviceNames

The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.

UIPICompatLogging

The fix enables the logging of Windows messages from Internet Explorer and other processes.

UIPIEnableCustomMsgs

The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.

+

The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.

+

You can control this fix further by typing the following command at the command prompt:

+

MessageString1 MessageString2

+

Where MessageString1 and MessageString2 reflect the message strings that can pass.

+
+Note   +

Multiple message strings must be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](http://go.microsoft.com/fwlink/p/?LinkId=690365).

+
+
+  +

UIPIEnableStandardMsgs

The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.

+

The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.

+

You can control this fix further by typing the following command at the command prompt:

+

1055 1056 1069

+

Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

+
+Note   +

Multiple messages can be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](http://go.microsoft.com/fwlink/p/?LinkId=690367).

+
+
+  +

VirtualizeDeleteFileLayer

The fix virtualizes DeleteFile operations for applications that try to delete protected files.

VirtualizeDesktopPainting

This fix improves the performance of a number of operations on the Desktop DC while using DWM.

VirtualRegistry

The problem is indicated when a Component failed to be located error message displays when an application is started.

+

The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

+

For more detailed information about this application fix, see [Using the VirtualRegistry Fix](http://go.microsoft.com/fwlink/p/?LinkId=690368).

VirtualizeDeleteFile

The problem occurs when several error messages display and the application cannot delete files.

+

The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

+
+Note   +

For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](http://go.microsoft.com/fwlink/p/?LinkId=690369).

+
+
+  +

VirtualizeHKCRLite

The problem occurs when an application fails to register COM components at runtime.

+

The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

+

HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.

+

You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.

+

For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](http://go.microsoft.com/fwlink/p/?LinkId=690370).

VirtualizeRegisterTypeLib

The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

+
+Note   +

For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](http://go.microsoft.com/fwlink/p/?LinkId=690371).

+
+
+  +

WaveOutIgnoreBadFormat

This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.

+

The fix enables the application to ignore the format error and continue to function properly.

WerDisableReportException

The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.

Win7RTM/Win8RTM

The layer provides the application with Windows 7/Windows 8 compatibility mode.

WinxxRTMVersionLie

The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.

+

All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.

Wing32SystoSys32

The problem is indicated by an error message that states that the WinG library was not properly installed.

+

The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

+
+Important   +

The application must have Administrator privileges for this fix to work.

+
+
+  +

WinSrv08R2RTM

WinXPSP2VersionLie

The problem occurs when an application experiences issues because of a VB runtime DLL.

+

The fix forces the application to follow these steps:

+
    +
  1. Open the Compatibility Administrator, and then select None for Operating System Mode.

  2. +
  3. On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.

    +

    The Options for <fix_name> dialog box appears.

  4. +
  5. Type vbrun60.dll into the Module Name box, click Include, and then click Add.

  6. +
  7. Save the custom database.

    +
    +Note   +

    For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](http://go.microsoft.com/fwlink/p/?LinkId=690374).

    +
    +
    +  +
  8. +

WRPDllRegister

The application fails when it tries to register a COM component that is released together with Windows Vista and later.

+

The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

+

You can control this fix further by typing the following command at the command prompt:

+

Component1.dll;Component2.dll

+

Where Component1.dll and Component2.dll reflect the components to be skipped.

+
+Note   +

For more detailed information about this application fix, see [Using the WRPDllRegister Fix](http://go.microsoft.com/fwlink/p/?LinkId=690375).

+
+
+  +

WRPMitigation

The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

+

The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

+
+Note   +

For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](http://go.microsoft.com/fwlink/p/?LinkId=690376).

+
+
+  +

WRPRegDeleteKey

The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.

+

The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.

XPAfxIsValidAddress

The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

+ +  + +## Compatibility Modes + + +The following table lists the known compatibility modes. + + +++++ + + + + + + + + + + + + + + + + + + + +
Compatibility Mode NameDescriptionIncluded Compatibility Fixes

WinSrv03

Emulates the Windows Server 2003 operating system.

    +
  • Win2k3RTMVersionLie

  • +
  • VirtualRegistry

  • +
  • ElevateCreateProcess

  • +
  • EmulateSorting

  • +
  • FailObsoleteShellAPIs

  • +
  • LoadLibraryCWD

  • +
  • HandleBadPtr

  • +
  • GlobalMemoryStatus2GB

  • +
  • RedirectMP3Codec

  • +
  • EnableLegacyExceptionHandlinginOLE

  • +
  • NoGhost

  • +
  • HardwareAudioMixer

  • +

WinSrv03Sp1

Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

    +
  • Win2K3SP1VersionLie

  • +
  • VirtualRegistry

  • +
  • ElevateCreateProcess

  • +
  • EmulateSorting

  • +
  • FailObsoleteShellAPIs

  • +
  • LoadLibraryCWD

  • +
  • HandleBadPtr

  • +
  • EnableLegacyExceptionHandlinginOLE

  • +
  • RedirectMP3Codec

  • +
  • HardwareAudioMixer

  • +
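Review bot: several entries in the compatibility-fixes.md hunk have broken Markdown or truncated text that will render incorrectly. The UIPIEnableStandardMsgs link text carries a stray `[act]` (`[Using the UIPIEnableStandardMsgs Fix [act]](http://go.microsoft.com/fwlink/p/?LinkId=690367)`); the MakeShortcutRunas and SpecificInstaller links have a space after `](` (`]( http://go.microsoft.com/fwlink/p/?LinkId=690347)`), which many Markdown renderers refuse as a link; the SessionShim paragraph says "double backslash (\)" but shows a single one; and the SetProtocolHandler note says "separate multiple clients by using a backslash ()" with the character missing. Typos to fix: "this e application fix" (EmulateSorting), "acompatibility fix" (ShimViaEAT), "install.Net 3.5" (InstallComponent), and the RetryOpenServiceWithReadAccess paragraph ends without a period ("The user needs to be an administrator for this to work"). WinSrv08R2RTM is listed with no description at all. From a security-documentation standpoint, IgnoreException carries an Important callout that the fix should only be used when ignoring the exception is acceptable, while the fixes that directly weaken a check carry no such caveat: ForceAdminAccess returns True during the administrator check, OpenDirectoryAcl "reduces the security privilege levels on a specified set of files and folders", and RunAsAdmin is "the equivalent of specifying requireAdministrator". Consider adding the same Important callout to those entries so readers see that the fix changes a security boundary rather than only compatibility behaviour.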
+ +  + +  + +  + + + + + diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md new file mode 100644 index 0000000000..f5b56c4858 --- /dev/null +++ b/windows/plan/compatibility-monitor-users-guide.md @@ -0,0 +1,71 @@ +--- +title: Compatibility Monitor User's Guide (Windows 10) +description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. +ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Compatibility Monitor User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)

The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. From the computers in your test environment, you can use Compatibility Monitor to submit compatibility information to the Application Compatibility Toolkit (ACT) database for your organization.

[Common Compatibility Issues](common-compatibility-issues.md)

Compatibility issues tend to occur with the following technologies:

+ +  + +## Related topics + + +[Deciding Which Applications to Test](deciding-which-applications-to-test.md) + +[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) + +[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) + +[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) + +  + +  + + + + + diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md new file mode 100644 index 0000000000..498f20d93c --- /dev/null +++ b/windows/plan/computer-dialog-box.md @@ -0,0 +1,108 @@ +--- +title: Computer Dialog Box (Windows 10) +description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer. +ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <Computer> Dialog Box + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), the *<Computer>* dialog box shows information about the selected computer. + +**To open the <Computer> dialog box** + +1. In ACM, in the **Quick Reports** pane, click **Analyze**. + +2. Under an operating system heading, click **Computers**. + +3. Double-click the name of a computer. + +## Tabs in the <Computer> dialog box + + +The following table shows the information available in the *<Computer>* dialog box. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TabInformation

Details

Shows the following information for the selected computer:

+
    +
  • The computer name, operating system, architecture, and domain.

  • +
  • The IP address, Media Access Control (MAC) address, and hardware identifier.

  • +
  • The manufacturer, asset tag, and system number.

  • +
  • The hardware specifications.

  • +

Applications

Shows the following information for each of the applications installed on the selected computer:

+
    +
  • The application name, version number, and application vendor.

  • +
  • The compatibility rating for the application as determined by your organization.

  • +
  • The compatibility information from the application vendor.

  • +
  • The compatibility information from the ACT Community, which you can view if you are a member of the ACT Community. For more information, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md).

  • +
  • The issues that have been opened for the application.

  • +
  • The count of computers in your organization on which the application is installed.

  • +

Devices

Shows the following information for each of the devices installed on the selected computer:

+
    +
  • The model and manufacturer of the device.

  • +
  • An evaluation of whether the device works on a 32-bit operating system or a 64-bit operating system.

  • +
  • The class of device, as reported by the device.

  • +
  • The count of computers in your organization on which the device is installed.

  • +

Labels

Shows the label for the selected computer.

+

For information about labels, see [Labeling Data in ACM](labeling-data-in-acm.md).

+ +  + +## Using the <Computer> Dialog Box + + +In the *<Computer>* dialog box, you can perform the following actions: + +- Assign categories and subcategories to the computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of the computer to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +  + +  + + + + + diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md new file mode 100644 index 0000000000..ef72f68d43 --- /dev/null +++ b/windows/plan/configuring-act.md @@ -0,0 +1,89 @@ +--- +title: Configuring ACT (Windows 10) +description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. +ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Configuring ACT + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)

The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)

[ACT Deployment Options](act-deployment-options.md)

While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.

[ACT Database Configuration](act-database-configuration.md)

The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169).

[ACT Database Migration](act-database-migration.md)

The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database.

[ACT LPS Share Permissions](act-lps-share-permissions.md)

To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.

+ +  + +## Related topics + + +[Welcome to ACT](welcome-to-act.md) + +[Using ACT](using-act.md) + +[Troubleshooting ACT](troubleshooting-act.md) + +[ACT User Interface Reference](act-user-interface-reference.md) + +[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) + +[ACT Glossary](act-glossary.md) + +[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) + +  + +  + + + + + diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md new file mode 100644 index 0000000000..26d4a51ca0 --- /dev/null +++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md 
@@ -0,0 +1,82 @@ +--- +title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. +ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating a Custom Compatibility Fix in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. + +**Important**   +Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications. + +  + +## What is a Compatibility Fix? + + +A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can mean anything from disabling a new feature in the current version of the operating system to emulating a particular behavior of an older version of the Windows API. + +## Searching for Existing Compatibility Fixes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. 
Before you create a new compatibility fix, you can search for an existing application and then copy and paste the known fixes into your customized database. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + +  + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded compatibility fixes, compatibility modes, or AppHelp messages. + +## Creating a New Compatibility Fix + + +If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database. + +**To create a new compatibility fix** + +1. In the left-side pane of Compatibility Administrator underneath the **Custom Databases** heading, right-click the name of the database to which you want to apply the compatibility fix, click **Create New**, and then click **Application Fix**. + +2. Type the name of the application to which the compatibility fix applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. + +3. Select the operating system for which your compatibility fix applies, click any applicable compatibility modes to apply to your compatibility fix, and then click **Next**. + +4. Select any additional compatibility fixes to apply to your compatibility fix, and then click **Next**. + +5. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Finish**. + + By default, Compatibility Administrator selects the basic matching criteria for your application. 
As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application. + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md new file mode 100644 index 0000000000..75f3706089 --- /dev/null +++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -0,0 +1,87 @@ +--- +title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10) +description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. +ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating a Custom Compatibility Mode in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. + +## What Is a Compatibility Mode? + + +A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API. + +## Searching for Existing Compatibility Modes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. 
+ +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + +  + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages. + +## Creating a New Compatibility Mode + + +If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. + +**Important**   +A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. + +  + +**To create a new compatibility mode** + +1. In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**. + +2. Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box. + +3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**. + + **Important**   + If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode. 
+ +   + + If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. + +4. After you are done selecting the compatibility fixes to include, click **OK**. + + The compatibility mode is added to your custom database. + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md new file mode 100644 index 0000000000..8246a9de4a --- /dev/null +++ b/windows/plan/creating-a-runtime-analysis-package.md 
@@ -0,0 +1,61 @@ +--- +title: Creating a Runtime-Analysis Package (Windows 10) +description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. +ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating a Runtime-Analysis Package + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. + +**To create a runtime-analysis package** + +1. In ACM, click **Collect** to open the Collect screen. + +2. On the **File** menu, click **New**. + +3. Click **Runtime application testing**. + +4. Provide the information that is requested for the package, and then click **Create**. + +5. Navigate to the location where you want to save the Windows installer (.msi) file for the package. + + This .msi file is the file that you can use to install the runtime-analysis package on each computer in your test environment. + +6. Type a file name for the .msi file, and then click **Save**. + +7. Click **Finish**. + +## Related topics + + +[Deciding Which Applications to Test](deciding-which-applications-to-test.md) + +[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) + +[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) + +[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md new file mode 100644 index 0000000000..4fc5707012 
--- /dev/null +++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md 
@@ -0,0 +1,102 @@ +--- +title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. +ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating an AppHelp Message in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. + +## Blocking Versus Non-Blocking AppHelp Messages + + +A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue. + +A non-blocking AppHelp message does not prevent the application from starting, but provides a message to the user including information such as security issues, updates to the application, or changes to the location of network resources. + +## Searching for Existing Compatibility Fixes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. 
Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + +  + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded AppHelp messages, compatibility fixes, and compatibility modes. + +## Creating a New AppHelp Message + + +If you are unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database. + +**To create a new AppHelp message** + +1. In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you will apply the AppHelp message, click **Create New**, and then click **AppHelp Message**. + +2. Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. + + The wizard shows the known **Matching Information**, which is used for program identification. + +3. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Next**. + + By default, Compatibility Administrator selects the basic matching criteria for your application. + + The wizard shows the **Enter Message Type** options. + +4. Click one of the following options: + + - **Display a message and allow this program to run**. 
This is a non-blocking message, which means that you can alert the user that there might be a problem, but the application is not prevented from starting. + + - **Display a message and do not allow this program to run**. This is a blocking message, which means that the application will not start. Instead, this message points the user to a location that provides more information about fixing the issue. + +5. Click **Next**. + + The wizard then shows the **Enter Message Information** fields. + +6. Type the website URL and the message text to appear when the user starts the application, and then click **Finish**. + +## Issues with AppHelp Messages and Computers Running Windows 2000 + + +The following issues might occur with computers running Windows 2000: + +- You might be unable to create a custom AppHelp message. + +- The AppHelp message text used for system database entries might not appear. + +- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text. + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md new file mode 100644 index 0000000000..339ef48aaf --- /dev/null +++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md 
@@ -0,0 +1,114 @@ +--- +title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) +description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. +ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating an Enterprise Environment for Compatibility Testing + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects. + +## Modeling the Production Environment + + +We recommend the following practices for setting up your test environment: + +- Physically separate your test environment from your production environment. Physical separation helps ensure that activity in the test environment does not affect the production environment. + +- On the computers in your test environment, install the new operating system. + +- Perform all of your tests by using accounts that have similar permissions to the accounts in your production environment. This approach helps to ensure that you can determine potential security issues. + +## Configuring the Test Environment for Automated Testing + + +Typically, tests are run more than once, which requires being able to revert your test environment to a previous state. 
We recommend the following practices to ensure consistency in testing and consistency in restoring the state of your test environment: + +- Use disk-imaging software to create physical disk images. + +- Use software virtualization features to reverse changes to virtualized hard disks. + +## Determining When Virtualization Is Appropriate + + +The following table shows some of the advantages and disadvantages of virtualization. + + ++++ + + + + + + + + + + + + +
AdvantagesDisadvantages
    +
  • Supports a large number of servers in a limited amount of physical space. You can run as many virtual servers as the physical computer’s resources allow.

  • +
  • Easily shares your test environment between teams. For example, your test team can create a virtualized test environment and then provide a copy to your development team for use in its development processes.

  • +
  • Supports multiple users performing simultaneous testing, mimicking the ability for each user to have a dedicated test environment.

  • +
  • Easily restores your environment to a previous state. For example, you can revert to a previous state by using the Undo Disks option.

  • +
    +
  • May reduce performance. Virtualized servers may be slower than their physical counterparts. The performance of virtualized servers is reduced because physical resources such as disks are virtualized.

  • +
  • May not support all applications and device drivers. Some hardware-specific device drivers and applications are not supported in virtualized servers.

  • +
+ +  + +## Testing Methodology + + +When testing an application in a new operating system, we recommend the following methods: + +- Retain the default security-feature selections. + +- Use test automation tools to run your test cases in a consistent, reproducible way. + +- Use your application in the same way that you use it in your production environment. + +- Use the Compatibility Monitor tool in the runtime-analysis package to gather compatibility feedback. + +- Send and receive compatibility data to obtain data and solutions through the Microsoft Compatibility Exchange. + +- When testing a website or a web application, include both intranet and extranet sites, prioritizing the list based on how critical the site or the application is to your organization. + +## Related topics + + +[Deciding Which Applications to Test](deciding-which-applications-to-test.md) + +[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) + +[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) + +[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md new file mode 100644 index 0000000000..01d9dcf89c --- /dev/null +++ b/windows/plan/creating-an-inventory-collector-package.md 
@@ -0,0 +1,57 @@ +--- +title: Creating an Inventory-Collector Package (Windows 10) +description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package. +ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating an Inventory-Collector Package + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use Application Compatibility Manager (ACM) to create an inventory-collector package. You can then deploy the inventory-collector package to other computers to gather inventory data. The package uploads inventory data to the Application Compatibility Toolkit (ACT) database. + +**To create an inventory-collector package** + +1. In ACM, click **Collect** to open the **Collect** screen. + +2. On the **File** menu, click **New**. + +3. Click **Application inventory**. + +4. Provide the information that is requested for the package, and then click **Create**. + +5. Browse to the location where you want to save the Windows® Installer (.msi) file for the package. + + You can use this .msi file to install the inventory-collector package on each computer for which you want to gather inventory data. + +6. Type a file name for the .msi file, and then click **Save**. + +7. Click **Finish**. + +## Related topics + + +[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md) + +[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md) + +  + +  + + + + + diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md new file mode 100644 index 0000000000..d4e183c235 --- /dev/null +++ b/windows/plan/creating-and-editing-issues-and-solutions.md 
@@ -0,0 +1,64 @@ +--- +title: Creating and Editing Issues and Solutions (Windows 10) +description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. +ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Creating and Editing Issues and Solutions + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Adding or Editing an Issue](adding-or-editing-an-issue.md)

In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover.

[Adding or Editing a Solution](adding-or-editing-a-solution.md)

If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation.

[Resolving an Issue](resolving-an-issue.md)

You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens.

+ +  + +  + +  + + + + + diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md new file mode 100644 index 0000000000..97566482eb --- /dev/null +++ b/windows/plan/customizing-your-report-views.md 
@@ -0,0 +1,148 @@ +--- +title: Customizing Your Report Views (Windows 10) +description: You can customize how you view your report data in Application Compatibility Manager (ACM). +ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Customizing Your Report Views + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can customize how you view your report data in Application Compatibility Manager (ACM). + +## Modifying the <Operating\_System> Reports View + + +You can choose which operating systems ACM shows in the compatibility reports. For operating systems that you exclude from the reports, the data continues to be collected but ACM does not display it. + +If you are using ACM on multiple computers that access the same ACT database, when you remove an operating system from your reports, all of the computers running ACM no longer show the operating system. + +**To add or remove an operating system from the Quick Reports pane** + +1. On the **Analyze** screen, at the bottom of the **Quick Reports** pane, click **Customize this view**. + +2. In the **Deployment Reports** area, select the check boxes for the operating systems you want to show in your reports, and then click **OK**. + +3. Select the architectures, **32-bit**, **64-bit**, or **Both**, for which you want to see compatibility ratings in the report screens. + +## Adding and Removing Columns from the Report Views + + +You can add and remove columns from most of the report screens. In the report dialog boxes, you cannot add or remove columns, but you can reorder the columns. + +**To add or remove a column** + +1. On the selected report screen, right-click the column headings, and then click **Column Options**. + +2. Select the check box next to any column that you want to add, and clear the check box next to any column that you want to remove. + +3. 
If you want, reorder the columns by using the **Move Up** and **Move Down** buttons. + +4. Click **OK**. + +### Columns by Screen + +The following table shows the columns that are available for each screen. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ScreenDefault columnsAdditional columns

[<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)

    +
  • Application Name

  • +
  • Version

  • +
  • Company

  • +
  • My Assessment

  • +
  • User Assessment

  • +
  • Send/Receive Status

  • +
  • Vendor Assessment

  • +
  • Community Assessment

  • +
  • Active Issues

  • +
  • Computers

  • +
    +
  • Resolved Issues

  • +
  • Language

  • +
  • Priority

  • +
  • Deployment Status

  • +
  • Issues with Solutions

  • +

[<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)

    +
  • Computer Name

  • +
  • Applications with Issues

  • +
  • Devices with Issues

  • +
  • Operating System

  • +
  • Domain

  • +
  • Applications

  • +
  • Devices

  • +
    +
  • Priority

  • +

[<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)

    +
  • Model

  • +
  • Manufacturer

  • +
  • Assessment

  • +
  • Device Class

  • +
  • Computers

  • +
    +
  • Assessment

  • +
  • Priority

  • +

[Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)

    +
  • Web Site

  • +
  • My Assessment

  • +
  • Active Issues

  • +
  • Resolved Issues

  • +
    +
  • None

  • +
+ +  + +  + +  + + + + + diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md new file mode 100644 index 0000000000..4f5456aa5d --- /dev/null +++ b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md 
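Review bot: in customizing-your-report-views.md, the procedure "To add or remove an operating system from the Quick Reports pane" has step 2 end with "and then click **OK**" while step 3 then asks the reader to "Select the architectures, **32-bit**, **64-bit**, or **Both**", so the architecture choice is made after the dialog has already been dismissed; either move the architecture selection into step 2 ahead of the click on **OK**, or say where step 3 takes place. Also, the angle-bracket placeholders `<Operating\_System>` in the heading and `<OperatingSystem>` in the table links will be parsed as HTML tags by the renderer and disappear from the output; use an italic or code-formatted placeholder instead.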
@@ -0,0 +1,238 @@ +--- +title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10) +description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. +ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Data Sent Through the Microsoft Compatibility Exchange + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. + +## Data Sent to Microsoft + + +During synchronization, the Microsoft Compatibility Exchange sends the following information to Microsoft Corporation: + +- **Application information and properties**. This data includes the application name, the vendor, the version number, the language, and the deployment type. + +The data-synchronization process does not send your list of URLs visited as part of the information exchange. + +## Data Sent to the ACT Community + + +The Microsoft Compatibility Exchange sends the following information to the ACT Community for each application that you decide to share with the ACT Community: + +- **Application information and properties**. This data includes the application name, the vendor, the version number, the language, and the deployment type. + +- **Miscellaneous data**. This data includes: + + - The database GUID that identifies the organization that is the source of the data. + + - The issue data. + + - The issue ID. + + - The platform and destination operating system. + + - The severity. + + - The cause. + + - The symptom. + + - The solution data. + + - The solution type. + + - The issue and solution provider. 
+ + - The issue and solution subprovider. + + - The issue and solution published date. + + - Your risk assessment. + +The data-synchronization process does not send your list of URLs visited as part of the information exchange. + +## Data Matching + + +After you send your data, the Microsoft Compatibility Exchange matches your application properties against the known issues listed in the Application Profile database. The Microsoft Compatibility Exchange downloads any issues and corresponding solutions that match your application set and then stores the information in your ACT database. + +## Data Sent From Microsoft and ISVs + + +For each application that matches an application in the Application Profile database, the Microsoft Compatibility Exchange returns the following information, provided by authoritative sources including Microsoft Corporation and independent software vendors (ISVs). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DataDescription

Risk assessment

The determination of whether the application has compatibility issues.

Symptom

Behavior exhibited by the application.

Cause

Reason for the failure.

Provider and subprovider

Source of the compatibility issue.

Issue ID

A unique ID number for the compatibility issue.

Severity

Impact this issue has on the application experience.

Priority

Degree of impact that this issue has on your organization.

Published Date

Date that the source entered the data into the database.

Operating system name

Friendly name of the installed operating system.

Major version

Major version number of the operating system.

Minor version

Minor version number of the operating system.

Locale

Language ID of the application to which the compatibility issue applies.

Title

Short title of the compatibility issue.

Summary

Description of the compatibility issue.

Service pack major

Major version number of the operating system service pack.

Service pack minor

Minor version number of the operating system service pack.

URL HREF

URL of any links provided for the compatibility issue.

Provider and subprovider IDs

IDs for the source of the compatibility issue's solution.

Solution type

Type of solution provided for the compatibility issue.

Locale

Language ID of the application to which the solution applies.

Title

Short title of the solution.

Details

Description of the solution.

URL HREF

URL of any links provided for the compatibility issue solution.

+ +  + +## Data Sent From the ACT Community + + +For each application that matches an application in the Application Profile database, the Microsoft Compatibility Exchange returns the following ACT Community information, which you receive only if you are a member of the ACT Community: + + ++++ + + + + + + + + + + + + + + + + + + + + +
DataDescription

Works

The count of Works ratings, for 32-bit and 64-bit operating systems.

Works with Minor Issues or has Solutions

The count of Works with Minor Issues or has Solutions ratings, for 32-bit and 64-bit operating systems.

Does Not Work

The count of Does Not Work ratings, for 32-bit and 64-bit operating systems.

+ +  + +## Related topics + + +[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md) + +[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) + +  + +  + + + + + diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md new file mode 100644 index 0000000000..ed48afa8a9 --- /dev/null +++ b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md 
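Review bot: in data-sent-through-the-microsoft-compatibility-exchange.md, the "Data Sent From Microsoft and ISVs" table lists Locale, Title and URL HREF twice without saying that the first set belongs to the issue record and the second to the solution record (the descriptions differ only in "compatibility issue" versus "solution"); add a column or split the table into issue fields and solution fields so a reader can tell which record each row describes. The sentence "The data-synchronization process does not send your list of URLs visited as part of the information exchange." is repeated verbatim under both "Data Sent to Microsoft" and "Data Sent to the ACT Community"; one statement covering both sections would read cleaner.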
@@ -0,0 +1,53 @@ +--- +title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10) +description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround. +ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Deciding Whether to Fix an Application or Deploy a Workaround + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can fix a compatibility issue by changing the code for the application or by deploying a workaround. + +## Fixing an Application + + +Fixing an application by changing the code is often the recommended way to address a compatibility issue. Although applying a fix to the code might involve higher initial costs or additional development time, it can limit long-term maintenance or operational costs. After you change the code, all users can use the application without encountering the issue. + +If you do not have access to the code, or if you do not have the time and resources to apply a fix, an alternative approach is to deploy a workaround. + +## Deploying a Workaround + + +A workaround involves applying alternative registry settings to address a compatibility issue. Deploying a workaround might be quicker and easier than changing the code, but you can incur long-term maintenance or operational costs. For example, you must make sure that new users have the correct set of features enabled or disabled on their computers. Using a workaround might also make your application or systems less secure. However, the overall security enhancement associated with deploying the newer version of Windows® may more than offset this reduction in security. + +Consider changing registry settings as a short-term solution while you develop the long-term solution of changing the code. 
+ +## Related topics + + +[SUA User's Guide](sua-users-guide.md) + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md new file mode 100644 index 0000000000..f5719dbdb7 --- /dev/null +++ b/windows/plan/deciding-which-applications-to-test.md 
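Review bot: in deciding-whether-to-fix-an-application-or-deploy-a-workaround.md, "Using a workaround might also make your application or systems less secure." gives the reader nothing to judge the risk by; say which kind of settings the sentence has in mind, or at least which of the linked guides covers it. Relatedly, "A workaround involves applying alternative registry settings" defines a workaround purely as registry changes, yet the Related topics point to the SUA User's Guide and the Compatibility Administrator User's Guide; either the definition or the links should be widened so the two agree.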
@@ -0,0 +1,53 @@ +--- +title: Deciding Which Applications to Test (Windows 10) +description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. +ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Deciding Which Applications to Test + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. + +**To choose the applications to include in compatibility testing** + +1. Gather your application and device inventory. For more information, see [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md). + +2. Use the Microsoft Compatibility Exchange to get the latest compatibility ratings. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +3. Organize and group your applications, and determine which applications need to be tested. For more information, see [Organizing Your Compatibility Data](organizing-your-compatibility-data.md). + + After completing these steps, you can then start creating and deploying your runtime-analysis packages to the test environment for your compatibility testing. 
+ +## Related topics + + +[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) + +[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) + +[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) + +[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md new file mode 100644 index 0000000000..ade04833e1 --- /dev/null +++ b/windows/plan/deleting-a-data-collection-package.md @@ -0,0 +1,51 @@ +--- +title: Deleting a Data-Collection Package (Windows 10) +description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. +ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Deleting a Data-Collection Package + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. + +You cannot undo the deletion of a data-collection package. If you mistakenly delete a data-collection package, you must create a new package to replace the deleted package. + +**To delete a data-collection package** + +1. In ACM, click **Collect** to open the Collect screen. + +2. Select the data-collection package that you want to delete, and then press the DELETE key. + +3. In the confirmation box, click **Yes**. + +## Related topics + + +[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) + +[Exporting a Data-Collection Package](exporting-a-data-collection-package.md) + +[Labeling Data in ACM](labeling-data-in-acm.md) + +  + +  + + + + + 
diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md new file mode 100644 index 0000000000..09c49b1cc9 --- /dev/null +++ b/windows/plan/deploying-a-runtime-analysis-package.md @@ -0,0 +1,47 @@ +--- +title: Deploying a Runtime-Analysis Package (Windows 10) +description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. +ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Deploying a Runtime-Analysis Package + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. + +For information about creating the test environment, see [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md). + +To deploy a runtime-analysis package, you can use the same deployment methods that you might use to deploy an inventory-collector package. For information about deployment methods, see [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md). + +## Related topics + + +[Deciding Which Applications to Test](deciding-which-applications-to-test.md) + +[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) + +[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) + +[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md new file mode 100644 index 0000000000..a3d471a410 --- /dev/null 
+++ b/windows/plan/deploying-an-inventory-collector-package.md 
@@ -0,0 +1,142 @@ +--- +title: Deploying an Inventory-Collector Package (Windows 10) +ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62 +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Deploying an Inventory-Collector Package + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use the following methods to deploy an inventory-collector package to the destination computers: + +- **Group Policy Software Installation.** This is a feature of Active Directory Domain Services in Windows Server. All computers to which you deploy the package must be part of the Active Directory forest. + +- **Logon script.** You can use Windows Script Host to create a logon script. Installing by using a logon script requires administrator credentials on the local computer. + +- **Microsoft® System Center Configuration Manager.** For information about how to use System Center Configuration Manager, see the product documentation. + +- **Manual distribution.** You can use a file server on the network as a software distribution point, or you can distribute removable media. User installation of an inventory-collector package requires administrator credentials on the local computer. + +**To deploy an inventory-collector package by using Group Policy Software Installation** + +1. Ensure that the computers to which you want to deploy the inventory-collector package are members of the Active Directory forest. + +2. Create a Group Policy Object (GPO) for publishing the inventory-collector package. + +3. Assign the GPO to the organizational units (OUs) that contain the set of computers. + +4. Create and publish a new software installation package by using Group Policy Software Installation. 
+ + For information about the Group Policy Software Installation process, see [Best practices for Group Policy Software Installation](http://go.microsoft.com/fwlink/p/?LinkId=87996). + +**To assign a logon script for installing an inventory-collector package to an organizational unit** + +1. Create the logon script. The following script is an example. + + ``` syntax + Set ws = WScript.CreateObject("WScript.Shell") + ws.Run("\\servername\collector\package_name.exe") + ``` + + To keep the installation from running repeatedly, your script must create a marker. + + For more information about logon scripts, see [Assign a Logon Script to a User in the Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=87997). + +2. Save your script in the SYSVOL\\Scripts folder. + +3. Open the Active Directory Users and Computers console by clicking **Start**, clicking **All Programs**, clicking **Administrative Tools**, and then clicking **Active Directory Users and Computers**. + +4. Right-click the OU to which you intend to assign the logon script, click **Properties**, and then click the **Group Policy** tab. + +5. Click **New** to add a new GPO, or select an existing GPO and then click **Edit**. + +6. In the left pane, expand the **User Configuration** object, expand the **Windows Setting** object, and then click **Scripts (Logon/Logoff)**. + +7. In the right pane, double-click the **Logon** script. + +8. Click **Add**. + +9. Click **Browse**, browse to the \\\\*<domain>*\\Sysvol\\Scripts folder, select your script, and then click **Open**. + +10. Click **OK** to close the **Logon Properties** dialog box. + +11. Close the Group Policy Management console and the Active Directory Users and Computers console. + +12. On a computer that is a member of the domain and a part of the OU, log on as an OU user. + +13. Open a **Command Prompt** window, and then type `GPUPDATE /force` to force the update of the Group Policy setting. + +14. 
At the command prompt, type `RSOP.msc` to verify your Group Policy assignment. + +15. In the left pane, expand the **Computer Configuration** object, expand the **Windows Setting** object, and then click **Security Settings**. + +16. Expand **Account Policies**, click **Password Policy**, and verify the assigned Group Policy setting. + +17. Close the Resultant Set of Policy console and the **Command Prompt** window. + +**To deploy an inventory-collector package by using System Center Configuration Manager** + +1. Verify that the computers to which you want to deploy the package are included in your Configuration Manager inventory. + +2. Create a Configuration Manager computer collection that includes the computers. + +3. Create a shared folder that contains the source image of the inventory-collector package. + +4. Create a Configuration Manager package that is based on the source image from the shared folder. + + For more information, see [How to Create a Package](http://go.microsoft.com/fwlink/p/?LinkId=131355). + +5. Specify the Configuration Manager software distribution points. + +6. Create a Configuration Manager program that includes the required commands and command-line options to deploy the inventory-collector package. + + For more information, see [How to Create a Program](http://go.microsoft.com/fwlink/p/?LinkId=131356). + +7. Create a Configuration Manager advertisement that instructs Configuration Manager clients to run the program that you specified in the previous step. + + For more information, see [How to Create an Advertisement](http://go.microsoft.com/fwlink/p/?LinkId=131357). + +**To deploy an inventory-collector package from a network share** + +1. Store your package (.msi) file in a shared folder on the network. + +2. Notify the users of the computers that require the inventory-collector package to run the .msi file. For example, you might send an email message that includes a hyperlink to the shared folder. 
+ +**To deploy an inventory-collector package to offline computers** + +1. In your inventory-collector package, specify a local output path for the log file. + +2. Burn your.msi file to removable media. + +3. Send the removable media to users of the offline computers. + +4. Instruct the users to run the .msi file and then return the generated log file. For example, the users might send the log file in an email message or place the file on a network share. + +## Related topics + + +[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md) + +[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md) + +  + +  + + + + + diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md new file mode 100644 index 0000000000..473ff80e7e --- /dev/null +++ b/windows/plan/deployment-considerations-for-windows-to-go.md 
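Review bot: in deploying-an-inventory-collector-package.md, the verification in steps 14 to 16 of the logon-script procedure (`RSOP.msc`, then **Computer Configuration** > **Windows Setting** > **Security Settings** > **Account Policies** > **Password Policy**) checks a password policy, not the logon script that step 6 assigned under **User Configuration** > **Windows Setting** > **Scripts (Logon/Logoff)**; point the verification at the User Configuration scripts node instead (and "Windows Setting" should read "Windows Settings" in both places). The same procedure states that installing by logon script "requires administrator credentials on the local computer" while step 12 logs on "as an OU user"; say explicitly that a User Configuration logon script runs with that user's rights, so the package installs only when the user is a local administrator, which is a reason to prefer the Group Policy Software Installation method over giving users administrator rights for this. Smaller points: `description:` in the front matter is empty; the script block is fenced as `syntax` rather than `vbscript`; "Burn your.msi file" is missing a space; and because the sample script launches `\\servername\collector\package_name.exe` straight from a share, the doc should tell readers to keep that share read-only for the users who run the script.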
@@ -0,0 +1,332 @@ +--- +title: Deployment considerations for Windows To Go (Windows 10) +description: Deployment considerations for Windows To Go +ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e +keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Deployment considerations for Windows To Go + + +**Applies to** + +- Windows 10 + +From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. + +**Note**   +Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process. + +  + +The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go. + +- [Initial boot experiences](#wtg-initboot) + +- [Image deployment and drive provisioning considerations](#wtg-imagedep) + +- [Application installation and domain join](#wtg-appinstall) + +- [Management of Windows To Go using Group Policy](#bkmk-wtggp) + +- [Supporting booting from USB](#wtg-bootusb) + +- [Updating firmware](#stg-firmware) + +- [Configure Windows To Go startup options](#wtg-startup) + +- [Change firmware settings](#wtg-changefirmware) + +## Initial boot experiences + + +The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. 
The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises: + +![initial boot on-premises](images/wtg-first-boot-work.gif) + +When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required. + +![initial boot off-premises](images/wtg-first-boot-home.gif) + +When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized. + +**Tip**   +Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. 
For more information, see [What's New in BitLocker](http://go.microsoft.com/fwlink/p/?LinkId=619076). + +  + +DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](http://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](http://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. + +### Image deployment and drive provisioning considerations + +The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. + +![windows to go image deployment](images/wtg-image-deployment.gif) + +The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives. 
+ +**Tip**   +When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments. + +  + +**Driver considerations** + +Windows includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary. + +Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems. + +The following list of commonly used Wi-Fi network adapters that are not supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Vendor name

Product description

HWID

Windows Update availability

Broadcom

802.11abgn Wireless SDIO adapter

sd\vid_02d0&pid_4330&fn_1

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_010e106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_433114e4&rev_02

Contact the system OEM or Broadcom for driver availability.

Broadcom

802.11n Network Adapter

pci\ven_14e4&dev_4331&subsys_010f106b&rev_02

Contact the system OEM or Broadcom for driver availability.

Marvell

Yukon 88E8001/8003/8010 PCI Gigabit Ethernet

pci\ven_11ab&dev_4320&subsys_811a1043

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619080)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619082)

Marvell

Libertas 802.11b/g Wireless

pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619128)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619129)

Qualcomm

Atheros AR6004 Wireless LAN Adapter

sd\vid_0271&pid_0401

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619086)

+

64-bit driver not available

Qualcomm

Atheros AR5BWB222 Wireless Network Adapter

pci\ven_168c&dev_0034&subsys_20031a56

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619348)

+

64-bit driver not available

Qualcomm

Atheros AR5BWB222 Wireless Network Adapter

pci\ven_168c&dev_0034&subsys_020a1028&rev_01

Contact the system OEM or Qualcom for driver availability.

Qualcomm

Atheros AR5005G Wireless Network Adapter

pci\ven_168c&dev_001a&subsys_04181468&rev_01

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619349)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619091)

Ralink

Wireless-G PCI Adapter

pci\ven_1814&dev_0301&subsys_00551737&rev_00

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619092)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619093)

Ralink

Turbo Wireless LAN Card

pci\ven_1814&dev_0301&subsys_25611814&rev_00

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619094)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619095)

Ralink

Wireless LAN Card V1

pci\ven_1814&dev_0302&subsys_3a711186&rev_00

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619097)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619098)

Ralink

D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)

pci\ven_1814&dev_0302&subsys_3c091186&rev_00

[32-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619099)

+

[64-bit driver](http://go.microsoft.com/fwlink/p/?LinkId=619100)

+ +  + +IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](http://go.microsoft.com/fwlink/p/?LinkId=619079). + +### Application installation and domain join + +Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications + +### Management of Windows To Go using Group Policy + +In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor. + +The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. 
The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment: + +**Settings for workspaces** + +- **Allow hibernate (S4) when started from a Windows To Go workspace** + + This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs. + + **Important**   + For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port. + +   + +- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace** + + This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. 
Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. + +**Settings for host PCs** + +- **Windows To Go Default Startup Options** + + This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog. + + **Important**   + Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started. + +   + +## Supporting booting from USB + + +The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. 
To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB. + +**Note**   +Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options. + +  + +If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](http://go.microsoft.com/fwlink/p/?LinkID=618951). + +### Roaming between different firmware types + +Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams. + +![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif) + +This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware. 
+ +To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command: + +![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif) + +This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware. + +### Configure Windows To Go startup options + +Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured. + +**To configure Windows To Go startup options** + +1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and then press Enter. + + ![windows to go startup options](images/wtg-startup-options.gif) + +2. Select **Yes** to enable the startup options. + + **Tip**   + If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog. + +   + +3. Click **Save Changes**. 
If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**. + +### Change firmware settings + +If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode. + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + +  + +  + + + + + diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md new file mode 100644 index 0000000000..ae65f7330b --- /dev/null +++ b/windows/plan/device-dialog-box.md 
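Review bot: the table introduced as "commonly used Wi-Fi network adapters that are not supported by the default drivers" contains a wired controller, "Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet" (HWID `pci\ven_11ab&dev_4320&subsys_811a1043`); either retitle the table as network adapters lacking in-box drivers or move that row out, because a reader building an image for Wi-Fi roaming will otherwise assume it is a wireless part. Smaller points in the same hunk: "Contact the system OEM or Qualcom for driver availability." should read "Qualcomm" to match the vendor column; step 1 of "To configure Windows To Go startup options" doubles a word ("On the Start screen, type, type **Windows To Go Startup Options**"); the same paragraph names the tool both "Windows To Go Creator" and "Windows To Go Workspace Creator"; the Store policy sentence refers to "Windows To Go workspaces that are running Windows 8" in a topic otherwise written for Windows 10; and both Group Policy paths are written inside code spans with a stray leading `\\` (`\\Computer Configuration\Administrative Templates\...`), which renders literally there, unlike the bold `bcdboot C:\\windows /s H: /f ALL` line where the escape is needed. The Note under "Supporting booting from USB" already states that "a USB device that includes malware could be booted inadvertently to compromise the system"; since that is the main security trade-off of the feature, it is worth pointing from that Note to the "Security and data protection considerations for Windows To Go" topic instead of leaving the cross-reference only under Related topics.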
@@ -0,0 +1,89 @@ +--- +title: Device Dialog Box (Windows 10) +description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device. +ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <Device> Dialog Box + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), the *<Device>* dialog box shows information about the selected device. + +**To open the <Device> dialog box** + +1. In ACM, in the **Quick Reports** pane, click **Analyze**. + +2. Under an operating system heading, click **Devices**. + +3. Double-click the name of a device. + +## Tabs in the <Device> dialog box + + +The following table shows the information available in the *<Device>* dialog box. + + ++++ + + + + + + + + + + + + + + + + +
TabInformation

Details

Shows the following information for the selected device:

+
    +
  • The model and manufacturer of the device.

  • +
  • The class of device, as reported by the device.

  • +
  • An evaluation of whether the device works on a 32-bit operating system or a 64-bit operating system.

  • +

Computers

Shows the following information for each of the computers on which the device is installed:

+
    +
  • Computer name, domain, and operating system.

  • +
  • The count of installed applications and devices.

  • +
  • The count of installed applications and devices that have issues.

  • +
+ +  + +## Using the <Device> Dialog Box + + +In the *<Device>* dialog box, you can perform the following actions: + +- Assign categories and subcategories to the device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of the device to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +  + +  + + + + + diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md new file mode 100644 index 0000000000..0f3ad7aa3d --- /dev/null +++ b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md 
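Review bot: the angle-bracket placeholder in `# <Device> Dialog Box`, `*<Device>*`, `**To open the <Device> dialog box**` and the two `## ... <Device> ...` headings will be parsed as a raw HTML tag by most Markdown renderers and dropped from the output, leaving "Dialog Box" with no name; escape it as `\<Device\>` or `&lt;Device&gt;` wherever it appears. While touching those headings, make the capitalization consistent ("Tabs in the <Device> dialog box" versus "Using the <Device> Dialog Box" in the same file).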
@@ -0,0 +1,73 @@ +--- +title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) +description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. +ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Enabling and Disabling Compatibility Fixes in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. + +## Disabling Compatibility Fixes + + +Customized compatibility databases can become quite complex as you add your fixes for the multiple applications found in your organization. Over time, you may find you need to disable a particular fix in your customized database. For example, if a software vendor releases a fix for an issue addressed in one of your compatibility fixes, you must validate that the vendor's fix is correct and that it resolves your issue. To do this, you must temporarily disable the compatibility fix and then test your application. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. + +  + +**To disable a compatibility fix within a database** + +1. In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix. + + The compatibility fix details appear in the right-hand pane. + +2. On the **Database** menu, click **Disable Entry**. 
+ + **Important**   + When you disable an entry, it will remain disabled even if you do not save the database file. + +   + +## Enabling Compatibility Fixes + + +You can enable your disabled compatibility fixes at any time. + +**To enable a compatibility fix within a database** + +1. In the left-side pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to enable, and then select the specific compatibility fix. + + The compatibility fix details appear in the right-side pane. + +2. On the **Database** menu, click **Enable Entry**. + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md new file mode 100644 index 0000000000..a128516e95 --- /dev/null +++ b/windows/plan/example-filter-queries.md 
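Review bot: step 1 of "To disable a compatibility fix within a database" has a typo, "left-sde pane", and that procedure says "right-hand pane" where the enable procedure immediately below says "left-side pane" and "right-side pane"; fix the typo and use one term in both. The Important note, "When you disable an entry, it will remain disabled even if you do not save the database file", describes behavior a reader will not expect, so add a sentence on what it means in practice (whether the disabled state is applied to the installed database right away or only while the editor is open), since the stated purpose of disabling is to verify that a vendor fix works with the compatibility fix genuinely out of the way.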
@@ -0,0 +1,78 @@ +--- +title: Example Filter Queries (Windows 10) +description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria. +ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Example Filter Queries + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can filter your compatibility-issue data or reports by selecting specific restriction criteria. + +## Example Queries + + +The following sections show example queries created by using the Query Builder. + +### All Applications with Issues + +The following example query returns all applications that have one or more known issues. + +![act filter example all apps with issues](images/dep-win8-e-act-filterexampleallappswissues.gif) + +### All Applications with Solutions for Known Issues + +The following example query returns all applications that have solutions for their known issues. + +![act filter examples for issues with solutions](images/dep-win8-e-act-filterexampleforissueswsolutions.gif) + +### All Applications with Specific Solution Types + +The following example query returns all applications that have a solution type of Application Update or Application Configuration. + +![act filter example for specific solutions](images/dep-win8-e-act-filterexampleforspecificsolutions.gif) + +### All Applications with No Known Issues + +The following example query returns all applications that have no known issues. + +![act filter example all apps with no issues](images/dep-win8-e-act-filterexampleallapps0issues.gif) + +### All Applications with No Active Issues + +The following example query returns all applications that have no active issues. 
+ +![act filter example all apps with no active issues](images/dep-win8-e-act-filterexampleallapps0activeissues.gif) + +### All Applications Appearing in a Specific Category and Subcategory + +The following example query returns all applications that have a category of Department and a subcategory of either Human Resources or Finance. + +![act filter example category](images/dep-win8-e-act-filterexamplecategory.gif) + +## Related topics + + +[Filtering Your Compatibility Data](filtering-your-compatibility-data.md) + +  + +  + + + + + diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md new file mode 100644 index 0000000000..c1eef9d0ad --- /dev/null +++ b/windows/plan/exporting-a-data-collection-package.md 
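Review bot: every example query in this file exists only as a .gif screenshot, with alt text such as "act filter example all apps with issues" that names the file rather than the query; add the And/Or, Field, Operator and Value rows of each query as text next to its image so the examples can be read without images, found by search, and reproduced exactly in Query Builder, and make the alt text describe the query clauses.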
@@ -0,0 +1,53 @@ +--- +title: Exporting a Data-Collection Package (Windows 10) +description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. +ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Exporting a Data-Collection Package + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. + +You can export only one data-collection package at a time. + +**To export a data-collection package** + +1. In ACM, click **Collect** to open the Collect screen. + +2. Select the data-collection package that you want to export. + +3. On the **File** menu, click **Export**. + +4. Navigate to the folder where you want to store the Windows installer (.msi) file for the data-collection package, and then click **Save**. + +## Related topics + + +[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) + +[Deleting a Data-Collection Package](deleting-a-data-collection-package.md) + +[Labeling Data in ACM](labeling-data-in-acm.md) + +  + +  + + + + + diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md new file mode 100644 index 0000000000..36776e764a --- /dev/null +++ b/windows/plan/filtering-your-compatibility-data.md 
@@ -0,0 +1,114 @@ +--- +title: Filtering Your Compatibility Data (Windows 10) +description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. +ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Filtering Your Compatibility Data + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. + +The following table shows the columns in Query Builder. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ColumnDescription

And/Or

If you select And, your data must match all query rows to appear as a returned result.

+

If you select Or, your data can match any query row to appear as a returned result.

Field

Select filter criteria.

Operator

Select an operator. The available operators depend on the field that you choose.

Value

Type or select a value.

+ +  + +## Creating Basic Queries + + +You can insert as many query clauses as you want to create a customized view of your compatibility data. + +**Note**   +The following examples use the **<Operating\_System> - Application Report** screen. The process is the same for other report types. + +  + +**To create a basic query** + +1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. + +2. In the Query Builder, enter your filter criteria, pressing the Tab key to add clauses. + + To delete a clause, right-click the row, and then click **Delete Clause**. + +3. Click **Refresh**. + + Your filtered results appear. To close the Query Builder, click **Toggle Filter** again. + +## Querying on Objects + + +You can query your compatibility data based on its relationship with other objects. For example, in the applications report, you can query for applications that have corresponding issues. Fields that have a (+) suffix in Query Builder are collections of objects. + +**To query for a collection of objects** + +1. In Query Builder, in the **Field** column, click any field that contains a plus sign (+) as suffix. + +2. In the **Operator** column, select **Exists**, **Not Exists**, or **All Have**. + + Query Builder creates a group clause, which is shown by a bracket that spans the rows that are included in the group. + +3. Move your cursor to the next row in the group clause, and then in the **Field** column, select a field. + +4. In the **Operator** column, select an operator. + +5. In the **Value** column, enter a value, and then click **Refresh**. + +## Related topics + + +[Example Filter Queries](example-filter-queries.md) + +  + +  + + + + + diff --git a/windows/plan/fixing-applications-by-using-the-sua-tool.md b/windows/plan/fixing-applications-by-using-the-sua-tool.md new file mode 100644 index 0000000000..99bd4deb6e --- /dev/null +++ b/windows/plan/fixing-applications-by-using-the-sua-tool.md 
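Review bot: `**<Operating\_System> - Application Report**` in the Note and in step 1 of "To create a basic query" wraps an angle-bracket placeholder that Markdown will parse as an HTML tag and strip, so the rendered screen name becomes just " - Application Report"; escape it as `\<Operating_System\>` or `&lt;Operating_System&gt;`. The "Querying on Objects" section says fields with a "(+)" suffix are collections and that the group clause is "shown by a bracket that spans the rows"; since the grouped **Exists**/**Not Exists**/**All Have** clauses only work for rows inside that bracket, step 3 should say how to add a row inside the group as opposed to after it.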
@@ -0,0 +1,70 @@ +--- +title: Fixing Applications by Using the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. +ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Fixing Applications by Using the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. + +**To fix an application by using the SUA tool** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, open the SUA tool. + +3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + +
Mitigation menu commandDescription

Apply Mitigations

Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

Undo Mitigations

Removes the application fixes that you just applied.

+

This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

Export Mitigations as Windows Installer file

Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.
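Review bot: step 1 of "To fix an application by using the SUA tool" already has the reader running the SUA tool to test the application, so step 2, "After you finish testing, open the SUA tool.", reads as a contradiction; either drop step 2 or say what actually changes between testing and mitigation (for example, returning to the main SUA window after the test run). Also "Windows® Installer (.msi) file" in the last table row uses the registered mark while the sibling exporting topic in this patch writes "Windows installer (.msi) file"; pick one form. This file is the only new topic in the patch without a "Related topics" section; a link back to "Using the SUA Tool", which step 1 already cites, would match the other pages.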

+ +   + +  + +  + + + + + diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md new file mode 100644 index 0000000000..dc3e884415 --- /dev/null +++ b/windows/plan/fixing-compatibility-issues.md @@ -0,0 +1,77 @@ +--- +title: Fixing Compatibility Issues (Windows 10) +description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. +ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Fixing Compatibility Issues + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md)

You can fix a compatibility issue by changing the code for the application or by deploying a workaround.

[SUA User's Guide](sua-users-guide.md)

You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.

[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)

The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following:

+ +  + +## Related topics + + +[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) + +[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) + +[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) + +[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) + +[Troubleshooting ACT](troubleshooting-act.md) + +  + +  + + + + + diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md new file mode 100644 index 0000000000..638addad76 --- /dev/null +++ b/windows/plan/identifying-computers-for-inventory-collection.md 
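Review bot: the Compatibility Administrator row of the "In this section" table ends with "Compatibility Administrator provides the following:" and then stops, so the colon introduces a list that is not in the patch; either add the list items or end the cell at "before deploying a new version of Windows to your organization." The other two rows are complete single sentences, so the truncated one reads as a paste error.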
@@ -0,0 +1,104 @@ +--- +title: Identifying Computers for Inventory Collection (Windows 10) +ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Identifying Computers for Inventory Collection + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following: + +- **System inventory.** Information about the client computer. This information includes the memory capacity, the processor speed, and the processor architecture. + +- **Device inventory.** Information about the devices that are installed on the client computer. This information includes the model, the manufacturer, and the device class. + +- **Software inventory.** An inventory of the applications that are installed on the computer. This information includes system technologies such as Windows® Installer. + +To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead. 
+ +If you decide to deploy inventory-collector packages to representative subsets of computers in your organization, consider the following: + +- [Managed and Unmanaged Environments](#bmk-managedunmanaged) + +- [Role-Based Applications](#bmk-rolebasedapplications) + +- [Software Distribution](#bmk-softwaredistribution) + +- [Geographic Distribution](#bmk-geographicdistribution) + +- [Computer Types](#bmk-computertypes) + +## Managed and Unmanaged Environments + + +In your organization, you may have managed environments and unmanaged environments. + +In a managed environment, IT administrators strictly control and manage the installation and use of applications. In this environment, you can discover the full inventory by deploying inventory-collector packages to a limited subset of computers. + +In an unmanaged environment, users have administrator permissions and can install applications at their own discretion. To obtain the full inventory, you must deploy your inventory-collector packages to more computers. + +## Role-Based Applications + + +Your organization may use role-based applications that relate to job function. For example, accountants may use finance-related applications. Reviewing application use together with job function helps you better identify which subsets of computers need inventory-collector packages. + +## Software Distribution + + +You can distribute applications in various ways within an organization. For example, you can use Group Policy, Microsoft® IntelliMirror®, Microsoft System Center Configuration Manager, or a customized distribution method. Reviewing the policies for your software distribution system helps you better identify which subsets of computers need inventory-collector packages. + +## Geographic Distribution + + +While you plan for inventory collection, consider the geographic distribution of your organization, and consider application use within each region. 
Be sure to account for divisional applications, localized applications, and applications that are specific to the geographic location and export restrictions. Consult with technical and business leaders from each region to understand the differences and determine which subsets of computers need inventory-collector packages. + +## Computer Types + + +Computer types can be an important factor in the deployment of inventory-collector packages. The following sections describe common computer types. + +### Mobile Computers + +Mobile users are frequently offline, occasionally synchronizing with the corporate network through a LAN or VPN connection. The user must be online for the inventory-collector package to be downloaded and installed, and must be online again for the logged data to be uploaded. + +### Multiuser Computers + +Multiuser computers are typically in university computer labs, libraries, and organizations that enable job sharing. These computers include a core set of applications that are always available, in addition to many applications that can be installed and removed as necessary. Because these computers typically have a core set of applications, you can identify a narrow subset of computers to receive the inventory-collector package. + +### AppStations and TaskStations + +AppStations that run vertical applications are typically for marketing, claims and loan processing, and customer service. TaskStations are typically dedicated to running a single application in a location such as a manufacturing floor (as an entry terminal) or a call center. Because AppStations and TaskStations do not typically enable users to add or remove applications, you can identify a narrow subset of computers to receive the inventory-collector package. + +### Kiosks + +Kiosks are generally in public areas. These computers run unattended. They also generally run a single application by using a single-use account and automatic logon. 
Because these computers typically run a single application, you can identify a narrow subset of computers to receive the inventory-collector package. + +## Related topics + + +[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md) + +[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md) + +  + +  + + + + + diff --git a/windows/plan/images/branch.png b/windows/plan/images/branch.png new file mode 100644 index 0000000000..a7eefed13c Binary files /dev/null and b/windows/plan/images/branch.png differ diff --git a/windows/plan/images/chromebook-fig1-googleadmin.png b/windows/plan/images/chromebook-fig1-googleadmin.png new file mode 100644 index 0000000000..b3d42e5ff2 Binary files /dev/null and b/windows/plan/images/chromebook-fig1-googleadmin.png differ diff --git a/windows/plan/images/dep-win8-e-act-addissue.gif b/windows/plan/images/dep-win8-e-act-addissue.gif new file mode 100644 index 0000000000..dbe6b657bb Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-addissue.gif differ diff --git a/windows/plan/images/dep-win8-e-act-addsolution.gif b/windows/plan/images/dep-win8-e-act-addsolution.gif new file mode 100644 index 0000000000..98e6c27ad7 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-addsolution.gif differ diff --git a/windows/plan/images/dep-win8-e-act-categorize.gif b/windows/plan/images/dep-win8-e-act-categorize.gif new file mode 100644 index 0000000000..23bae141bc Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-categorize.gif differ diff --git a/windows/plan/images/dep-win8-e-act-communityexample.gif b/windows/plan/images/dep-win8-e-act-communityexample.gif new file mode 100644 index 0000000000..111e79a839 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-communityexample.gif differ 
diff --git a/windows/plan/images/dep-win8-e-act-createnewdcp.gif b/windows/plan/images/dep-win8-e-act-createnewdcp.gif new file mode 100644 index 0000000000..7ad0515838 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-createnewdcp.gif differ diff --git a/windows/plan/images/dep-win8-e-act-delete.gif b/windows/plan/images/dep-win8-e-act-delete.gif new file mode 100644 index 0000000000..24d6b6cd8f Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-delete.gif differ diff --git a/windows/plan/images/dep-win8-e-act-deploymentstatus.gif b/windows/plan/images/dep-win8-e-act-deploymentstatus.gif new file mode 100644 index 0000000000..5f07b13d22 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-deploymentstatus.gif differ diff --git a/windows/plan/images/dep-win8-e-act-doesnotwork64icon.gif b/windows/plan/images/dep-win8-e-act-doesnotwork64icon.gif new file mode 100644 index 0000000000..a92e0d9525 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-doesnotwork64icon.gif differ diff --git a/windows/plan/images/dep-win8-e-act-doesnotworkicon.gif b/windows/plan/images/dep-win8-e-act-doesnotworkicon.gif new file mode 100644 index 0000000000..d07dce9b67 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-doesnotworkicon.gif differ diff --git a/windows/plan/images/dep-win8-e-act-exportdcp.gif b/windows/plan/images/dep-win8-e-act-exportdcp.gif new file mode 100644 index 0000000000..35fb052076 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-exportdcp.gif differ diff --git a/windows/plan/images/dep-win8-e-act-exportreportdata.gif b/windows/plan/images/dep-win8-e-act-exportreportdata.gif new file mode 100644 index 0000000000..924efd2a21 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-exportreportdata.gif differ 
diff --git a/windows/plan/images/dep-win8-e-act-filterdata.gif b/windows/plan/images/dep-win8-e-act-filterdata.gif new file mode 100644 index 0000000000..ebb4547df3 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterdata.gif differ diff --git a/windows/plan/images/dep-win8-e-act-filterexampleallapps0activeissues.gif b/windows/plan/images/dep-win8-e-act-filterexampleallapps0activeissues.gif new file mode 100644 index 0000000000..909cb95436 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterexampleallapps0activeissues.gif differ diff --git a/windows/plan/images/dep-win8-e-act-filterexampleallapps0issues.gif b/windows/plan/images/dep-win8-e-act-filterexampleallapps0issues.gif new file mode 100644 index 0000000000..178095998f Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterexampleallapps0issues.gif differ diff --git a/windows/plan/images/dep-win8-e-act-filterexampleallappswissues.gif b/windows/plan/images/dep-win8-e-act-filterexampleallappswissues.gif new file mode 100644 index 0000000000..824bcd764a Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterexampleallappswissues.gif differ diff --git a/windows/plan/images/dep-win8-e-act-filterexamplecategory.gif b/windows/plan/images/dep-win8-e-act-filterexamplecategory.gif new file mode 100644 index 0000000000..2621c7e2b5 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterexamplecategory.gif differ diff --git a/windows/plan/images/dep-win8-e-act-filterexampleforissueswsolutions.gif b/windows/plan/images/dep-win8-e-act-filterexampleforissueswsolutions.gif new file mode 100644 index 0000000000..40b8e61815 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterexampleforissueswsolutions.gif differ 
diff --git a/windows/plan/images/dep-win8-e-act-filterexampleforspecificsolutions.gif b/windows/plan/images/dep-win8-e-act-filterexampleforspecificsolutions.gif new file mode 100644 index 0000000000..74c2687b0b Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-filterexampleforspecificsolutions.gif differ diff --git a/windows/plan/images/dep-win8-e-act-greenworks64icon.gif b/windows/plan/images/dep-win8-e-act-greenworks64icon.gif new file mode 100644 index 0000000000..a69b282a37 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-greenworks64icon.gif differ diff --git a/windows/plan/images/dep-win8-e-act-greenworksicon.gif b/windows/plan/images/dep-win8-e-act-greenworksicon.gif new file mode 100644 index 0000000000..73626ccdcf Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-greenworksicon.gif differ diff --git a/windows/plan/images/dep-win8-e-act-help.gif b/windows/plan/images/dep-win8-e-act-help.gif new file mode 100644 index 0000000000..6ce522acba Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-help.gif differ diff --git a/windows/plan/images/dep-win8-e-act-home.gif b/windows/plan/images/dep-win8-e-act-home.gif new file mode 100644 index 0000000000..0555779689 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-home.gif differ diff --git a/windows/plan/images/dep-win8-e-act-info64icon.gif b/windows/plan/images/dep-win8-e-act-info64icon.gif new file mode 100644 index 0000000000..b4593fd6d1 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-info64icon.gif differ diff --git a/windows/plan/images/dep-win8-e-act-infoicon.gif b/windows/plan/images/dep-win8-e-act-infoicon.gif new file mode 100644 index 0000000000..6ef158023c Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-infoicon.gif differ 
diff --git a/windows/plan/images/dep-win8-e-act-minorissues64icon.gif b/windows/plan/images/dep-win8-e-act-minorissues64icon.gif new file mode 100644 index 0000000000..8842896029 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-minorissues64icon.gif differ diff --git a/windows/plan/images/dep-win8-e-act-minorissuesicon.png b/windows/plan/images/dep-win8-e-act-minorissuesicon.png new file mode 100644 index 0000000000..ea4d0588a6 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-minorissuesicon.png differ diff --git a/windows/plan/images/dep-win8-e-act-moveupanddown.gif b/windows/plan/images/dep-win8-e-act-moveupanddown.gif new file mode 100644 index 0000000000..06a357b04e Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-moveupanddown.gif differ diff --git a/windows/plan/images/dep-win8-e-act-open.gif b/windows/plan/images/dep-win8-e-act-open.gif new file mode 100644 index 0000000000..430bc23095 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-open.gif differ diff --git a/windows/plan/images/dep-win8-e-act-prioritize.gif b/windows/plan/images/dep-win8-e-act-prioritize.gif new file mode 100644 index 0000000000..8327888637 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-prioritize.gif differ diff --git a/windows/plan/images/dep-win8-e-act-reactivate-resolved-issue.gif b/windows/plan/images/dep-win8-e-act-reactivate-resolved-issue.gif new file mode 100644 index 0000000000..4a647114a4 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-reactivate-resolved-issue.gif differ diff --git a/windows/plan/images/dep-win8-e-act-refresh.gif b/windows/plan/images/dep-win8-e-act-refresh.gif new file mode 100644 index 0000000000..1e9cd7e6aa Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-refresh.gif differ 
diff --git a/windows/plan/images/dep-win8-e-act-riskassessment.gif b/windows/plan/images/dep-win8-e-act-riskassessment.gif new file mode 100644 index 0000000000..74c9e784e2 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-riskassessment.gif differ diff --git a/windows/plan/images/dep-win8-e-act-save.gif b/windows/plan/images/dep-win8-e-act-save.gif new file mode 100644 index 0000000000..50691cc5c8 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-save.gif differ diff --git a/windows/plan/images/dep-win8-e-act-savereport.gif b/windows/plan/images/dep-win8-e-act-savereport.gif new file mode 100644 index 0000000000..00395ee6dd Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-savereport.gif differ diff --git a/windows/plan/images/dep-win8-e-act-sendandreceive.gif b/windows/plan/images/dep-win8-e-act-sendandreceive.gif new file mode 100644 index 0000000000..9272a99a14 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-sendandreceive.gif differ diff --git a/windows/plan/images/dep-win8-e-act-sendandreceiveicon.gif b/windows/plan/images/dep-win8-e-act-sendandreceiveicon.gif new file mode 100644 index 0000000000..7e38cf8108 Binary files /dev/null and b/windows/plan/images/dep-win8-e-act-sendandreceiveicon.gif differ diff --git a/windows/plan/images/dep-win8-l-act-appcallosthroughiat.jpg b/windows/plan/images/dep-win8-l-act-appcallosthroughiat.jpg new file mode 100644 index 0000000000..2ab0b3c13d Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-appcallosthroughiat.jpg differ diff --git a/windows/plan/images/dep-win8-l-act-appredirectwithcompatfix.jpg b/windows/plan/images/dep-win8-l-act-appredirectwithcompatfix.jpg new file mode 100644 index 0000000000..a4a4f4f616 Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-appredirectwithcompatfix.jpg differ 
diff --git a/windows/plan/images/dep-win8-l-act-communityworkflowdiagram.jpg b/windows/plan/images/dep-win8-l-act-communityworkflowdiagram.jpg new file mode 100644 index 0000000000..95f3fdb690 Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-communityworkflowdiagram.jpg differ diff --git a/windows/plan/images/dep-win8-l-act-compatadminflowchart.jpg b/windows/plan/images/dep-win8-l-act-compatadminflowchart.jpg new file mode 100644 index 0000000000..a6b484d53c Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-compatadminflowchart.jpg differ diff --git a/windows/plan/images/dep-win8-l-act-suaflowchart.jpg b/windows/plan/images/dep-win8-l-act-suaflowchart.jpg new file mode 100644 index 0000000000..07865c7c75 Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-suaflowchart.jpg differ diff --git a/windows/plan/images/dep-win8-l-act-suawizardflowchart.jpg b/windows/plan/images/dep-win8-l-act-suawizardflowchart.jpg new file mode 100644 index 0000000000..9357e6f3bb Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-suawizardflowchart.jpg differ diff --git a/windows/plan/images/dep-win8-l-act-supportedtopologies.jpg b/windows/plan/images/dep-win8-l-act-supportedtopologies.jpg new file mode 100644 index 0000000000..fd03081e46 Binary files /dev/null and b/windows/plan/images/dep-win8-l-act-supportedtopologies.jpg differ diff --git a/windows/plan/images/fig1-deferupgrades.png b/windows/plan/images/fig1-deferupgrades.png new file mode 100644 index 0000000000..f8c52b943e Binary files /dev/null and b/windows/plan/images/fig1-deferupgrades.png differ diff --git a/windows/plan/images/fig2-deploymenttimeline.png b/windows/plan/images/fig2-deploymenttimeline.png new file mode 100644 index 0000000000..a8061d2f15 Binary files /dev/null and b/windows/plan/images/fig2-deploymenttimeline.png differ 
diff --git a/windows/plan/images/fig2-locallyconfig.png b/windows/plan/images/fig2-locallyconfig.png new file mode 100644 index 0000000000..d2fe9820da Binary files /dev/null and b/windows/plan/images/fig2-locallyconfig.png differ diff --git a/windows/plan/images/fig3-overlaprelease.png b/windows/plan/images/fig3-overlaprelease.png new file mode 100644 index 0000000000..58747a35cf Binary files /dev/null and b/windows/plan/images/fig3-overlaprelease.png differ diff --git a/windows/plan/images/fig4-wsuslist.png b/windows/plan/images/fig4-wsuslist.png new file mode 100644 index 0000000000..de35531356 Binary files /dev/null and b/windows/plan/images/fig4-wsuslist.png differ diff --git a/windows/plan/images/wtg-first-boot-home.gif b/windows/plan/images/wtg-first-boot-home.gif new file mode 100644 index 0000000000..46cd605a2e Binary files /dev/null and b/windows/plan/images/wtg-first-boot-home.gif differ diff --git a/windows/plan/images/wtg-first-boot-work.gif b/windows/plan/images/wtg-first-boot-work.gif new file mode 100644 index 0000000000..c1a9a9d31d Binary files /dev/null and b/windows/plan/images/wtg-first-boot-work.gif differ diff --git a/windows/plan/images/wtg-gpt-uefi.gif b/windows/plan/images/wtg-gpt-uefi.gif new file mode 100644 index 0000000000..2ff2079a3c Binary files /dev/null and b/windows/plan/images/wtg-gpt-uefi.gif differ diff --git a/windows/plan/images/wtg-image-deployment.gif b/windows/plan/images/wtg-image-deployment.gif new file mode 100644 index 0000000000..d622911f3e Binary files /dev/null and b/windows/plan/images/wtg-image-deployment.gif differ diff --git a/windows/plan/images/wtg-mbr-bios.gif b/windows/plan/images/wtg-mbr-bios.gif new file mode 100644 index 0000000000..b93796944a Binary files /dev/null and b/windows/plan/images/wtg-mbr-bios.gif differ 
diff --git a/windows/plan/images/wtg-mbr-firmware-roaming.gif b/windows/plan/images/wtg-mbr-firmware-roaming.gif new file mode 100644 index 0000000000..f21592c310 Binary files /dev/null and b/windows/plan/images/wtg-mbr-firmware-roaming.gif differ diff --git a/windows/plan/images/wtg-startup-options.gif b/windows/plan/images/wtg-startup-options.gif new file mode 100644 index 0000000000..302da78ea6 Binary files /dev/null and b/windows/plan/images/wtg-startup-options.gif differ diff --git a/windows/plan/images/wuforbus-fig1-manuallyset.png b/windows/plan/images/wuforbus-fig1-manuallyset.png new file mode 100644 index 0000000000..2f684c32ff Binary files /dev/null and b/windows/plan/images/wuforbus-fig1-manuallyset.png differ diff --git a/windows/plan/images/wuforbusiness-fig10-sccmconsole.png b/windows/plan/images/wuforbusiness-fig10-sccmconsole.png new file mode 100644 index 0000000000..5e43f36403 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig10-sccmconsole.png differ diff --git a/windows/plan/images/wuforbusiness-fig11-intune.png b/windows/plan/images/wuforbusiness-fig11-intune.png new file mode 100644 index 0000000000..8006085bf1 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig11-intune.png differ diff --git a/windows/plan/images/wuforbusiness-fig12a-updates.png b/windows/plan/images/wuforbusiness-fig12a-updates.png new file mode 100644 index 0000000000..078d60b745 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig12a-updates.png differ diff --git a/windows/plan/images/wuforbusiness-fig13a-upgrades.png b/windows/plan/images/wuforbusiness-fig13a-upgrades.png new file mode 100644 index 0000000000..432e0d8711 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig13a-upgrades.png differ 
diff --git a/windows/plan/images/wuforbusiness-fig2-gp.png b/windows/plan/images/wuforbusiness-fig2-gp.png new file mode 100644 index 0000000000..d748cd0dc9 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig2-gp.png differ diff --git a/windows/plan/images/wuforbusiness-fig3-mdm.png b/windows/plan/images/wuforbusiness-fig3-mdm.png new file mode 100644 index 0000000000..90900dee9d Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig3-mdm.png differ diff --git a/windows/plan/images/wuforbusiness-fig4-localpoleditor.png b/windows/plan/images/wuforbusiness-fig4-localpoleditor.png new file mode 100644 index 0000000000..0c6a1a0265 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig4-localpoleditor.png differ diff --git a/windows/plan/images/wuforbusiness-fig5-deferupgrade.png b/windows/plan/images/wuforbusiness-fig5-deferupgrade.png new file mode 100644 index 0000000000..591ba04c8a Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig5-deferupgrade.png differ diff --git a/windows/plan/images/wuforbusiness-fig6-pause.png b/windows/plan/images/wuforbusiness-fig6-pause.png new file mode 100644 index 0000000000..d19ef0e013 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig6-pause.png differ diff --git a/windows/plan/images/wuforbusiness-fig7-validationgroup.png b/windows/plan/images/wuforbusiness-fig7-validationgroup.png new file mode 100644 index 0000000000..ebd28fb689 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig7-validationgroup.png differ diff --git a/windows/plan/images/wuforbusiness-fig8a-chooseupdates.png b/windows/plan/images/wuforbusiness-fig8a-chooseupdates.png new file mode 100644 index 0000000000..ce8a59a910 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig8a-chooseupdates.png differ 
diff --git a/windows/plan/images/wuforbusiness-fig9-dosettings.jpg b/windows/plan/images/wuforbusiness-fig9-dosettings.jpg new file mode 100644 index 0000000000..04c3558d41 Binary files /dev/null and b/windows/plan/images/wuforbusiness-fig9-dosettings.jpg differ diff --git a/windows/plan/index.md b/windows/plan/index.md new file mode 100644 index 0000000000..3c830e97d4 --- /dev/null +++ b/windows/plan/index.md 
@@ -0,0 +1,44 @@ +--- +title: Plan for Windows 10 deployment (Windows 10) +description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. +ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15 +keywords: ["deploy", "upgrade", "update", "configure"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Plan for Windows 10 deployment +Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process. + +## In this section +|Topic |Description | +|------|------------| +|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). | +|[Windows 10 servicing options](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. | +|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. | +|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. 
| +|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | +|[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. | +|[Guidance for education environments](windows-10-guidance-for-education-environments.md) |Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. | +|[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. | +|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. 
| + +## Related topics +- [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md) +- [Deploy Windows 10 with MDT 2013 Update 1](../deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +- [Upgrade to Windows 10 with MDT 2013 Update 1](../deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +- [Upgrade to Windows 10 with Configuration Manager](../deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md) +- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) +- [Windows 10 and Windows 10 Mobile](../index.md) + +  + +  + + + + + diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md new file mode 100644 index 0000000000..2d040ed0be --- /dev/null +++ b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md 
@@ -0,0 +1,72 @@ +--- +title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. +ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. + +By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator. + +**Important**   +Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. + +In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. 
For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md). + +  + +## Installing a Custom Database + + +Installing your custom-compatibility database enables you to fix issues with your installed applications. + +**To install a custom database** + +1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers. + +2. On the **File** menu, click **Install**. + + The Compatibility Administrator installs the database, which appears in the **Installed Databases** list. + + The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file. + +## Uninstalling a Custom Database + + +When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database. + +**To uninstall a custom database** + +1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers. + +2. On the **File** menu, click **Uninstall**. + +## Related topics + + +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) + +  + +  + + + + + diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md new file mode 100644 index 0000000000..195b8d4828 --- /dev/null +++ b/windows/plan/integration-with-management-solutions-.md 
@@ -0,0 +1,69 @@ +--- +title: Integration with management solutions (Windows 10) +description: You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. +ms.assetid: E0CB0CD3-4FE1-46BF-BA6F-5A5A8BD14CC9 +keywords: ["update", "upgrade", "deployment", "manage", "tools"] +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Integration with management solutions + + +**Applies to** + +- Windows 10 + +You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. + +## System Center Configuration Manager + + +For Windows 10, version 1511, organizations that already manage their systems with Configuration Manager can also have their devices configured for Windows Update for Business (in other words, set deferral policies on those machines). For Windows 10, version 1511, such devices will be visible in the Configuration Manager console, however they will appear with a detection state of “Unknown”. + +![figure 1](images/wuforbusiness-fig10-sccmconsole.png) + +## WSUS standalone + + +For Windows 10, version 1511, you cannot configure devices for both Windows Update for Business *and* to receive updates from WSUS. If both group policies are set (for both deferrals as well as WSUS scanning), Windows Update for Business settings will NOT be respected and devices will continue to scan against WSUS. + +## Enterprise Mobility Suite: Intune + + +You can configure Windows Update for Business by using MDM policy. To configure Windows Update for Business with Intune: + +1. Create a new Windows 10 custom policy. (Add a policy, and choose **Custom Configuration for Windows 10 Desktop and phone…**). + + ![figure 2](images/wuforbusiness-fig11-intune.png) + +2. 
Configure the device to Consumer Branch for Business by selecting to defer upgrades (as described in [Setup and deployment](setup-and-deployment.md). + + **Note**   + As noted, because WSUS and Windows Update for Business are mutually exclusive policies, do not set **UpdateServiceUrl** if you want to configure to defer upgrades. + +   + +3. Establish deferral windows for updates and upgrades. + + ![figure 3](images/wuforbusiness-fig12a-updates.png) + + ![figure 4](images/wuforbusiness-fig13a-upgrades.png) + +## Related topics + + +[Windows Update for Business](windows-update-for-business.md) + +[Setup and deployment](setup-and-deployment.md) + +  + +  + + + + + diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md new file mode 100644 index 0000000000..fdcd6ef921 --- /dev/null +++ b/windows/plan/internet-explorer-web-site-report.md 
@@ -0,0 +1,67 @@ +--- +title: Internet Explorer - Web Site Report (Windows 10) +ms.assetid: f072033d-9d42-47ed-8fb0-dbdc28442910 +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Internet Explorer - Web Site Report + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The **Internet Explorer - Web Site Report** screen shows the following information for each of the websites visited in your organization: + +- The website URL. + +- Your organization's compatibility rating for the website. + +- The count of issues for the website. + +- The count of resolved issues for the website. + +**To open the Internet Explorer - Web Site Report screen** + +1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**. + +2. In the **Quick Reports** pane, under the **Internet Explorer** heading, click **Web Sites**. + +## Using the Internet Explorer - Web Site Report Screen + + +On the **Internet Explorer - Web Site Report** screen, you can: + +- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). + +- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). + +- Specify your compatibility rating for a website. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). + +- Select your deployment status for a website. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). + +- Assign categories and subcategories to a website. 
For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of a website to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +- Double-click a website name to view its associated dialog box. For more information, see [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md). + +  + +  + + + + + diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md new file mode 100644 index 0000000000..d9fe6d9da7 --- /dev/null +++ b/windows/plan/labeling-data-in-acm.md 
@@ -0,0 +1,53 @@ +--- +title: Labeling Data in ACM (Windows 10) +description: Application data and its associated compatibility issues can vary within an organization. +ms.assetid: d099c747-e68a-4cad-a639-9f33efab35b3 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Labeling Data in ACM + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Application data and its associated compatibility issues can vary within an organization. For example, the applications used by a Human Resources (HR) department might differ from the applications used by a Sales department. Even for applications that are used across an organization, different compatibility issues might be found for each business group because of the unique application use by each business group. + +Your data-collection packages can add a *label* to your inventoried applications. To filter by business group when analyzing reports, you can create a different data-collection package for each business group and have each package assign a unique label. For example, you can create a data-collection package for your Sales department with a **Sales** label. During reports analysis, you can filter your results so that only the data with the **Sales** label is visible. + +You can specify a label when you create a data-collection package. You cannot change the label for an existing data-collection package. + +**To specify the label for a new data-collection package** + +1. In Application Compatibility Manager (ACM), on the **Go** menu, click **Collect**. + +2. On the **Collect** screen, click **File** from the toolbar, and then click **New** to start creating a new data-collection package. + +3. In the wizard, enter the label that you want to be applied by the data-collection package. 
+ +## Related topics + + +[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) + +[Exporting a Data-Collection Package](exporting-a-data-collection-package.md) + +[Deleting a Data-Collection Package](deleting-a-data-collection-package.md) + +  + +  + + + + + diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md new file mode 100644 index 0000000000..6483bf1b49 --- /dev/null +++ b/windows/plan/log-file-locations-for-data-collection-packages.md 
@@ -0,0 +1,53 @@ +--- +title: Log File Locations for Data-Collection Packages (Windows 10) +ms.assetid: dcc395e7-2d9c-4935-abab-33c5934ce24a +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Log File Locations for Data-Collection Packages + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +When you create a data-collection package in Application Compatibility Manager (ACM), you can select an output location for your log files. You have the following options: + +- Specify an ACT Log Processing Service (LPS) share. The data-collection package automatically writes the log files to the specified ACT LPS share. + + If the ACT LPS share is unavailable when the upload time interval is reached, the data-collection package will make two more attempts. + + For inventory collector packages, after the third attempt, the inventory collector package no longer attempts to upload data. + + For runtime-analysis packages, if the problem persists, the runtime-analysis package will store the log file in %SYSTEMDRIVE%\\Users\\All Users\\Microsoft\\Application Compatibility Toolkit\\LogProcessor\\Failed. The runtime-analysis package will attempt to upload the files again at the next upload interval. + +- Select **Local (%ACTAppData%\\DataCollector\\Output)**. If you use this option, the data-collection package creates log files on the local system and the computer administrator must manually copy the files to the ACT LPS share location. Consider this option for mobile users who are not always connected to the network. The log files are located in %SYSTEMDRIVE%\\Users\\All Users\\Microsoft\\Application Compatibility Toolkit\\DataCollector\\Output. + +- Type an alternate network share location. If you use this option, verify that the data-collection package can write to the alternate location. 
You might consider this option if your organization is geographically diverse. For example, administrators can create data-collection packages and file shares individually for each geographic location. Administrators at a central location must then move the log files to a central location and map the files to the ACT LPS share for processing and entry into the ACT database. + +## Related topics + + +[Exporting a Data-Collection Package](exporting-a-data-collection-package.md) + +[Deleting a Data-Collection Package](deleting-a-data-collection-package.md) + +[Labeling Data in ACM](labeling-data-in-acm.md) + +  + +  + + + + + diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md new file mode 100644 index 0000000000..d85029f97f --- /dev/null +++ b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -0,0 +1,71 @@ +--- +title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) +description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. +ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Managing Application-Compatibility Fixes and Custom Fix Databases + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)

As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.

[Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)

After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:

[Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)

This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.

+ +  + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) + +  + +  + + + + + diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md new file mode 100644 index 0000000000..eb9af845ad --- /dev/null +++ b/windows/plan/managing-your-data-collection-packages.md @@ -0,0 +1,79 @@ +--- +title: Managing Your Data-Collection Packages (Windows 10) +description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. +ms.assetid: 369ae82f-c8ca-42ec-85df-1b760a74e70a +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Managing Your Data-Collection Packages + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. Data-collection packages include inventory-collector packages and runtime-analysis packages. The following procedures apply to both package types. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)

When you create a data-collection package in Application Compatibility Manager (ACM), you can select an output location for your log files. You have the following options:

[Exporting a Data-Collection Package](exporting-a-data-collection-package.md)

In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.

[Deleting a Data-Collection Package](deleting-a-data-collection-package.md)

In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.

[Labeling Data in ACM](labeling-data-in-acm.md)

Application data and its associated compatibility issues can vary within an organization. For example, the applications used by a Human Resources (HR) department might differ from the applications used by a Sales department. Even for applications that are used across an organization, different compatibility issues might be found for each business group because of the unique application use by each business group.

+ +  + +## Related topics + + +[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) + +[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) + +[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) + +[Fixing Compatibility Issues](fixing-compatibility-issues.md) + +  + +  + + + + + diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md new file mode 100644 index 0000000000..e49ccba8f8 --- /dev/null +++ b/windows/plan/organizational-tasks-for-each-report-type.md @@ -0,0 +1,95 @@ +--- +title: Organizational Tasks for Each Report Type (Windows 10) +description: The following table shows which tasks can be performed for each report type. +ms.assetid: 7463fab1-ba6e-4a9a-9112-0b69a18fe353 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Organizational Tasks for Each Report Type + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The following table shows which tasks can be performed for each report type. + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Report[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)[Selecting Your Deployment Status](selecting-your-deployment-status.md)[Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)[Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)[Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)

[<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)

Yes

Yes

Yes

Yes

Yes

Yes

[<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)

No

No

Yes

Yes

No

No

[<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)

No

No

Yes

Yes

No

No

[<WebsiteURL> Dialog Box](websiteurl-dialog-box.md)

Yes

Yes

Yes

Yes

Yes

Yes

+ +  + +  + +  + + + + + diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md new file mode 100644 index 0000000000..15d1d152b6 --- /dev/null +++ b/windows/plan/organizing-your-compatibility-data.md @@ -0,0 +1,89 @@ +--- +title: Organizing Your Compatibility Data (Windows 10) +description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). +ms.assetid: e91ae444-5d85-4b5f-b655-a765ecc78b1e +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Organizing Your Compatibility Data + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md)

The following table shows which tasks can be performed for each report type.

[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)

You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. Your rating applies to your entire organization and is based on your own testing results and organizational requirements.

[Selecting Your Deployment Status](selecting-your-deployment-status.md)

In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites.

[Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)

To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites. By default, Microsoft provides the following categories:

[Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)

You can prioritize your applications, websites, computers, and devices to help customize and filter your compatibility reports. The priority levels are:

[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)

For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange

[Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)

This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.

+ +  + +## Related topics + + +[Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md) + +[Filtering Your Compatibility Data](filtering-your-compatibility-data.md) + +[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) + +  + +  + + + + + diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md new file mode 100644 index 0000000000..8c14a856c0 --- /dev/null +++ b/windows/plan/prepare-your-organization-for-windows-to-go.md 
@@ -0,0 +1,127 @@ +--- +title: Prepare your organization for Windows To Go (Windows 10) +description: Prepare your organization for Windows To Go +ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff +keywords: ["mobile, device, USB, deploy"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Prepare your organization for Windows To Go + + +**Applies to** + +- Windows 10 + +The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. + +## What is Windows To Go? + + +Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, a Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings. + +Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: + +- USB boot capable + +- Have USB boot enabled in the firmware + +- Meet Windows 7 minimum system requirements + +- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go. + +- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace + +Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. 
+ +The following topics will familiarize you with how you can use a Windows To Go workspace and give you an overview of some of the things you should consider in your design. + +## Usage scenarios + + +The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer: + +- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. + +- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker’s personal computer. 
+ +- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. + +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. + +- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. + +**Note**   +If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). + +  + +## Infrastructure considerations + + +Because Windows To Go requires no additional software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. 
Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no additional infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group. + +## Activation considerations + + +Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements. + +Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](http://go.microsoft.com/fwlink/p/?LinkId=618922). + +You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. + +**Note**   +Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. 
MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. + +  + +See [Plan for Volume Activation](http://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization. + +## Organizational unit structure and use of Group Policy Objects + + +You may find it beneficial to create additional Active Directory organizational unit (OU) structures to support your Windows To Go deployment; one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers which have the ability to boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation. + +If you are deploying Windows To Go workspaces for a scenario in which they are not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store. 
+ +For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +## Computer account management + + +If you configure Windows To Go drives for scenarios where drives may remain unused for extended period of time such as use in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule or modify any maintenance scripts to not clean up computer accounts in the Windows To Go device organizational unit. + +## User account and data management + + +People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. 
For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](http://go.microsoft.com/fwlink/p/?LinkId=618924). + +Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. + +## Remote connectivity + + +If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](http://go.microsoft.com/fwlink/p/?LinkId=618925). + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + +  + +  + + + + + diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md new file mode 100644 index 0000000000..b597b63fc8 --- /dev/null +++ b/windows/plan/prioritizing-your-compatibility-data.md 
@@ -0,0 +1,102 @@ +--- +title: Prioritizing Your Compatibility Data (Windows 10) +ms.assetid: 103e125a-bd2b-4019-9d6a-2e1d50c380b1 +description: +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Prioritizing Your Compatibility Data + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can prioritize your applications, websites, computers, and devices to help customize and filter your compatibility reports. The priority levels are: + +- **Priority 1 - Business Critical**. The highest priority level, applied to an item that is so important to your organization that a compatibility issue with the item would keep you from deploying a new operating system. + +- **Priority 2 - Important**. Items that your organization regularly uses but can function without. + +- **Priority 3 - Nice to Have**. Lower-priority items that you want to show in your compatibility reports that do not belong in either of the previous two categories. + +- **Priority 4 - Unimportant**. Items that are irrelevant to the daily functions of your organization. + +- **Unspecified**. The default priority level, applied to items that have not yet been reviewed for deployment. + +## Prioritizing Your Applications, Computers, Devices, and Websites + + +The following example uses the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same on the reports for computers, devices, and websites. + +**To change the priority** + +1. On the **<Operating\_System> - Application Report** screen, click the name of the application. + +2. On the **Actions** menu, click **Set Priority**. + +3. Click a priority, and then click **OK**. + +**To filter your data by priority** + +1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. + +2. 
Enter your filter criteria, pressing the Tab key to add clauses. + + Consider the following example, which shows a query that filters for all applications that have a priority level of **Business Critical** or **Important**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
And/OrFieldOperatorValue

And

Priority

Equals

Priority 1 - Business Critical

Or

Priority

Equals

Priority 2 - Important

+ +   + + To delete a clause, right-click the row, and then click **Delete Clause**. + +3. Click **Refresh**. + + Your filtered results appear. + +  + +  + + + + + diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md new file mode 100644 index 0000000000..ab8a3a47ec --- /dev/null +++ b/windows/plan/ratings-icons-in-acm.md @@ -0,0 +1,110 @@ +--- +title: Ratings Icons in ACM (Windows 10) +description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. +ms.assetid: 0165499e-cb47-4d76-98a6-b871d23e4e83 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Ratings Icons in ACM + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. + +For information about specifying your own ratings, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). For information about community ratings, see [ACT Community Ratings and Process](act-community-ratings-and-process.md). + +## Icons + + +The following table shows icons that appear on the report screens and dialog boxes for **Company Assessment** and **Vendor Assessment**. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IconDescription
ACT Green icon

Application, device, or website functions as expected on a 32-bit operating system.

ACT green 64-bit icon

Application, device, or website functions as expected on a 64-bit operating system.

ACT minor issue icon

Application, device, or website with issues that are minor or have known solutions on a 32-bit operating system. Severity 3 issues are considered minor issues.

ACT Minor issues 64-bit icon

Application, device, or website with issues that are minor or have known solutions on a 64-bit operating system.

ACT does not work icon

Application, device, or website with major issues, such as data loss or severely impaired functionality, on 32-bit operating systems. Severity 1 and Severity 2 issues are considered major issues.

ACT does not work 64-bit icon

Application, device, or website with major issues, such as data loss or severely impaired functionality, on 64-bit operating systems.

ACT Information icon

Application, device, or website that does not have any application assessment data for 32-bit operating systems. The item does not match any information in the database, or no assessments have been submitted.

ACT 64-bit info icon

Application, device, or website that does not have any application assessment data for 64-bit operating systems.

+ +  + +## User Ratings and ACT Community Ratings + + +Ratings are displayed graphically in the **User Ratings** column and the **Community Assessment** column. The rating color and bar count depend on how the users or community rated the item. There are three possible ratings: + +- **Works**. Applications with this rating receive five green bars. + +- **Works with minor issues or has solutions**. Applications with this rating receive three light-green bars. + +- **Does not work**. Applications with this rating receive a single red bar. + +The color gradient from one to five bars shows the average rating. + +![act community](images/dep-win8-e-act-communityexample.gif) + +## Related topics + + +[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md) + +[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) + +  + +  + + + + + diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md new file mode 100644 index 0000000000..74ffe1f620 --- /dev/null +++ b/windows/plan/resolving-an-issue.md 
@@ -0,0 +1,61 @@ +--- +title: Resolving an Issue (Windows 10) +description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. +ms.assetid: 96195122-185d-4f6a-8e84-79c3d069e933 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Resolving an Issue + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red **x** to a green check mark on your report and report detail screens. + +Resolving an issue is not required. However, if you do not resolve the issue, the issue remains active in your ACT database and provides inaccurate reports. + +## Resolving Issues for Your Applications and Websites + + +This procedure describes how to resolve an existing issue that is documented in ACM. For information about adding an issue, see [Adding or Editing an Issue](adding-or-editing-an-issue.md). + +**Note**   +The following example uses the **<Application\_Name>** dialog box. The procedure is similar for websites. + +  + +**To resolve issues** + +1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box. + +2. Click the **Issues** tab. + +3. Double-click the specific issue to resolve. + +4. On the **Actions** menu, click **Resolve**, and then close the **<Application\_Name> - <Issue\_Title>** dialog box. + + The issue appears with a green check mark in the report details screen. 
+ + **Note**   + If you have not entered a solution but have resolved the issue, Microsoft recommends that you enter a solution with **Other** solution type and add text that describes why you resolved the issue without a solution. For information about entering solutions, see [Adding or Editing a Solution](adding-or-editing-a-solution.md). + +   + +  + +  + + + + + diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md new file mode 100644 index 0000000000..2f947a935e --- /dev/null +++ b/windows/plan/saving-opening-and-exporting-reports.md 
@@ -0,0 +1,77 @@ +--- +title: Saving, Opening, and Exporting Reports (Windows 10) +description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. +ms.assetid: 8be72a6c-63ab-4451-ad79-815e2ac18aa2 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Saving, Opening, and Exporting Reports + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can perform several common reporting tasks from the **Analyze** screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. + +## Saving Your Compatibility Report + + +You can save your compatibility report data, including any custom filters created by the query builder tool. You can import this report data back into Application Compatibility Manager (ACM) at a later time. + +**To save a report** + +1. In the **Quick Reports** pane, click **Analyze**. + +2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type. + +3. On the **File** menu, click **Save As**. + +4. Browse to the folder where you want to save your report, and then click **Save**. + +## Opening an Existing Compatibility Report + + +In ACM, you can open, or import, a compatibility report (.adq) file. + +**To open a report** + +1. In the **Quick Reports** pane, click **Analyze**. + +2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type. + +3. On the **File** menu, click **Open Report**. + +4. Browse to the folder where you saved your report, and then click **Open**. 
+ +## Exporting Compatibility Report Data + + +You can export your compatibility report data to an Microsoft® Excel® spreadsheet (.xls) file. + +**To export report data** + +1. In the **Quick Reports** pane, click **Analyze**. + +2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type. + +3. On the **File** menu, click **Export Report**. + +4. Browse to the folder where you want to store the spreadsheet file, and then click **Save**. + +  + +  + + + + + diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md new file mode 100644 index 0000000000..6c83a990ee --- /dev/null +++ b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md 
@@ -0,0 +1,75 @@ +--- +title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) +description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. +ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Searching for Fixed Applications in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. + +The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). + +## Searching for Previously Applied Compatibility Fixes + + +**Important**   +You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. + +  + +**To search for previous fixes** + +1. On the Compatibility Administrator toolbar, click **Search**. + +2. Click **Browse** to locate the directory location to search for .exe files. + +3. 
Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. + +4. Click **Find Now**. + + The query runs, returning your results in the lower pane. + +## Viewing Your Query Results + + +Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. + +## Exporting Your Query Results + + +You can export your search results to a text (.txt) file for later review or archival. + +**To export your search results** + +1. In the **Search for Fixes** dialog box, click **Export**. + +2. Browse to the location where you want to store your search result file, and then click **Save**. + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md new file mode 100644 index 0000000000..bdc0043f6b --- /dev/null +++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md 
@@ -0,0 +1,179 @@ +--- +title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) +description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. +ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. + +For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. + +**Important**   +You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. + +  + +## Querying by Using the Program Properties Tab + + +You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. + +**To query by using the Program Properties tab** + +1. 
On the Compatibility Administrator toolbar, click **Query**. + +2. In the **Look in** drop-down list, select the appropriate database type to search. + +3. Type the location of the application you are searching for into the **Search for the Application** field. + + This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. + +4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. + + You must designate the executable name that was given when the compatibility fix was added to the database. + +5. Optionally, select the check box for one of the following types of compatibility fix: + + - **Compatibility Modes** + + - **Compatibility Fixes** + + - **Application Helps** + + **Important**   + If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. + +   + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Properties Tab + + +You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. + +**To query by using the Fix Properties tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. Click the **Fix Properties** tab. + +3. In the **Look in** drop-down list, select the appropriate database type to search. + +4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. 
+ + **Note**   + You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters. + +   + +5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. + + **Important**   + Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. + +   + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Description Tab + + +You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. + +**To query by using the Fix Description tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. Click the **Fix Description** tab. + +3. In the **Look in** drop-down list, select the appropriate database type to search. + +4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. + + **Important**   + You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. + +   + +5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Description Tab + + +You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. 
+ +**To query by using the Advanced tab** + +1. On the Compatibility Administrator toolbar, click **Query**. + +2. Click the **Advanced** tab. + +3. In the **Look in** drop-down list, select the appropriate database type to search. + +4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. + + The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. + +5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. + + The **DATABASE\_NAME =** clause appears in the **WHERE** box. + +6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. + + You must surround your clause criteria text with quotation marks (") for the clause to function properly. + +7. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Exporting Your Search Results + + +You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. + +**To export your results** + +1. After you have completed your search by using the Query tool, click **Export**. + + The **Save results to a file** dialog box appears. + +2. Browse to the location where you intend to store the search results file, and then click **Save**. + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md new file mode 100644 index 0000000000..41a1cbce6f --- /dev/null +++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md 
@@ -0,0 +1,78 @@ +--- +title: Security and data protection considerations for Windows To Go (Windows 10) +description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. +ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe +keywords: ["mobile, device, USB, secure, BitLocker"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Security and data protection considerations for Windows To Go + + +**Applies to** + +- Windows 10 + +One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. + +## Backup and restore + + +As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](http://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement. + +If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](http://go.microsoft.com/fwlink/p/?LinkId=618924). 
+ +## BitLocker + + +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. + +You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. + +**Tip**   +If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) + +  + +If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. + +## Disk discovery and data leakage + + +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. 
This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. + +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + +For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](http://go.microsoft.com/fwlink/p/?LinkId=619103). + +## Security certifications for Windows To Go + + +Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics. 
+ +- [Windows Platform Common Criteria Certification](http://go.microsoft.com/fwlink/p/?LinkId=619104) + +- [FIPS 140 Evaluation](http://go.microsoft.com/fwlink/p/?LinkId=619107) + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + +  + +  + + + + + diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md new file mode 100644 index 0000000000..0a8f1c3450 --- /dev/null +++ b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md 
@@ -0,0 +1,97 @@ +--- +title: Selecting the Send and Receive Status for an Application (Windows 10) +description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. +ms.assetid: ae139093-27cf-4ad8-882d-e0509e78d33a +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Selecting the Send and Receive Status for an Application + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange + +. For information about how to send and receive data, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). + +## Selecting the Send and Receive Status for an Application + + +**Note**   +The following example uses the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. + +  + +**To change the send and receive status for an application** + +1. On the **<Operating\_System> - Application Report** screen, click the application name for which you want to select the send and receive status. + +2. On the **Actions** menu, click **Set Send and Receive Status**. + +3. Select one of the following: + + - **Do not send to Microsoft** + + - **Send to Microsoft** (default) + +4. Click **OK**. + +**To filter based on send and receive status** + +1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. + +2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add clauses. + + To delete a clause, right-click the row, and then click **Delete Clause**. 
+ + The following example shows a query that filters for applications with a send and receive status of **Do not send to Microsoft**. + + + + + + + + + + + + + + + + + + + + + + + + +
And/OrFieldOperatorValue

And

Send and Receive Status

Equals

Do not send to Microsoft

+ +   + +3. Click **Refresh**. + + Your filtered results appear. + +  + +  + + + + + diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md new file mode 100644 index 0000000000..3b64974c1d --- /dev/null +++ b/windows/plan/selecting-your-compatibility-rating.md 
@@ -0,0 +1,107 @@ +--- +title: Selecting Your Compatibility Rating (Windows 10) +description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. +ms.assetid: 959da499-8fd6-4f32-8771-a0580dd8e0d3 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Selecting Your Compatibility Rating + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. Your rating applies to your entire organization and is based on your own testing results and organizational requirements. + +Possible ratings include: + +- **Works**. During your organization's testing phase, there were no issues with the application, installation package, or website. + +- **Works with minor issues or has solutions**. During your organization's testing phase, there were no Severity 1 or Severity 2 issues with the application, installation package, or website. For information about severity levels, see [Adding or Editing an Issue](adding-or-editing-an-issue.md). + +- **Does not work**. During your organization's testing phase, the application, installation package, or website experienced a Severity 1 or Severity 2 issue. + +- **No data**. You have no compatibility data to provide. + +## Selecting a Compatibility Rating + + +You can select your compatibility rating from the report screen or from the associated dialog box that shows report details. As an example, the following procedures use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same on the report for websites. + +**To select your compatibility rating** + +1. 
On the **<Operating\_System> - Application Report** screen, click the application name. + +2. On the **Actions** menu, click **Set Assessment**. + +3. Choose your ratings. Select separate ratings for 32-bit operating systems and 64-bit operating systems, and then click **OK**. + + If your organization does not use a 32-bit operating system, or does not use a 64-bit operating system, you can hide the option in the **Customize Report Views** dialog box. If you hide the option, the associated column no longer appears in the **Set Assessment** dialog box. + +## Filtering By Your Compatibility Ratings + + +You can filter your applications, installation packages, or website data by your compatibility ratings. + +**To filter based on your compatibility ratings** + +1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. + +2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add additional clauses. + + For example, the following query will show applications with a rating of **Works** or a rating of **Works with minor issues or has solutions**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
And/OrFieldOperatorValue

And

My Assessment

Equals

Works

Or

My Assessment

Equals

Works with minor issues or has solutions

+ +   + + To delete a clause, right-click the row, and then click **Delete Clause**. + +3. Click **Refresh**. + +  + +  + + + + + diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md new file mode 100644 index 0000000000..4d47ec35fb --- /dev/null +++ b/windows/plan/selecting-your-deployment-status.md 
@@ -0,0 +1,116 @@ +--- +title: Selecting Your Deployment Status (Windows 10) +description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. +ms.assetid: 7735d256-77eb-4498-93aa-c838ee6e00fc +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Selecting Your Deployment Status + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. + +## Selecting Your Deployment Status + + +You can change the deployment status from both the report screen and the associated report dialog box. + +**Note**   +The following examples use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same for setting deployment status on the report for websites. + +  + +**To change the deployment status of an application** + +1. On the **<Operating\_System> - Application Report** screen, click the application name. + +2. On the **Actions** menu, click **Set Deployment Status**. + +3. Select one of the following options: + + - **Not Reviewed** (default) + + - **Testing** + + - **Mitigating** + + - **Ready to Deploy** + + - **Will Not Deploy** + +4. Click **OK**. + +## Filtering By Deployment Status + + +You can filter your applications and websites by your deployment status. + +**To filter based on deployment status** + +1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**. + + The **Query Builder** appears with a blank row. + +2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add clauses. + + For example, the following query filters for applications with a deployment status of **Mitigating** or **Ready to Deploy**. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
And/OrFieldOperatorValue

And

Deployment Status

Equals

Mitigating

Or

Deployment Status

Equals

Ready to Deploy

+ +   + + To delete a clause, right-click the row, and then click **Delete Clause**. + +3. Click **Refresh**. + + Your filtered results appear. + +  + +  + + + + + diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md new file mode 100644 index 0000000000..e2165cb7e6 --- /dev/null +++ b/windows/plan/sending-and-receiving-compatibility-data.md 
@@ -0,0 +1,68 @@ +--- +title: Sending and Receiving Compatibility Data (Windows 10) +description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. +ms.assetid: b86d2431-1caa-4f95-baf9-52ff6af546cd +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Sending and Receiving Compatibility Data + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. This process involves checking for updated compatibility information from Microsoft over the Internet. You can send and receive data to keep Application Compatibility Manager (ACM) updated with the latest compatibility information. + +The synchronization process includes only the changes made since the last synchronization. During the synchronization process, a dialog box displaying the synchronization status appears. You can continue to work during this process. If no new issues have occurred since your last synchronization, the Microsoft Compatibility Exchange uploads your issue information and notifies you that no updates exist. + +The synchronization process uses the Microsoft Compatibility Exchange to: + +- Download new information from Microsoft and ISVs, except for the applications for which you choose not to send application data to Microsoft. + +- Upload your compatibility issues to Microsoft. + +- Upload and download compatibility information from the ACT Community, if you are a member of the ACT Community and agree to share your data. 
For information about configuring your membership in the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md). + +For information about which data is sent and received through the Microsoft Compatibility exchange, see [Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md). + +## Reviewing and Synchronizing Your Data + + +Prior to sending your application data to Microsoft, you can review your application list and view the exact data being sent as a text (.txt) file. After you are done reviewing the information, you can synchronize your data with Microsoft. + +**To review and synchronize your data** + +1. On the **Analyze** screen, click **Send and Receive**. + +2. Click **Review the data before sending**. + + The **Send and Receive Data** dialog box shows all of the application data that is to be sent to Microsoft during the synchronization process. To avoid sending application data for specific applications, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). + +3. Optionally, click **Review all data**, save the resulting .txt file locally, and then review the exact XML data that will be sent to Microsoft. + +4. After you finish reviewing the application list and XML data, click **Send**. + +## Related topics + + +[Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md) + +[ACT Community Ratings and Process](act-community-ratings-and-process.md) + +  + +  + + + + + diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md new file mode 100644 index 0000000000..b548b8f403 --- /dev/null +++ b/windows/plan/settings-for-acm.md 
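Review bot: The first synchronization bullet in sending-and-receiving-compatibility-data.md, "Download new information from Microsoft and ISVs, except for the applications for which you choose not to send application data to Microsoft", ties a download exclusion to an upload choice, and it is unclear whether opting an application out of upload also prevents receiving compatibility data about it. Since this is the setting an organisation uses to control what leaves its network, suggest stating the two effects separately (what is not sent, and what is consequently not received) and cross-referencing the same behaviour in the linked Selecting the Send and Receive Status for an Application topic. The sentence "If no new issues have occurred since your last synchronization, the Microsoft Compatibility Exchange uploads your issue information" also reads as contradictory; if nothing new is uploaded in that case, say so.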
@@ -0,0 +1,69 @@ +--- +title: Settings for ACM (Windows 10) +description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). +ms.assetid: e0126284-4348-4708-8976-a1e404f35971 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Settings for ACM + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about settings that you can configure in Application Compatibility Manager (ACM). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)

To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.

[Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)

To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.

+ +  + +## Related topics + + +[Configuring ACT](configuring-act.md) + +[ACT Database Configuration](act-database-configuration.md) + +[Troubleshooting ACT](troubleshooting-act.md) + +  + +  + + + + + diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md new file mode 100644 index 0000000000..a023b39573 --- /dev/null +++ b/windows/plan/setup-and-deployment.md 
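Review bot: Both rows of the "In this section" table in settings-for-acm.md carry the identical description "To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.", which describes how to open the dialog box rather than what either tab contains, so the table gives no basis for choosing between the Settings Tab and Preferences Tab topics. Suggest a one-line summary per row (the Preferences tab, for example, is where ACT Community membership is configured, per the reference in sending-and-receiving-compatibility-data.md in this same patch).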
@@ -0,0 +1,229 @@ +--- +title: Setup and deployment (Windows 10) +description: This article describes the basic features of a Windows Update for Business deployment. +ms.assetid: E176BB36-3B1B-4707-9665-968D80050DD1 +keywords: ["update", "upgrade", "deployment"] +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Setup and deployment + + +**Applies to** + +- Windows 10 + +This article describes the basic features of a Windows Update for Business deployment. Use this information to familiarize yourself with a simple deployment with a single group of machines connected to Windows Update, in addition to more complex scenarios such as the creation of Windows Update for Business validation groups that receive updates from Windows Update at different time intervals, as well as Windows Update for Business deployments integrated with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, or Microsoft Intune. + +## Configure your systems to receive updates on CBB + + +To use Windows Update for Business, Windows 10-based devices must first be configured for the Current Branch for Business (CBB). You can configure devices manually, by using Group Policy, or by using mobile device management (MDM). + +![figure 1](images/wuforbus-fig1-manuallyset.png) + +![figure 2](images/wuforbusiness-fig2-gp.png) + +![figure 3](images/wuforbusiness-fig3-mdm.png) + +## Defer OS upgrade and update deployments + + +Windows Update for Business allows administrators to control when upgrades and updates are deployed to their Windows 10 clients by specifying deferral windows from when they are initially made available on the Windows Update service. As mentioned, there are restrictions as to how long you can delay upgrades and updates. The following table details these restrictions, per deployment category type: + + + + + + + + + + + + + + + + +
+

Group Policy keys

+
+

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod

+
    +
  • +

    Values: 0-8 where each unit for upgrade is a month + +

    +
  • +
+
+

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod

+
    +
  • +

    Values: 0-4 where each unit for update is a week +

    +
  • +
+
+

MDM

+

./Vendor/MSFT/Update/DeferUpgrade

+
+

Software\Microsoft\PolicyManager\current\Update\RequireDeferUpgrade +

+
    +
  • +

    Values: 0-8 where each unit for upgrade is a month + +

    +
  • +
+
+

Software\Microsoft\PolicyManager\current\Update\RequireDeferUpdate

+
    +
  • +

    Values: 0-4 where each unit for update is a week +

    +
  • +
+
+ +  + +Administrators can control deferral periods with Group Policy Objects by using the [Local Group Policy Editor (GPEdit)](http://go.microsoft.com/fwlink/p/?LinkId=734030) or, for domain joined systems, [Group Policy Management Console (GPMC)](http://go.microsoft.com/fwlink/p/?LinkId=699325). For additional details on Group Policy management see [Group Policy management for IT pros](http://go.microsoft.com/fwlink/p/?LinkId=699282). + +**Set different deferrals based on update classification in GPedit.msc** + +![figure 4](images/wuforbusiness-fig4-localpoleditor.png) + +![figure 5](images/wuforbusiness-fig5-deferupgrade.png) + +## Pause upgrades and updates + + +Although administrators can use deferral periods to stagger the rate at which deployments go out to their organization (which provides time to verify quality and address any issues), there may be cases where additional time is needed before an update is set to deploy to a machine, or group of machines. Windows Update for Business provides a means for administrators to *pause* updates and upgrades on a per-machine basis. This pause functionality ensures that no updates or upgrades will be made available for the specified machine; the machine will remain in this state until the machine is specifically “unpaused”, or when a period of five weeks (35 days) has passed, at which point updates are auto-resumed. + +**Note**   +The five-week period ensures that pause functionality overlaps a possible subsequent Update Tuesday release. + +  + +**Note**   +Group Policy does not allow you to set a future "unpause” — administrators must actively select to unpause a deployment if they wish to do so before the time expiration. + +  + + ++++ + + + + + + + + + + +

Group Policy keys

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\Pause

MDM

+

./Vendor/MSFT/Update/DeferUpgrade

Software\Microsoft\PolicyManager\current\Update\Pause

+
    +
  • Values (bool): 0, 1

  • +
+ +  + +![figure 6](images/wuforbusiness-fig6-pause.png) + +## Create validation groups for deployments + + +By grouping machines into similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be used as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause, administrators can effectively control and measure update deployments by rolling out to a small pool of devices first to verify quality, prior to a broader roll-out to their organization. + +Administrators can establish validation groups to maintain a level of control over update/driver deployments which allows them to: + +- Control the date, time, and frequency updates will be applied and devices rebooted + +- Deploy a small set of machines to verify quality prior to broad roll-out + +- Stage broad roll-out in waves to continue quality verification and minimize disruptions + +- Manage membership of waves based on criteria defined by IT + +- Halt and roll-back deployment of updates/drivers that may be causing trouble + +![figure 7](images/wuforbusiness-fig7-validationgroup.png) + +## Peer-to-peer networking for deployments + + +Windows Update Delivery Optimization enables Windows Update for Business enrolled devices to download Windows updates and Windows Store apps from sources other than Microsoft. With multiple devices, Delivery Optimization can reduce the amount of Internet bandwidth that is required to keep all of your Windows Update for Business enrolled systems up to date. It can also help ensure that devices get updates and apps more quickly if they have a limited or unreliable Internet connection. + +In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from. 
+ +### How Delivery Optimization works + +- **PCs on your local network.** When Windows downloads an update or app, it will look for other PCs on your local network that have already downloaded the update or app using Delivery Optimization. Windows then downloads parts of the file from those PCs and parts of the file from Microsoft. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows uses the fastest, most reliable download source for each part of the file. + +- **PCs on your local network and PCs on the Internet.** Windows uses the same process as when getting updates and apps from PCs on your local network, and also looks for PCs on the Internet that can be used as a source to download parts of updates and apps. + +### Delivery Optimization settings + +Delivery Optimization is turned on by default for the Enterprise and Education editions of Windows 10, where the default option is that updates will only be pulled and shared from PCs on your LAN and not the Internet. + +Delivery Optimization configuration settings can be viewed by going to: Settings > Update and Security > Advanced Options > Choose how your updates are delivered + +![figure 8](images/wuforbusiness-fig8a-chooseupdates.png) + +## Use Group Policy to configure Windows Update Delivery Optimization + + +You can use Group Policy to configure Windows Update Delivery Optimization. To do this, use the following steps: + +1. Download the [Administrative Templates (.admx) file for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=699283) from the Microsoft Download Center. + +2. Copy the following files to the SYSVOL central store: + + - DeliveryOptimization.admx from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions + + - DeliveryOptimization.adml from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions\\en-US + +3. Start the Gpeditor tool. + +4. 
Browse to the following location: + + - Computer Configuration\\Administrative Templates\\Windows Components\\Delivery Optimization + +5. Make the following Windows Update Delivery Optimization settings, as appropriate. + + ![figure 9](images/wuforbusiness-fig9-dosettings.jpg) + +**Virus-scan claim** + +Microsoft scanned this file for viruses, using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it. + +For more information about Windows Update Delivery Optimization in Windows 10, see the [Windows Update Delivery Optimization FAQ](http://go.microsoft.com/fwlink/p/?LinkId=699284). + +For additional resources, see [How to use Group Policy to configure Windows Update Delivery Optimization in Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=699288). + +## Related topics + + +[Windows Update for Business](windows-update-for-business.md) + +[Integration with management solutions](integration-with-management-solutions-.md) + +  + +  + + + + + diff --git a/windows/plan/showing-messages-generated-by-the-sua-tool.md b/windows/plan/showing-messages-generated-by-the-sua-tool.md new file mode 100644 index 0000000000..1b34533117 --- /dev/null +++ b/windows/plan/showing-messages-generated-by-the-sua-tool.md 
@@ -0,0 +1,74 @@ +--- +title: Showing Messages Generated by the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. +ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Showing Messages Generated by the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. + +**To show the messages that the SUA tool has generated** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, in the SUA tool, click the **App Info** tab. + +3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
View menu commandDescription

Error Messages

When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

+

This command is selected by default.

Warning Messages

When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

Information Messages

When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

Detailed Information

When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

+ +   + +  + +  + + + + + diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md new file mode 100644 index 0000000000..5b3047ffaf --- /dev/null +++ b/windows/plan/software-requirements-for-act.md @@ -0,0 +1,85 @@ +--- +title: Software Requirements for ACT (Windows 10) +description: The Application Compatibility Toolkit (ACT) has the following software requirements. +ms.assetid: 9bbc21d4-f2ac-4a91-8add-017b1eacdeee +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Software Requirements for ACT + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Application Compatibility Toolkit (ACT) has the following software requirements. + +## Operating Systems + + +ACT can be installed on the following operating systems: + +- Windows 10 + +- Windows 8.1 + +- Windows 8 + +- Windows 7 + +- Windows Server 2012 + +- Windows Server 2008 R2 + +You can deploy inventory collector packages to all of the operating systems where you can install ACT. In addition, you can also deploy inventory collector packages to Windows Server 2008, Windows Vista, and Windows XP. + +**Note**   +As of Update 2, there is a known issue where the inventory collector package fails on Windows Vista. + +  + +## Database Components + + +ACT requires one of the following database components: + +- Microsoft® SQL Server® 2012 + +- Microsoft® SQL Server® 2008 R2 + +- SQL Server 2008 + +- SQL Server 2005 + +- SQL Server 2008 Express + +- SQL Server 2005 Express Edition + +## .NET Framework + + +ACT requires .NET Framework 4. + +## Related topics + + +[What's New in Act 6.1](whats-new-in-act-60.md) + +[Software Requirements for RAP](software-requirements-for-rap.md) + +  + +  + + + + + diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md new file mode 100644 index 0000000000..18462f9bd7 
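Review bot: In software-requirements-for-act.md the Related topics link text "What's New in Act 6.1" points at `whats-new-in-act-60.md`; either the text or the target is out of date, and the product name should be capitalised "ACT" as everywhere else in the file. The same link appears in software-requirements-for-rap.md immediately below, so fix both. Also, the note "As of Update 2, there is a known issue where the inventory collector package fails on Windows Vista" does not say which product's Update 2 is meant; name it, since the preceding paragraph still lists Windows Vista as a supported inventory target.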
--- /dev/null +++ b/windows/plan/software-requirements-for-rap.md @@ -0,0 +1,69 @@ +--- +title: Software Requirements for RAP (Windows 10) +description: The runtime-analysis package (RAP) has the following software requirements. +ms.assetid: 0163ce70-f5ba-400c-bdd5-a25511aac91f +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Software Requirements for RAP + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The runtime-analysis package (RAP) has the following software requirements. + +## Compatibility Monitor Supported Operating Systems + + +The Microsoft Compatibility Monitor tool is included in the runtime-analysis package. You can use the Compatibility Monitor on the following operating systems: + +- Windows 10 + +- Windows 8.1 + +- Windows 8 + +- Windows 7 + +## SUA Tool and Compatibility Administrator Supported Operating Systems + + +The Standard User Analyzer (SUA) tool and wizard and the Compatibility Administrator tool are included in the runtime-analysis package. You can use the tools on the following operating systems: + +- Windows 10 + +- Windows 8.1 + +- Windows 8 + +- Windows 7 + +- Windows Server 2012 + +- Windows Server 2008 R2 + +## Related topics + + +[What's New in Act 6.1](whats-new-in-act-60.md) + +[Software Requirements for ACT](software-requirements-for-act.md) + +  + +  + + + + + diff --git a/windows/plan/sua-users-guide.md b/windows/plan/sua-users-guide.md new file mode 100644 index 0000000000..d907f4229d --- /dev/null +++ b/windows/plan/sua-users-guide.md 
@@ -0,0 +1,73 @@ +--- +title: SUA User's Guide (Windows 10) +description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. +ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# SUA User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. + +You can use SUA in either of the following ways: + +- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. + +- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
TopicDescription

[Using the SUA Wizard](using-the-sua-wizard.md)

The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.

[Using the SUA Tool](using-the-sua-tool.md)

By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.

+ +  + +## Related topics + + +[Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md) + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/tabs-on-the-sua-tool-interface.md b/windows/plan/tabs-on-the-sua-tool-interface.md new file mode 100644 index 0000000000..70a9ac7535 --- /dev/null +++ b/windows/plan/tabs-on-the-sua-tool-interface.md @@ -0,0 +1,99 @@ +--- +title: Tabs on the SUA Tool Interface (Windows 10) +description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. +ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Tabs on the SUA Tool Interface + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. + +The following table provides a description of each tab on the user interface for the SUA tool. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Tab nameDescription

App Info

Provides the following information for the selected application:

+
    +
  • Debugging information

  • +
  • Error, warning, and informational messages (if they are enabled)

  • +
  • Options for running the application

  • +

File

Provides information about access to the file system.

+

For example, this tab might show an attempt to write to a file that only administrators can typically access.

Registry

Provides information about access to the system registry.

+

For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

INI

Provides information about WriteProfile API issues.

+

For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

Token

Provides information about access-token checking.

+

For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

Privilege

Provides information about permissions.

+

For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

Name Space

Provides information about creation of system objects.

+

For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

Other Objects

Provides information related to applications accessing objects other than files and registry keys.

Process

Provides information about process elevation.

+

For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

+ +  + +  + +  + + + + + diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md new file mode 100644 index 0000000000..d42fc430b2 --- /dev/null +++ b/windows/plan/taking-inventory-of-your-organization.md @@ -0,0 +1,75 @@ +--- +title: Taking Inventory of Your Organization (Windows 10) +description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. +ms.assetid: d52f138d-c6b2-4ab1-bb38-5b036311a51d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Taking Inventory of Your Organization + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
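Review bot: In the Privilege row of the tabs table in tabs-on-the-sua-tool-interface.md, "Provides information about permissions" and "an attempt to explicitly enable permissions that do not work for a standard user" use the wrong term: permissions are granted by object ACLs and are not "enabled", whereas token privileges are what an application enables in its access token, and that is what the tab name refers to. Suggest "Provides information about privileges" and "an attempt to explicitly enable privileges that a standard user does not hold", which also matches the access-token wording in the Token row.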
TopicDescription

[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)

An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following:

[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)

You can use Application Compatibility Manager (ACM) to create an inventory-collector package. You can then deploy the inventory-collector package to other computers to gather inventory data. The package uploads inventory data to the Application Compatibility Toolkit (ACT) database.

[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)

You can use the following methods to deploy an inventory-collector package to the destination computers:

+ +  + +## Related topics + + +[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) + +[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) + +[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) + +[Fixing Compatibility Issues](fixing-compatibility-issues.md) + +  + +  + + + + + diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md new file mode 100644 index 0000000000..10111af439 --- /dev/null +++ b/windows/plan/testing-compatibility-on-the-target-platform.md @@ -0,0 +1,83 @@ +--- +title: Testing Compatibility on the Target Platform (Windows 10) +description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. +ms.assetid: 8f3e9d58-37c2-41ea-a216-32712baf6cf4 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Testing Compatibility on the Target Platform + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
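Review bot: Two descriptions in the "In this section" table of taking-inventory-of-your-organization.md are truncated lead-ins: "This data includes the following:" and "You can use the following methods to deploy an inventory-collector package to the destination computers:" both end in a colon with no list after them (the lists belong to the linked topics). Suggest cutting each at the preceding sentence, for example "An inventory-collector package gathers inventory data from the computers on which it is installed." and "Describes the methods you can use to deploy an inventory-collector package to the destination computers."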
TopicDescription

[Deciding Which Applications to Test](deciding-which-applications-to-test.md)

Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.

[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)

The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects.

[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)

In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment.

[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)

When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.

[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)

Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.

+ +  + +## Related topics + + +[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) + +[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) + +[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) + +[Fixing Compatibility Issues](fixing-compatibility-issues.md) + +  + +  + + + + + diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/plan/testing-your-application-mitigation-packages.md new file mode 100644 index 0000000000..df727951fd --- /dev/null +++ b/windows/plan/testing-your-application-mitigation-packages.md 
@@ -0,0 +1,97 @@ +--- +title: Testing Your Application Mitigation Packages (Windows 10) +description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. +ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Testing Your Application Mitigation Packages + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. + +## Testing Your Application Mitigation Packages + + +Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. + +**To test your mitigation strategies** + +1. Perform the following steps for each of the applications for which you have developed mitigations. + + 1. Test the mitigation strategy in your test environment. + + 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. + + At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. + +2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. + + 1. Test the mitigation strategy in your pilot deployment. + + 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. 
+ + At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. + +## Reporting the Compatibility Mitigation Status to Stakeholders + + +After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. + +- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. + +- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. + +- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. + +- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. + +## Resolving Outstanding Compatibility Issues + + +At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. + +- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. 
+ + **Note**   + For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). + +   + +- Run the application in a virtual environment. + + Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. + +- Resolve application compatibility by using non-Microsoft tools. + + If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. + +- Outsource the application compatibility mitigation. + + If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. + +## Related topics + + +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) + +  + +  + + + + + diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md new file mode 100644 index 0000000000..758df1a050 --- /dev/null +++ b/windows/plan/troubleshooting-act-database-issues.md 
@@ -0,0 +1,156 @@ +--- +title: Troubleshooting ACT Database Issues (Windows 10) +description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). +ms.assetid: c36ab5d8-cc82-4681-808d-3d491551b75e +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Troubleshooting ACT Database Issues + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). + +For information about how to set up the database, see [ACT Database Configuration](act-database-configuration.md). + +## Connecting to a SQL Server Database + + +When you attempt to connect to a SQL Server database, you may receive the following error message: + +The SQL Server you entered either does not exist or you do not have the required credentials for access. + +This error message indicates that the connection to the database is not valid. To investigate this error, do the following: + +1. Verify that the SQL Server database to which you are connecting is a valid database. + +2. Verify that you have read and write permissions to the database. If you do not have read and write permissions, contact your SQL Server administrator. For more information, see [Adding a Member to a SQL Server Database Role](http://go.microsoft.com/fwlink/p/?LinkId=64170). + +If you have read and write permissions to the database but cannot connect to it, you may be able to change the settings for your instance of SQL Server to resolve the issue. Namely, you can enable TCP/IP and firewall exceptions. + +**To enable TCP/IP and firewall exceptions for your instance of SQL Server** + +1. In a **Command Prompt** window, type the following command to stop your instance of SQL Server. 
+ + ``` syntax + net stop + + ``` + + In the preceding command, *MSSQLSERVER* is the name of the instance of SQL Server. For SQL Server, the default name is MSSQLSERVER. For Microsoft SQL Server Express, the default name is MSSQL$SQLEXPRESS. + +2. Enable TCP/IP for your instance of SQL Server: + + 1. In the **Command Prompt** window, type `SQLServerManager.msc` + + 2. In SQL Server Configuration Manager, expand **SQL Server 2005 Network Configuration**, and then click **Protocols for MSSQLSERVER**. + + 3. Right-click **TCP/IP**, and then click **Enable**. + +3. Add firewall port exceptions for your instance of SQL Server: + + 1. In the **Command Prompt** window, type `firewall.cpl` + + 2. In the Windows® Firewall tool, click the **Exceptions** tab, and then click **Add Port**. + + 3. Add a firewall exception for TCP port 1433 (SQL Server) and for UDP port 1434 (SQL Server Browser), and then click **OK**. + + **Note**   + SQL Server Browser is the service that receives incoming SQL Server requests so that you can access the SQL Server Express database from a remote computer. By default, this service is disabled, which means that you can only access the database locally. If Application Compatibility Manager (ACM) or the ACT Log Processing Service is not installed on the same computer as the database, you must use the Services tool to manually start SQL Server Browser. + +   + +4. In the **Command Prompt** window, type `net start ` to start your instance of SQL Server, where *MSSQLSERVER* is the name of the instance. + +5. Type `sc config SQLBrowser start= auto` to change the configuration of SQL Server Browser. + +6. Type `net start SQLBrowser` to start SQL Server Browser. + +## Verifying SQL Server Version + + +If you attempt to connect to a SQL Server version that is not valid for ACT, you may receive the following error message: + +The SQL Server you are trying to connect to is not a supported version. 
Please check the Help documentation to find out about the supported versions of the SQL Server. + +To investigate this error, verify that ACT supports your version of SQL Server or SQL Server Express. For more information, see [Software Requirements for ACT](software-requirements-for-act.md). + +## Creating an ACT Database + + +You cannot create an ACT database by using ACM if you do not have database-creation permissions for the instance of SQL Server. To create the database, add the required permissions to the user account and then use ACM to create it. Alternatively, ask a SQL Server administrator to create the database. + +**To grant database-creation permissions to a user account** + +1. In SQL Server Management Studio, expand the **Security** folder, right-click **Logins**, and then click **New Logins**. + +2. On the **General** page, type the name of the user account that you will use to create the ACT database. + +3. Click **Server Roles**. + +4. Select the **sysadmin** or **dbcreator** check box, depending on your organization's policy. + +**To create an ACT database as a SQL Server administrator** + +1. Use SQL Server Management Studio to open and run the CreateDB.sql script against your instance of SQL Server. For information about the location of the CreateDB.sql file, see [ACT Database Configuration](act-database-configuration.md). + + - or - + + Use the OSQL tool, and run the command `osql -E -S -I CreateDB.sql` + +2. In ACM, in the **Settings** dialog box, update the **Database** box with the information for the newly created database. + + To use ACM with the ACT database, the user account must have read and write permissions to the database. + +## Granting ACT Database Permissions for the ACT Log Processing Service + + +The ACT Log Processing Service requires read and write access to the ACT database. + +**To grant permissions to the ACT database** + +1. 
In SQL Server Management Studio, expand the **Security** folder, right-click **Logins**, and then click **New Login**. + +2. Complete the following information on the **General** page: + + - **Login name**. Type the name of the account that requires permissions. If you are using the Local System account for the ACT Log Processing Service, provide access to the *<domain>*\\*<computer\_name>*$ account, where *<computer\_name>* is the name of the computer that is running the ACT Log Processing Service. + + - **Default database**. Select the ACT database to which your user account requires permissions. + +3. Click **User Mapping**. + +4. Select the check box next to your ACT database. + +5. Select the **db\_datareader** and **db\_datawriter** check boxes, and then click **OK**. + + **Important**   + If you continue to experience issues with the ACT Log Processing Service, even while you are using the Local System account, see [Troubleshooting Kerberos Delegation](http://go.microsoft.com/fwlink/p/?LinkId=65474). + +   + +## Related topics + + +[ACT Database Configuration](act-database-configuration.md) + +[Software Requirements for ACT](software-requirements-for-act.md) + +  + +  + + + + + diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md new file mode 100644 index 0000000000..1dbfeee130 --- /dev/null +++ b/windows/plan/troubleshooting-act.md 
@@ -0,0 +1,71 @@ +--- +title: Troubleshooting ACT (Windows 10) +description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). +ms.assetid: 5696b0c0-5db5-4111-a1e1-825129e683d8 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Troubleshooting ACT + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md)

When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. The wizard helps you configure your ACT database, your shared folder for ACT log files, and your ACT Log Processing Service account.

[Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md)

The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service.

[Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md)

The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT).

+ +  + +## Related topics + + +[Using ACT](using-act.md) + +[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) + +  + +  + + + + + diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md new file mode 100644 index 0000000000..058b39db72 --- /dev/null +++ b/windows/plan/troubleshooting-the-act-configuration-wizard.md 
@@ -0,0 +1,75 @@ +--- +title: Troubleshooting the ACT Configuration Wizard (Windows 10) +description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. +ms.assetid: f4f489c7-50b7-4b07-8b03-79777e1aaefd +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Troubleshooting the ACT Configuration Wizard + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. The wizard helps you configure your ACT database, your shared folder for ACT log files, and your ACT Log Processing Service account. + +## Selecting a Configuration for ACM + + +The **Enterprise configuration** option enables all ACT functionality. You must be an administrator on the local computer to select this option. + +The **View and manage reports only** option enables you to use ACM to create data-collection packages and analyze your data. You cannot access the ACT Log Processing Service. This option assumes that another computer in your organization is processing the logs and loading the compatibility data into the ACT database. + +## Configuring ACT Database Settings + + +To configure ACT database settings in the ACT Configuration Wizard, you must have read and write permissions to the ACT database. For more information, see [ACT Database Configuration](act-database-configuration.md). If you do not have the appropriate permissions, contact your Microsoft® SQL Server® administrator. For more information, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). 
+ +## Configuring the ACT Log Processing Service + + +If you use the Local System account to run the ACT Log Processing Service, your user account must be an Administrator account. Your computer account *<domain>*\\*<computer>*$ must have read and write permissions to the ACT database. + +Your user account must also have **Log on as a service** permissions. For more information, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md). + +## Configuring the Share for the ACT Log Processing Service + + +For information about how to configure the share for the ACT Log Processing Service, see [ACT LPS Share Permissions](act-lps-share-permissions.md). + +## Changing Settings After You Finish the ACT Configuration Wizard + + +In the **Settings** dialog box in ACM, you can change some of the settings that you see in the ACT Configuration Wizard. You can also change other settings that are not available in the wizard. For more information, see [Settings for ACM](settings-for-acm.md). + +## Restarting the ACT Configuration Wizard + + +If you cancel the configuration process before you reach the final page of the ACT Configuration Wizard, your settings are deleted and the wizard restarts the next time that you start ACM. + +## Related topics + + +[Configuring ACT](configuring-act.md) + +[Using ACT](using-act.md) + +[Troubleshooting ACT](troubleshooting-act.md) + +  + +  + + + + + diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md new file mode 100644 index 0000000000..8fef3bc4b5 --- /dev/null +++ b/windows/plan/troubleshooting-the-act-log-processing-service.md 
@@ -0,0 +1,102 @@ +--- +title: Troubleshooting the ACT Log Processing Service (Windows 10) +description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. +ms.assetid: cb6f90c2-9f7d-4a34-a91e-8ed55b8c256d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Troubleshooting the ACT Log Processing Service + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. + +For information about how to set up permissions for the service, see [ACT LPS Share Permissions](act-lps-share-permissions.md). + +## Reviewing Files in ACT Log File Format + + +When you are reviewing log files for ACT, be aware that the log files are in Unicode format. + +## Uploading Files to the ACT Log Processing Service Share After Setting Permissions + + +If you cannot upload files to the ACT Log Processing Service share, you must first verify that the account permissions are set correctly for the share. For more information, see [ACT LPS Share Permissions](act-lps-share-permissions.md). + +If the computers from which you are collecting data and the ACT Log Processing Service share are on different domains, or if the computers are not domain members, you must take additional steps. For the **Anonymous** group, provide explicit write permissions to the ACT Log Processing Service share. Alternatively, you can provide similar permissions to the **Authenticated users** group if you do not want to enable anonymous access. For more information, see [Everyone Group Does Not Include Anonymous Security Identifier](http://go.microsoft.com/fwlink/p/?LinkId=79830). 
+ +If you are collecting data from computers that are running Microsoft® Windows® 2000 and you are uploading your collected data to a different domain, you must also explicitly enable null session access for the ACT Log Processing Service share. + +## Working Around Windows Firewall on the Computer That Hosts the ACT Log Processing Service Share + + +If your organization has configured Windows Firewall on the computer that hosts your ACT Log Processing Service share, log files will not be copied to your share. To work around this issue, you can use one of the following methods: + +- Before you set up the ACT Log Processing Service share, turn off Windows Firewall on the computer that will host the share. + +- Continue to use Windows Firewall, but enable the **File Sharing** option. + +## Viewing and Assigning "Log on as a service" Permissions + + +Starting the ACT Log Processing Service requires either a Local System account or a user account. For a user account to start the ACT Log Processing Service and complete the ACT Configuration Wizard, the *<domain>*\\*<user>* account must have **Log on as a service** permissions. By default, these permissions are assigned to built-in computer accounts, such as the Local System account. + +**To add rights to a user account for logging on as a service** + +1. In Control Panel, double-click **Administrative Tools**, and then double-click **Local Security Policy**. + +2. Expand the **Local Policies** folder, and then click **User Rights Assignment**. + +3. Double-click the **Log on as a service** policy. + +4. Verify that your *<domain>*\\*<user>* account appears. If it does not appear, click **Add User or Group**. + +5. Add your user account information, click **OK**, and then click **OK** again. 
+ +## Starting the ACT Log Processing Service + + +If the ACT Log Processing Service does not start and log files are not being processed, the reason may be one of the following: + +- **A conflict exists between ACT and the Microsoft® SQL Server® database.** If both ACT and the SQL Server database are on the same computer, the ACT Log Processing Service might have started before the SQL Server service. + +- **The ACT Log Processing Service does not have the correct permissions to the ACT database.** To investigate, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md). + +- **The account type is incorrect for the account that is running the ACT Log Processing Service.** The ACT Log Processing Service account must be an Administrator account. + +**To manually restart the ACT Log Processing Service** + +1. In Control Panel, double-click **Administrative Tools**, and then double-click **Services**. + +2. Right-click **ACT Log Processing Service**, and then click **Restart**. + +3. In the event log, verify that no issues occurred when the service restarted. + +## Related topics + + +[Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md) + +[Configuring ACT](configuring-act.md) + +[Software Requirements for ACT](software-requirements-for-act.md) + +  + +  + + + + + diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/plan/understanding-and-using-compatibility-fixes.md new file mode 100644 index 0000000000..bde6db5bc2 --- /dev/null +++ b/windows/plan/understanding-and-using-compatibility-fixes.md 
@@ -0,0 +1,106 @@ +--- +title: Understanding and Using Compatibility Fixes (Windows 10) +description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. +ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Understanding and Using Compatibility Fixes + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application. + +## How the Compatibility Fix Infrastructure Works + + +The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix. + +The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure. + +![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg) + +Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure. 
+ +![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg) + +**Note**   +For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API. + +  + +## Design Implications of the Compatibility Fix Infrastructure + + +There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure. + +- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes. + +- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code. + +- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues. + + **Note**   + Some antivirus, firewall, and anti-spyware code runs in kernel mode. + +   + +## Determining When to Use a Compatibility Fix + + +The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix. 
+ +### Scenario 1 + +**The compatibility issue exists on an application which is no longer supported by the vendor.** + +As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue. + +### Scenario 2 + +**The compatibility issue exists on an internally created application.** + +While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment. + +### Scenario 3 + +**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.** + +In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released. + +## Determining Which Version of an Application to Fix + + +You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. 
This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application. + +## Support for Compatibility Fixes + + +Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself. + +You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes. + +## Related topics + + +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) + +  + +  + + + + + diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md new file mode 100644 index 0000000000..a091159a76 --- /dev/null +++ b/windows/plan/using-act.md @@ -0,0 +1,89 @@ +--- +title: Using ACT (Windows 10) +description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. +ms.assetid: e6a68f44-7503-450d-a000-a04fbb93a146 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Using ACT + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)

This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization.

[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)

This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment.

[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)

This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. Data-collection packages include inventory-collector packages and runtime-analysis packages. The following procedures apply to both package types.

[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)

This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM).

[Fixing Compatibility Issues](fixing-compatibility-issues.md)

This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.

+ +  + +## Related topics + + +[Welcome to ACT](welcome-to-act.md) + +[Configuring ACT](configuring-act.md) + +[Troubleshooting ACT](troubleshooting-act.md) + +[ACT User Interface Reference](act-user-interface-reference.md) + +[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) + +[ACT Glossary](act-glossary.md) + +[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) + +  + +  + + + + + diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md new file mode 100644 index 0000000000..4bf3abf7e8 --- /dev/null +++ b/windows/plan/using-compatibility-monitor-to-send-feedback.md 
@@ -0,0 +1,83 @@ +--- +title: Using Compatibility Monitor to Send Feedback (Windows 10) +description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. +ms.assetid: dc59193e-7ff4-4950-8c20-e90c246e469d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Using Compatibility Monitor to Send Feedback + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. From the computers in your test environment, you can use Compatibility Monitor to submit compatibility information to the Application Compatibility Toolkit (ACT) database for your organization. + +**To automatically monitor applications on your computer for compatibility issues** + +1. Start the Compatibility Monitor tool. + +2. In Compatibility Monitor, click **Start Monitoring**. + +3. Leave Compatibility Monitor running, and use the applications that you want to test for compatibility issues. + + Compatibility information is automatically detected during monitoring, and is silently submitted to the ACT database at regular intervals. + +4. After you finish testing applications, click **Stop Monitoring** to stop the automatic monitoring and submission of compatibility information. + +**To submit your compatibility rating for an application** + +1. Start the Compatibility Monitor tool. + +2. In Compatibility Monitor, click **Give Compatibility Feedback**. + + You can enter and submit compatibility ratings whether monitoring is on or off. The process of submitting your compatibility feedback is entirely independent of the monitoring process. + +3. Find your application in the list, and then select your compatibility rating for the application. + + You can select ratings for one or more applications. + +4. 
Click **Submit** to submit your compatibility ratings to the ACT database. + + A copy of your ratings is kept on your computer so that you can review and modify the ratings later. + +**To submit a description of a compatibility issue for an application** + +1. Start the Compatibility Monitor tool. + +2. In Compatibility Monitor, click **Give Compatibility Feedback**. + +3. Find your application in the list, and then click the **Add Details** link. + +4. In the **Title** box, enter a title for the compatibility issue. The title is typically a phrase that briefly describes the issue. Check with others in your organization to verify your organization’s preferred style for issue titles. + +5. In the **Description** box, enter a description of the compatibility issue. + +6. Optionally, attach a screen shot or a step-by-step recording of the compatibility issue. + +7. Click **Submit** to submit your compatibility issue to the ACT database. + + After submitting your compatibility issue, you cannot edit it later. To submit further compatibility issues, you will need to submit a new issue. + +## Related topics + + +[Common Compatibility Issues](common-compatibility-issues.md) + +  + +  + + + + + diff --git a/windows/plan/using-the-compatibility-administrator-tool.md b/windows/plan/using-the-compatibility-administrator-tool.md new file mode 100644 index 0000000000..09f3b30d05 --- /dev/null +++ b/windows/plan/using-the-compatibility-administrator-tool.md 
@@ -0,0 +1,88 @@ +--- +title: Using the Compatibility Administrator Tool (Windows 10) +description: This section provides information about using the Compatibility Administrator tool. +ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Using the Compatibility Administrator Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about using the Compatibility Administrator tool. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)

The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

[Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)

With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

[Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)

You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

[Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)

The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)

Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)

The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)

The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)

You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)

The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

+ +  + +  + +  + + + + + diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/plan/using-the-sdbinstexe-command-line-tool.md new file mode 100644 index 0000000000..26fdc888d1 --- /dev/null +++ b/windows/plan/using-the-sdbinstexe-command-line-tool.md @@ -0,0 +1,95 @@ +--- +title: Using the Sdbinst.exe Command-Line Tool (Windows 10) +description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. +ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Using the Sdbinst.exe Command-Line Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations. + +After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. + +## Command-Line Options for Deploying Customized Database Files + + +The command-line options use the following conventions. + +Sdbinst.exe \[-q\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] \[-?\] + +The following table describes the available command-line options. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription

-q

Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

+

For example,

+

sdbinst.exe -q

-u filepath

Performs an uninstallation of the specified database.

+

For example,

+

sdbinst.exe -u C:\example.sdb

-g GUID

Specifies the customized database to uninstall by a globally unique identifier (GUID).

+

For example,

+

sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3

-n "name"

Specifies the customized database to uninstall by file name.

+

For example,

+

sdbinst.exe -n "My_Database"

-?

Displays the Help for the Sdbinst.exe tool.

+

For example,

+

sdbinst.exe -?

+ +  + +## Related topics + + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/using-the-sua-tool.md b/windows/plan/using-the-sua-tool.md new file mode 100644 index 0000000000..978389cd95 --- /dev/null +++ b/windows/plan/using-the-sua-tool.md 
@@ -0,0 +1,88 @@ +--- +title: Using the SUA Tool (Windows 10) +description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. +ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Using the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. + +The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md). + +In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®. + +In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues. + +## Testing an Application by Using the SUA Tool + + +Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later. + +The following flowchart shows the process of using the SUA tool. + +![act sua flowchart](images/dep-win8-l-act-suaflowchart.jpg) + +**To collect UAC-related issues by using the SUA tool** + +1. Close any open instance of the SUA tool or SUA Wizard on your computer. + + If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. 
In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues. + +2. Run the Standard User Analyzer. + +3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it. + +4. Clear the **Elevate** check box, and then click **Launch**. + + If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. + +5. Exercise the aspects of the application for which you want to gather information about UAC issues. + +6. Exit the application. + +7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md). + +**To review and apply the recommended mitigations** + +1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**. + +2. Review the recommended compatibility fixes. + +3. Click **Apply**. + + The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked. + +## Related topics + + +[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) + +[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) + +[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md) + +[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md) + +  + +  + + + + + diff --git a/windows/plan/using-the-sua-wizard.md b/windows/plan/using-the-sua-wizard.md new file mode 100644 index 0000000000..7571be582c --- /dev/null +++ b/windows/plan/using-the-sua-wizard.md 
@@ -0,0 +1,86 @@ +--- +title: Using the SUA Wizard (Windows 10) +description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Using the SUA Wizard + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. + +For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). + +## Testing an Application by Using the SUA Wizard + + +You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. + +The following flowchart shows the process of using the SUA Wizard. + +![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg) + +**To test an application by using the SUA Wizard** + +1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. + +2. Run the Standard User Analyzer Wizard. + +3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. + +4. Click **Launch**. + + If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. 
+ + If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. + +5. In the application, exercise the functionality that you want to test. + +6. After you finish testing, exit the application. + + The SUA Wizard displays a message that asks whether the application ran without any issues. + +7. Click **No**. + + The SUA Wizard shows a list of potential remedies that you might use to fix the application. + +8. Select the fixes that you want to apply, and then click **Launch**. + + The application appears again, with the fixes applied. + +9. Test the application again, and after you finish testing, exit the application. + + The SUA Wizard displays a message that asks whether the application ran without any issues. + +10. If the application ran correctly, click **Yes**. + + The SUA Wizard closes the issue as resolved on the local computer. + + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + +## Related topics + + +[SUA User's Guide](sua-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md new file mode 100644 index 0000000000..29d76d517d --- /dev/null +++ b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md 
@@ -0,0 +1,55 @@ +--- +title: Viewing the Events Screen in Compatibility Administrator (Windows 10) +description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. +ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Viewing the Events Screen in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities. + +**Important**   +The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list. + +  + +**To open the Events screen** + +- On the **View** menu, click **Events**. + +## Handling Multiple Copies of Compatibility Fixes + + +Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names. + +If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion. 
+ +## Related topics + + +[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +  + +  + + + + + diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md new file mode 100644 index 0000000000..b1a40653dc --- /dev/null +++ b/windows/plan/viewing-your-compatibility-reports.md @@ -0,0 +1,85 @@ +--- +title: Viewing Your Compatibility Reports (Windows 10) +description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. +ms.assetid: a28bbfbe-5f05-4a1e-9397-0a3ceb585871 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Viewing Your Compatibility Reports + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)

This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.

[<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)

The <OperatingSystem> - Computer Report screen shows the following information for each computer in your organization:

[<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)

The <OperatingSystem> - Device Report screen shows the following information for each device installed in your organization:

[Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)

The Internet Explorer - Web Site Report screen shows the following information for each of the websites visited in your organization:

[Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md)

You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file.

[Customizing Your Report Views](customizing-your-report-views.md)

You can customize how you view your report data in Application Compatibility Manager (ACM).

+ +  + +## Related topics + + +[Organizing Your Compatibility Data](organizing-your-compatibility-data.md) + +[Filtering Your Compatibility Data](filtering-your-compatibility-data.md) + +[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) + +  + +  + + + + + diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md new file mode 100644 index 0000000000..10f108276b --- /dev/null +++ b/windows/plan/websiteurl-dialog-box.md 
@@ -0,0 +1,55 @@ +--- +title: WebsiteURL Dialog Box (Windows 10) +description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website. +ms.assetid: 0dad26e1-4bba-4fef-b160-3fa1f4325da8 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# <WebsiteURL> Dialog Box + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +In Application Compatibility Manager (ACM), the *<websiteURL>* dialog box shows information about the selected website. + +**To open the <WebsiteURL> Dialog Box** + +1. In ACM, in the **Quick Reports** pane, click **Analyze**. + +2. Under the **Internet Explorer** heading, click **Web Sites**. + +3. Double-click the URL for a website. + +## Using the <WebsiteURL> Dialog Box + + +In the *<websiteURL>* dialog box, you can perform the following actions: + +- Select your compatibility rating for the website. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). + +- Select your deployment status for the website. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). + +- Assign categories and subcategories to the website. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). + +- Specify the importance of the website to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). + +- Add or edit an issue for the selected website, and add or edit a solution. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md). + +  + +  + + + + + diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md new file mode 100644 index 0000000000..fdbbc6ad7d --- /dev/null +++ b/windows/plan/welcome-to-act.md 
@@ -0,0 +1,81 @@ +--- +title: Welcome to ACT (Windows 10) +description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. +ms.assetid: 3963db88-83d2-4b9a-872e-31c275d1a321 +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# Welcome to ACT + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[What's New in ACT 6.1](whats-new-in-act-60.md)

Two major updates have been released since ACT 6.1. They are ACT 6.1 Update and ACT 6.1 Update 2. The following table lists changes made in the Application Compatibility Toolkit (ACT), which is included in the Windows Assessment and Deployment Kit (ADK) download.

[Software Requirements for ACT](software-requirements-for-act.md)

The Application Compatibility Toolkit (ACT) has the following software requirements.

[Software Requirements for RAP](software-requirements-for-rap.md)

The runtime-analysis package (RAP) has the following software requirements.

+ +  + +## Related topics + + +[Configuring ACT](configuring-act.md) + +[Using ACT](using-act.md) + +[Troubleshooting ACT](troubleshooting-act.md) + +[ACT User Interface Reference](act-user-interface-reference.md) + +[ACT Product and Documentation Resources](act-product-and-documentation-resources.md) + +[ACT Glossary](act-glossary.md) + +[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) + +  + +  + + + + + diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md new file mode 100644 index 0000000000..c765ca62eb --- /dev/null +++ b/windows/plan/whats-new-in-act-60.md @@ -0,0 +1,83 @@ +--- +title: What's New in ACT 6.1 (Windows 10) +description: Two major updates have been released since ACT 6.1. +ms.assetid: f12e137d-0b55-4f7d-88e0-149302655d9b +ms.prod: W10 +ms.mktglfcycl: operate +ms.sitesec: library +author: TrudyHa +--- + +# What's New in ACT 6.1 + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +Two major updates have been released since ACT 6.1. They are ACT 6.1 Update and ACT 6.1 Update 2. The following table lists changes made in the Application Compatibility Toolkit (ACT), which is included in the Windows Assessment and Deployment Kit (ADK) download. + + ++++ + + + + + + + + + + + + + + +
VersionChanges
ACT 6.1 Update
    +
  • Support for Windows 10, including viewing Windows 10 reports on Application Compatibility Manager.
  • +
  • Bug fixes: this version of ACT fixed an issue where Inventory-Collector package would fail when it tried to inventory the system.
  • +
ACT 6.1 Update 2

Bug fixes: this version of ACT addresses the following bugs:

+
    +
  • Capability to create custom compatibility fixes for Windows versions other than the currently running version.

  • +
  • Fixed issue where Inventory-Collector Package crashes when running on some Windows 7 x86 systems.

  • +
  • Fixed issue where not specifying a tag for Inventory-Collector Package would cause an error in the log processing service. The result of this bug was that data collected by the Package would not be processed.

  • +
  • Fixed issue where Standard User Analyzer (SUA) returns an error when trying to apply mitigations to an app on Windows 7.

  • +
  • Fixed issue where ACT is unable to create custom compatibility fixes for 32-bit systems correctly.

  • +
+ +  + +**Note**   +The version numbers for ACT 6.1 Update and Update 2 are identical, so you will need to look at the product ID of ACT to tell them apart. To find the product ID, open ACT, go to **Help** > **About**, and compare the product ID to the following list. + +- **ACT 6.1 Update**: B264FCCB-3F1F-828F-CCF8-EDB93E860970 + +- **ACT 6.1 Update 2**: B2BC4686-29A9-9E9D-F2E4-7E20659EECE7 + +If you run into any of the bugs fixed in Update 2, you likely have ACT 6.1 Update or older. Please download the latest version in the Windows ADK. + +  + +## Related topics + + +[Software Requirements for ACT](software-requirements-for-act.md) + +[Software Requirements for RAP](software-requirements-for-rap.md) + +  + +  + + + + + diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md new file mode 100644 index 0000000000..1f9c40a938 --- /dev/null +++ b/windows/plan/windows-10-compatibility.md 
@@ -0,0 +1,54 @@ +--- +title: Windows 10 compatibility (Windows 10) +description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. +ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 +keywords: ["deploy", "upgrade", "update", "appcompat"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Windows 10 compatibility + + +**Applies to** + +- Windows 10 + +Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. + +For full system requirements, see [Windows 10 specifications](http://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. + +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. + +Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. + +For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. 
For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](http://go.microsoft.com/fwlink/p/?LinkId=734031) + +## Recommended application testing process + + +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: + +- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. + +- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. + +## Related topics + + +[Windows 10 servicing options](windows-10-servicing-options.md) + +[Windows 10 deployment considerations](windows-10-deployment-considerations.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md new file mode 100644 index 0000000000..422ff1b3af --- /dev/null +++ b/windows/plan/windows-10-deployment-considerations.md 
@@ -0,0 +1,141 @@ +--- +title: Windows 10 deployment considerations (Windows 10) +description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. +ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE +keywords: ["deploy", "upgrade", "update", "in-place"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Windows 10 deployment considerations + + +**Applies to** + +- Windows 10 + +There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. + +For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary. + +Windows 10 also introduces two additional scenarios that organizations should consider: + +- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications. + +- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device. + + Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process. + + So how do you choose? At a high level: + + ++++ + + + + + + + + + + + + + + + + + + + + +
Consider ...For these scenarios
In-place upgrade
    +
  • When you want to keep all (or at least most) existing applications

  • +
  • When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)

  • +
  • To migrate from Windows 10 to a later Windows 10 release

  • +
Traditional wipe-and-load
    +
  • When you upgrade significant numbers of applications along with the new Windows OS

  • +
  • When you make significant device or operating system configuration changes

  • +
  • When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs

  • +
  • When you migrate from Windows Vista or other previous operating system versions

  • +
Dynamic provisioning
    +
  • For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required

  • +
  • When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps

  • +
+ +  + +## Migration from previous Windows versions + + +For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. + +Note that the original Windows 8 release is only supported until January 2016. Organizations that do not think they can complete a full Windows 10 migration by that date should deploy Windows 8.1 now and consider Windows 10 after Windows 8 has been removed from the environment. + +For existing Windows PCs running Windows Vista, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware. + +Note that to take advantage of the limited-time free upgrade offer for PCs running Windows 7, Windows 8, or Windows 8.1, you must leverage an in-place upgrade, either from Windows Update or by using the upgrade media available from the [Windows 10 software download page](http://go.microsoft.com/fwlink/p/?LinkId=625073) to acquire a new Windows 10 license from the Windows Store. For more information, refer to the [Windows 10 FAQ](http://go.microsoft.com/fwlink/p/?LinkId=625074). + +For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed). + +For organizations that do not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements. 
+ +## Setup of new computers + + +For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use: + +- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](http://go.microsoft.com/fwlink/p/?LinkId=625075). + +- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=625076). + +In either of these scenarios, you can make a variety of configuration changes to the PC: + +- Transform the edition (SKU) of Windows 10 that is in use. + +- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on). + +- Install apps, language packs, and updates. + +- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management). 
+ +## Stay up to date + + +For computers already running Windows 10 on the Current Branch or Current Branch for Business, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods: + +- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. + +- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). Note that this will require updates to WSUS, which are only available for Windows Server 2012 and Windows Server 2012 R2, not previous versions. + +- System Center Configuration Manager task sequences (with Configuration Manager 2012, 2012 R2, and later versions). + +- System Center Configuration Manager vNext software update capabilities (deploying like an update). + +Note that these upgrades (which are installed differently than monthly updates) will leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements. + +Over time, this upgrade process will be optimized to reduce the overall time and network bandwidth consumed. + +## Related topics + + +[Windows 10 servicing options](windows-10-servicing-options.md) + +[Windows 10 compatibility](windows-10-compatibility.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md new file mode 100644 index 0000000000..91d543470a --- /dev/null 
+++ b/windows/plan/windows-10-guidance-for-education-environments.md @@ -0,0 +1,47 @@ +--- +title: Guidance for education environments (Windows 10) +description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. +ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Guidance for education environments + + +Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. + +## In this section + + + ++++ + + + + + + + + + + + + +
TopicDescription

[Chromebook migration guide](chromebook-migration-guide.md)

In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools.

+ +  + +  + +  + + + + + diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md new file mode 100644 index 0000000000..0718fc8270 --- /dev/null +++ b/windows/plan/windows-10-infrastructure-requirements.md 
@@ -0,0 +1,126 @@ +--- +title: Windows 10 infrastructure requirements (Windows 10) +description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 +keywords: ["deploy", "upgrade", "update", "hardware"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Windows 10 infrastructure requirements + + +**Applies to** + +- Windows 10 + +There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. + +## High-level requirements + + +For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. + +For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) + +## Deployment tools + + +A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](http://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1. 
+ +Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more). + +Microsoft Deployment Toolkit 2013 Update 1, available for download [here](http://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. + +For System Center Configuration Manager, Windows 10 support is offered with various releases: + +| Release | Windows 10 management? | Windows 10 deployment? | +|---------------------------------------------|------------------------|------------------------------------------------| +| System Center Configuration Manager 2007 | Yes, with a hotfix | No | +| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | +| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | + +  + +For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +## Management tools + + +In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](http://go.microsoft.com/fwlink/p/?LinkId=625081). 
See [Group Policy settings reference](http://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](http://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. + +No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. + +Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows: + +| Product | Required version | +|----------------------------------------------------------|--------------------------| +| Advanced Group Policy Management (AGPM) | AGPM 4.0 Service Pack 3 | +| Application Virtualization (App-V) | App-V 5.1 | +| Diagnostics and Recovery Toolkit (DaRT) | DaRT 10 | +| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) | +| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 | + +  + +For more information, see the [MDOP TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=625090). + +For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=625084) for more information. + +Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions: + +1. Select the **Options** node, and then click **Products and Classifications**. + +2. 
In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**. + +3. From the **Synchronizations** node, right-click and choose **Synchronize Now**. + +![figure 1](images/fig4-wsuslist.png) + +Figure 1. WSUS product list with Windows 10 choices + +Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](http://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) + +## Activation + + +Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers: + +| Product | Required update | +|----------------------------------------|---------------------------------------------------------------------------------------------| +| Windows 10 | None | +| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](http://go.microsoft.com/fwlink/p/?LinkId=625087) | +| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](http://go.microsoft.com/fwlink/p/?LinkId=625087) | +| Windows Server 2008 R2 and Windows 7 | Available by October 2015 | + +  + +Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. 
To find the needed keys: + +- Sign into the [Volume Licensing Service Center (VLSC)](http://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights. + +- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. + +- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) + +Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. + +## Related topics + + +[Windows 10 servicing options](windows-10-servicing-options.md) + +[Windows 10 deployment considerations](windows-10-deployment-considerations.md) + +[Windows 10 compatibility](windows-10-compatibility.md) + +  + +  + + + + + diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md new file mode 100644 index 0000000000..1ed3b55f95 --- /dev/null +++ b/windows/plan/windows-10-servicing-options.md 
@@ -0,0 +1,249 @@ +--- +title: Windows 10 servicing options (Windows 10) +description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. +ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A +keywords: ["deploy", "upgrade", "update", "servicing"] +ms.prod: W10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Windows 10 servicing options + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. + +Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a “wipe and load” process to deploy the new operating system version to existing machines, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, organizations would invest significant time and effort to complete the required tasks. + +With Windows 10, a new model is being adopted. Instead of new features being added only in new releases that happen every few years, the goal is to provide new features two to three times per year, continually providing new capabilities while maintaining a high level of hardware and application compatibility. This new model, referred to as Windows as a service, requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens “every few years”; it is a continual process. + +To support this process, you need to use simpler deployment methods. 
By combining these simpler methods (for example, in-place upgrade) with new techniques to deploy in phases to existing devices, you can reduce the amount of effort required overall, by taking the effort that used to be performed as part of a traditional deployment project and spreading it across a broad period of time. + +## Key terminology + + +With the shift to this new Windows as a service model, it is important to understand the distinction between two key terms: + +- **Upgrade**. A new Windows 10 release that contains additional features and capabilities, released two to three times per year. + +- **Update**. Packages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature. + +In addition to these terms, some additional concepts need to be understood: + +- **Branches**. The concept of “branching” goes back many years, and represents how Windows has traditionally been written and serviced: Each release was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because of the increased frequency of upgrades. + +- **Rings**. The concept of “rings” defines a mechanism for Windows 10 deployment to targeted groups of PCs; each ring represents another group. These are used as part of the release mechanism for new Windows 10 upgrades, and should be used internally by organizations to better control the upgrade rollout process. + +## Windows 10 branch overview + + +To support different needs and use cases within your organization, you can select among different branches: + +![branches](images/branch.png) + +- **Windows Insider Program**. 
To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, small numbers of PCs can leverage the Windows Insider Program branch. These would typically be dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices. + +- **Current Branch**. For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features. + +- **Current Branch for Business**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time. + +- **Long-Term Servicing Branch**. For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.) + +Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. 
Some examples: + +| Industry | Windows Insider Program | Current Branch | Current Branch for Business | Long-Term Servicing Branch | +|--------------------|-------------------------|----------------|-----------------------------|----------------------------| +| Retail | <1% | 10% | 60% | 30% | +| Manufacturing | <1% | 10% | 55% | 45% | +| Pharmaceuticals | <1% | 10% | 50% | 40% | +| Consulting | 10% | 50% | 35% | 5% | +| Software developer | 30% | 60% | 5% | 5% | + +  + +Because every organization is different, the exact breakdown will vary even within a specific industry; these should be considered only examples, not specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch. + +- Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features. + +- Manufacturers typically have critical devices (for example, control systems) in factories; these are also good candidates for the Long-Term Servicing Branch. But as with retailers, information workers that support those factories are better suited to the Current Branch for Business. + +- Pharmaceutical firms often have regulatory requirements for PCs used for the development of their products, which are best satisfied by using Long-Term Servicing Branch. But not all PCs are subject to these regulatory requirements; those that are not can use the Current Branch for Business. + +- Consulting firms want their employees to have the latest functionality so they can be as productive as possible. They also want to develop expertise with new capabilities as soon as possible, hence more emphasis on Current Branch. 
But they also have information workers that provide services to the consultants; these workers can leverage Current Branch for Business. + +- Software developers typically work on software that will release in conjunction with a new Windows upgrade. To enable that, a significant percentage of developers may use the Windows Insider Program preview branch for initial efforts, which shifts to Current Branch as development progresses. + +Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them. + +For more information about the Windows as a service model, refer to [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md). + +## Current Branch versus Current Branch for Business + + +When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded. + +The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM). + +![figure 1](images/fig1-deferupgrades.png) + +Figure 1. Configure the **Defer upgrades** setting + +Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. 
With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period. + +For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later. + +With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager. + +For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015. + +With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. 
These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10. + +Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule: + +- Begin your evaluation process with the Windows Insider Program releases. + +- Perform initial pilot deployments by using the Current Branch. + +- Expand to broad deployment after the Current Branch for Business is available. + +- Complete deployments by using that release in advance of the availability of the next Current Branch. + +![figure 2](images/fig2-deploymenttimeline.png) + +Figure 2. Deployment timeline + +Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release: + +![figure 3](images/fig3-overlaprelease.png) + +Figure 3. Overlapping releases + +As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall. + +## Long-Term Servicing Branch + + +For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. 
These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS. + +These LTSB images can be used to upgrade existing machines or to create new custom images. + +Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps. + +As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them. + +## Windows Insider Program + + +During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process. + +To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account. + +Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation. 
+ +## Switching between branches + + +During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
For a PC that uses…Changing to…You need to:
Windows Insider ProgramCurrent BranchWait for the final Current Branch release.
Current Branch for BusinessNot directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Current BranchInsiderUse the Settings app to enroll the device in the Windows Insider Program.
Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Current Branch for BusinessInsiderUse the Settings app to enroll the device in the Windows Insider Program.
Current BranchDisable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Long-Term Servicing BranchInsiderUse media to upgrade to the latest Windows Insider Program build.
Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
+ +  + +## Related topics + + +[Windows 10 deployment considerations](windows-10-deployment-considerations.md) + +[Windows 10 compatibility](windows-10-compatibility.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md new file mode 100644 index 0000000000..3f8e61bb9f --- /dev/null +++ b/windows/plan/windows-to-go-frequently-asked-questions.md 
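Review bot: the "Switching between branches" table calls the setting "Defer upgrade" in two rows while the body text and Figure 1 call it **Defer upgrades**; use one name, since that is the string admins will search for in the Settings app and in Group Policy. The table itself arrives in this hunk as a long run of empty added lines followed by the row text with no column separators (For a PC that uses…, Changing to…, You need to:), so it is hard to review for accuracy; a markdown pipe table in the file's own style would be easier to maintain. Also, "more details on these capabilities will be provided when they are available later in 2015" is a dated promise that will read as stale soon after merge; consider dropping the date.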
@@ -0,0 +1,454 @@ +--- +title: Windows To Go frequently asked questions (Windows 10) +description: Windows To Go frequently asked questions +ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e +keywords: ["FAQ, mobile, device, USB"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Windows To Go: frequently asked questions + + +**Applies to** + +- Windows 10 + +The following list identifies some commonly asked questions about Windows To Go. + +- [What is Windows To Go?](#wtg-faq-whatis) + +- [Does Windows To Go rely on virtualization?](#wtg-faq-virt) + +- [Who should use Windows To Go?](#wtg-faq-who) + +- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy) + +- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs) + +- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports) + +- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port) + +- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed) + +- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro) + +- [How can Windows To Go be managed in an organization?](#wtg-faq-mng) + +- [How do I make my computer boot from USB?](#wtf-faq-startup) + +- [Why isn’t my computer booting from USB?](#wtg-faq-noboot) + +- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise) + +- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker) + +- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) + +- [What power states does Windows To Go support?](#wtg-faq-power) + +- [Why is hibernation disabled in Windows To Go?](#wtg-faq-hibernate) + +- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) + +- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot) + +- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. 
Why not?](#wtg-faq-diskpart) + +- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) + +- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) + +- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost) + +- [Does Windows To Go work with ARM processors?](#wtg-faq-arm) + +- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync) + +- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz) + +- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact) + +- [Can I use all Windows features on Windows To Go?](#wtg-faq-features) + +- [Can I use all my applications on Windows To Go?](#wtg-faq-approam) + +- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow) + +- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss) + +- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac) + +- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api) + +- [How is Windows To Go licensed?](#wtg-faq-lic) + +- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) + +- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) + +- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) + +- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. 
Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) + +- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) + +- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict) + +- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) + +## What is Windows To Go? + + +Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. + +## Does Windows To Go rely on virtualization? + + +No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. + +## Who should use Windows To Go? + + +Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. + +## How can Windows To Go be deployed in an organization? + + +Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: + +- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) + +- A Windows 10 Enterprise or Windows 10 Education image + +- A Windows 10 Enterprise or Windows 10 Education host PC that can be used to provision new USB keys + +You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. 
See the [Windows To Go Step by Step](http://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. + +## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? + + +No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. + +## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? + + +Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. + +## How do I identify a USB 3.0 port? + + +USB 3.0 ports are usually marked blue or carry a SS marking on the side. + +## Does Windows To Go run faster on a USB 3.0 port? + + +Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. + +## Can the user self-provision Windows To Go? + + +Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise and Windows 10 Education. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](http://go.microsoft.com/fwlink/p/?LinkID=618746). + +## How can Windows To Go be managed in an organization? + + +Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. 
Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. + +## How do I make my computer boot from USB? + + +For host computers running Windows 10 + +- Using Cortana, search for **Windows To Go startup options**, and then press Enter. +- In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. + +For host computers running Windows 8 or Windows 8.1: + +Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. + +In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. + +**Note**   +Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. + +  + +If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. + +To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.) + +After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. + +Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. + +For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](http://go.microsoft.com/fwlink/p/?LinkID=618951). 
+ +**Warning**   +Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. + +  + +## Why isn’t my computer booting from USB? + + +Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: + +1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. + +2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. + +3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. + +If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. + +## What happens if I remove my Windows To Go drive while it is running? + + +If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. + +**Warning**   +You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. + +  + +## Can I use BitLocker to protect my Windows To Go drive? 
+ + +Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. + +## Why can’t I enable BitLocker from Windows To Go Creator? + + +Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. + +When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: + +1. **Control use of BitLocker on removable drives** + + If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. + +2. **Configure use of smart cards on removable data drives** + + If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. + +3. **Configure use of passwords for removable data drives** + + If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. 
+ +Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. + +## What power states does Windows To Go support? + + +Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. + +## Why is hibernation disabled in Windows To Go? + + +When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). + +## Does Windows To Go support crash dump analysis? + + +Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. + +## Do “Windows To Go Startup Options” work with dual boot computers? + + +Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. 
+ +If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. + +## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? + + +Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. + +**Warning**   +It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. + +  + +## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? + + +Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. 
+ +**Warning**   +It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + +  + +## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? + + +This is done to allow Windows To Go to boot from UEFI and legacy systems. + +## Is Windows To Go secure if I use it on an untrusted computer? + + +While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. + +## Does Windows To Go work with ARM processors? + + +No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. + +## Can I synchronize data from Windows To Go with my other computer? + + +To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. + +## What size USB flash drive do I need to make a Windows To Go drive? + + +The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. 
+ +## Do I need to activate Windows To Go every time I roam? + + +No, Windows To Go requires volume activation; either using the [Key Management Service](http://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. + +## Can I use all Windows features on Windows To Go? + + +Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. + +## Can I use all my applications on Windows To Go? + + +Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. + +## Does Windows To Go work slower than standard Windows? 
+ + +If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. + +## If I lose my Windows To Go drive, will my data be safe? + + +Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. + +## Can I boot Windows To Go on a Mac? + + +We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. + +## Are there any APIs that allow applications to identify a Windows To Go workspace? + + +Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. + +Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. + +For more information, see the MSDN article on the [Win32\_OperatingSystem class](http://go.microsoft.com/fwlink/p/?LinkId=619059). + +## How is Windows To Go licensed? + + +Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. 
With Windows To Go use rights under [Software Assurance](http://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. + +## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? + + +No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. + +## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? + + +Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. + +## Why does the operating system on the host computer matter? + + +It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. + +## My host computer running Windows 7 is protected by BitLocker Drive Encryption. 
Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? + + +The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. + +You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: + +1. Log on to the host computer using an account with administrator privileges. + +2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. + +3. Click **Suspend Protection** for the operating system drive. + + A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. + +4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](http://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. + +5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) + +6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. + +7. Click **Resume Protection** to re-enable BitLocker protection. + +The host computer will now be able to be booted from a USB drive without triggering recovery mode. 
+ +**Note**   +The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. + +  + +## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? + + +Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: + +1. Open a command prompt with full administrator permissions. + + **Note**   + If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. + +   + +2. Start the [diskpart](http://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt. + +3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. + +4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. + +## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? + + +One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. 
+ +In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + +This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. + +## How do I upgrade the operating system on my Windows To Go drive? + + +There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. + +## Additional resources + + +- [Windows 10 forums](http://go.microsoft.com/fwlink/p/?LinkId=618949) + +- [Windows To Go Step by Step Wiki](http://go.microsoft.com/fwlink/p/?LinkId=618950) + +- [Windows To Go: feature overview](windows-to-go-overview.md) + +- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +  + +  + + + + + diff --git a/windows/plan/windows-to-go-overview.md b/windows/plan/windows-to-go-overview.md new file mode 100644 index 0000000000..a84b375c14 --- /dev/null 
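Review bot: the "reformatted it – why doesn't it have a drive letter" procedure stops at step 4 (`clean`), which removes all partitions and formatting but leaves the reader with a drive that still has no volume and no drive letter, which is the very problem the heading promises to fix; either add the steps that recreate a partition, format it and assign a letter, or say explicitly that the drive has to be repartitioned afterwards. Step 3 refers to "the `list` command", which is incomplete for diskpart; write `list disk` so it matches `select disk`. In the BitLocker recovery-key steps, the dialog text in step 3 already warns that data is unprotected while BitLocker is suspended, so add a sentence making clear that the operating system drive stays unprotected until step 7 and the reboots in steps 4 and 5 should be done in one sitting.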
+++ b/windows/plan/windows-to-go-overview.md 
@@ -0,0 +1,279 @@ +--- +title: Windows To Go feature overview (Windows 10) +description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. +ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 +keywords: ["workspace, mobile, installation, image, USB, device, image"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Windows To Go: feature overview + + +**Applies to** + +- Windows 10 + +Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. + +PCs that meet the Windows 7 or later [certification requirements](http://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go: + +- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) + +- [Roaming with Windows To Go](#bkmk-wtgroam) + +- [Prepare for Windows To Go](#wtg-prep-intro) + +- [Hardware considerations for Windows To Go](#wtg-hardware) + +**Note**   +Windows To Go is not supported on Windows RT. + +  + +## Differences between Windows To Go and a typical installation of Windows + + +Windows To Go workspace operates just like any other installation of Windows with a few exceptions. 
These exceptions are: + +- **Internal disks are offline.** To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer. + +- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers. + +- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings. + +- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows. + +- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer’s standard for the computer doesn’t apply when running a Windows To Go workspace, so the feature was disabled. + +- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. + +## Roaming with Windows To Go + + +Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically. 
+ +The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers. + +## Prepare for Windows To Go + + +Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. + +These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. + +**Important**   +Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. + +  + +As you decide what to include in your Windows To Go image, be sure to consider the following questions: + +Are there any drivers that you need to inject into the image? + +How will data be stored and synchronized to appropriate locations from the USB device? + +Are there any applications that are incompatible with Windows To Go roaming that should not be included in the image? + +What should be the architecture of the image - 32bit/64bit? + +What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network? + +For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). 
+ +## Hardware considerations for Windows To Go + + +**For USB drives** + +The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following: + +- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly. + +- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later. + +- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details. + +As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives: + +**Warning**   +Using a USB drive that has not been certified is not supported + +  + +- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](http://go.microsoft.com/fwlink/p/?LinkId=618714)) + +- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](http://go.microsoft.com/fwlink/p/?LinkId=618717)) + +- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](http://go.microsoft.com/fwlink/p/?LinkId=618718)) + +- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](http://go.microsoft.com/fwlink/p/?LinkId=618719)) + +- Spyrus Portable Workplace ([http://www.spyruswtg.com/](http://go.microsoft.com/fwlink/p/?LinkId=618720)) + + We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace. 
+ +- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](http://go.microsoft.com/fwlink/p/?LinkId=618720)) + + **Important**   + You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](http://go.microsoft.com/fwlink/p/?LinkId=618720). + +   + +- Spyrus Worksafe ([http://www.spyruswtg.com/](http://go.microsoft.com/fwlink/p/?LinkId=618720)) + + **Tip**   + This device contains an embedded smart card. + +   + +- Super Talent Express RC4 for Windows To Go + + -and- + + Super Talent Express RC8 for Windows To Go + + ([http://www.supertalent.com/wtg/](http://go.microsoft.com/fwlink/p/?LinkId=618721)) + +- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](http://go.microsoft.com/fwlink/p/?LinkId=618722)) + + We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](http://go.microsoft.com/fwlink/p/?LinkId=618722) + +**For host computers** + +When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria: + +- Hardware that has been certified for use with Windows 7or later operating systems will work well with Windows To Go. + +- Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario. + +- Running a Windows To Go workspace on a Mac computer is not a supported scenario. + +The following table details the characteristics that the host computer must have to be used with Windows To Go: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ItemRequirement

Boot process

Capable of USB boot

Firmware

USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB)

Processor architecture

Must support the image on the Windows To Go drive

External USB Hubs

Not supported; connect the Windows To Go drive directly to the host machine

Processor

1 Ghz or faster

RAM

2 GB or greater

Graphics

DirectX 9 graphics device with WDDM 1.2 or greater driver

USB port

USB 2.0 port or greater

+ +  + +**Checking for architectural compatibility between the host PC and the Windows To Go drive** + +In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Host PC Firmware TypeHost PC Processor ArchitectureCompatible Windows To Go Image Architecture

Legacy BIOS

32-bit

32-bit only

Legacy BIOS

64-bit

32-bit and 64-bit

UEFI BIOS

32-bit

32-bit only

UEFI BIOS

64-bit

64-bit only

+ +  + +## Additional resources + + +- [Windows 10 forums](http://go.microsoft.com/fwlink/p/?LinkId=618949) + +- [Windows To Go Step by Step Wiki](http://go.microsoft.com/fwlink/p/?LinkId=618950) + +- [Tips for configuring your BIOS settings to work with Windows To Go](http://go.microsoft.com/fwlink/p/?LinkId=618951) + +## Related topics + + +- [Deploy Windows To Go in your organization](http://go.microsoft.com/fwlink/p/?LinkId=619975) + +- [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + +- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +- [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) + +  + +  + + + + + diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md new file mode 100644 index 0000000000..b936f37735 --- /dev/null +++ b/windows/plan/windows-update-for-business.md 
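Review bot: the "Internal disks are offline" bullet says host disks are offline "by default" but never says whether that default can be changed or what it protects against in concrete terms (host data readable from a workspace the host owner does not control, and workspace data readable from a running host); either document how the default can be changed and the exposure that creates, or drop "by default" if the behaviour is fixed. Smaller points in the same hunk: "Windows 7or later" under "For host computers" is missing a space; the five planning questions under "Prepare for Windows To Go" are bare paragraphs while every other enumeration in the file is a bulleted list; and the Warning text "Using a USB drive that has not been certified is not supported" has no terminating period.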
@@ -0,0 +1,123 @@ +--- +title: Windows Update for Business (Windows 10) +description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. +ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6 +keywords: ["update", "upgrade", "deployment", "WSUS"] +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +author: TrudyHa +--- + +# Windows Update for Business + + +**Applies to** + +- Windows 10 + +Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. + +## Introduction + + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. By using [Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=699281). + +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. 
Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://go.microsoft.com/fwlink/p/?LinkId=734043) and [System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=734044). + +## Deploy Windows Update for Business in your organization + + +For Windows 10, version 1511, Windows Update for Business is enabled using a set of client-side configurations, allowing you to manage how and when Windows-based devices receive updates and upgrades. These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls to help businesses validate update quality as well as time their update deployments to machines through the use of Group Policy Objects. Windows Update for Business also incorporates smart peer-to-peer networking for distribution of Windows updates, which will help maintain bandwidth efficiency in the absence of a WSUS solution. + +## Eligible devices + + +All devices running Windows 10 Pro, Enterprise, and Education on the Current Branch for Business (CBB) are Windows Update for Business eligible. + +## OS upgrades and updates + + +In Windows 10, Windows Update for Business recognizes three deployment categories that clients receive from Windows Update: + +- **Upgrades** + + - Examples: Windows 10 (Build 10240) to Windows 10, version 1511; CBB 1 to CBB 2 + + **Note**   + In the Windows 10 servicing model, new CBBs will be declared 2-3 times per year. + +   + +- **Updates** + + - General OS updates, typically released the second Tuesday of each month. These include Security, Critical, and Driver updates. 
+ +- **Other/non-deferrable** + + - Definition updates (these cannot be deferred) + +Both upgrades and updates can be deferred from deployment to client machines by a Windows Update for Business administrator within a bounded rage of time from when those updates are first made available on the Windows Update service. This deferral capability allows administrators to validate deployments as they are pushed to all their Windows Update for Business enrolled clients. The following table defines maximum deferral periods allowed by deployment type: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CategoryMaximum deferralDeferral incrementsClassification typeClassification GUID
OS upgrades8 months1 monthUpgrade3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
OS updates4 weeks1 weekSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
DriversEBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
UpdatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Other/non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
+ +## Related topics + + +[Setup and deployment](setup-and-deployment.md) + +[Integration with management solutions](integration-with-management-solutions-.md) + +[Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md) + +  + +  + + + + + diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md new file mode 100644 index 0000000000..c8901b35ec --- /dev/null +++ b/windows/whats-new/TOC.md @@ -0,0 +1,20 @@ +# [What's new in Windows 10](index.md) +## [Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md) +## [AppLocker](applocker.md) +## [BitLocker](bitlocker.md) +## [Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md) +## [Credential Guard](credential-guard.md) +## [Device Guard](device-guard-overview.md) +## [Enterprise data protection (EDP)](edp-whats-new-overview.md) +## [Enterprise management for Windows 10 devices](device-management.md) +## [Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md) +## [Microsoft Passport](microsoft-passport.md) +## [Provisioning packages](new-provisioning-packages.md) +## [Security](security.md) +## [Security auditing](security-auditing.md) +## [Trusted Platform Module](trusted-platform-module.md) +## [User Account Control](user-account-control.md) +## [Windows spotlight on the lock screen](windows-spotlight.md) +## [Windows Store for Business overview](windows-store-for-business-overview.md) +## [Windows Update for Business](windows-update-for-business.md) + diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md new file mode 100644 index 0000000000..1921961c20 --- /dev/null +++ b/windows/whats-new/applocker.md 
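Review bot: "within a bounded rage of time" in the deferral paragraph should read "range of time". In the deferral table, the Drivers and Updates rows carry only a classification type and a GUID because the "Maximum deferral" and "Deferral increments" cells for OS updates are meant to span three rows; once the table is flattened those rows lose their 4 weeks / 1 week values, so repeat the values on each row or state in the text that all three classifications share the OS-updates deferral limits. Also "use the Windows Update service like any other Windows 10 clients, but provides controls" mixes plural and singular; make it "client ... but provides" or "clients ... but provide".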
@@ -0,0 +1,41 @@ +--- +title: What's new in AppLocker (Windows 10) +description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. +ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# What's new in AppLocker? + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. + +In Windows 10, AppLocker has added some improvements. + +## New features in Windows 10 + + +- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. + +- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. + +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). + +[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md). + +  + +  + + + + + diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md new file mode 100644 index 0000000000..2d2adc6cff --- /dev/null +++ b/windows/whats-new/bitlocker.md 
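Review bot: the second and third bullets under "New features in Windows 10" both point at the same AppLocker CSP page and say the same thing (enable AppLocker rules through an MDM server, including on Windows 10 Mobile); merge them into one bullet. In the first bullet, "set the **ServiceEnforcement** to **Enabled**" is missing its noun, presumably "parameter", and "was add to allow" in the second bullet should be "was added to allow".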
@@ -0,0 +1,60 @@ +--- +title: What's new in BitLocker (Windows 10) +description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. +ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# What's new in BitLocker? + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. + +## New features in Windows 10, version 1511 + + +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + + It provides the following benefits: + + - The algorithm is FIPS-compliant. + + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + + **Note**   + Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + +   + +## New features in Windows 10 + + +- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. 
When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. + +- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. + +- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md). + +[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md). + +## Related topics + + +[Trusted Platform Module](../keep-secure/trusted-platform-module-overview.md) + +  + +  + + + + + diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md new file mode 100644 index 0000000000..2e451088c6 --- /dev/null +++ b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md 
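Review bot: the XTS-AES bullet lists the tools that can manage the new algorithm (BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, WMI) but not where the algorithm is chosen, so a reader cannot act on it; name the setting or link to the Group Policy topic the way the pre-boot recovery bullet links to [BitLocker Group Policy settings]. The Note should state the consequence plainly: a removable drive encrypted with XTS-AES cannot be read on "older version of Windows" (should be "older versions"), which is the reason AES-CBC is still recommended for removable drives. "recover URL" in the pre-boot recovery bullet should be "recovery URL", and the Azure Active Directory bullet should say who can retrieve the escrowed recovery key, since escrow is a security boundary as much as a convenience.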
@@ -0,0 +1,109 @@ +--- +title: Change history for What's new in Windows 10 (Windows 10) +description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Change history for What's new in Windows 10 + + +This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## February 2016 + + + ++++ + + + + + + + + + + + + +
New or changed topicDescription
[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)

Updated to include policy setting names for USB filter and Toast notification filter

+ +  + +## January 2016 + + + ++++ + + + + + + + + + + + + +
New or changed topicDescription
[Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md)

Updated to include the "Applies to" section

+ +  + +## December 2015 + + +| New or changed topic | Description | +|---------------------------------------------------------------|-------------| +| [Security](security.md) | New | +| [Windows Update for Business](windows-update-for-business.md) | New | + +  + +## November 2015 + + +| New or changed topic | Description | +|------------------------------------------------------------------------------------------------------------------|-------------| +| [AppLocker](applocker.md) | New | +| [BitLocker](bitlocker.md) | New | +| [Credential Guard](credential-guard.md) | New | +| [Device Guard](device-guard-overview.md) | New | +| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | New | +| [Security auditing](security-auditing.md) | New | +| [Trusted Platform Module](trusted-platform-module.md) | New | +| [Windows spotlight on the lock screen](windows-spotlight.md) | New | +| [Windows Store for Business overview](windows-store-for-business-overview.md) | New | + +  + +## Related topics + + +[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) + +[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) + +[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) + +[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) + +  + +  + + + + + diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md new file mode 100644 index 0000000000..27c035b5ad --- /dev/null +++ b/windows/whats-new/credential-guard.md 
@@ -0,0 +1,44 @@ +--- +title: What's new in Credential Guard (Windows 10) +description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# What's new in Credential Guard? + + +**Applies to** + +- Windows 10 + +Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. + +## New features in Windows 10, version 1511 + + +- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: + + - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. + + - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. + + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + +- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. + +- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. + +[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md). 
+ +  + +  + + + + + diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md new file mode 100644 index 0000000000..e9bb342203 --- /dev/null +++ b/windows/whats-new/device-guard-overview.md 
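Review bot: the "Enable Credential Guard without UEFI lock" bullet in credential-guard.md says the registry-only configuration "allows you to disable Credential Guard remotely" and then recommends UEFI lock without saying why; add one sentence on the trade-off, namely what the lock protects against (the same registry path being used later to switch the protection off again), so readers understand what they give up by choosing remote manageability. Also, ms.assetid in this file, and in device-guard-overview.md, device-management.md and index.md, is uppercase, while edge-ie11-whats-new-overview.md and edp-whats-new-overview.md use lowercase; pick one form for the new files.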
@@ -0,0 +1,164 @@ +--- +title: Device Guard overview (Windows 10) +description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. +ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2 +keywords: ["Device Guard"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# Device Guard overview + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. + +Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. + +For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). + +## Why use Device Guard + + +With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. 
+ +Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210). + +### Advantages to using Device Guard + +You can take advantage of the benefits of Device Guard, based on what you turn on and use: + +- Helps provide strong malware protection with enterprise manageability +- Helps provide the most advanced malware protection ever offered on the Windows platform +- Offers improved tamper resistance + +## How Device Guard works + + +Device Guard restricts the Windows 10 Enterprise operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including: + +- User Mode Code Integrity (UMCI) + +- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints) + +- Secure Boot with database (db/dbx) restrictions + +- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering. + +- **Optional:** Trusted Platform Module (TPM) 1.2 or 2.0 + +Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10 Enterprise. After that, Device Guard works to help protect your devices: + +1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 Enterprise starts before anything else. + +2. After securely starting up the Windows boot components, Windows 10 Enterprise can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. 
These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup. + +3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run. + +4. At the same time that Windows 10 Enterprise starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates. + +## Required hardware and software + + +The following table shows the hardware and software you need to install and configure to implement Device Guard. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
RequirementDescription

Windows 10 Enterprise

The PC must be running Windows 10 Enterprise.

UEFI firmware version 2.3.1 or higher and Secure Boot

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.

Virtualization extensions

The following virtualization extensions are required to support virtualization-based security:

+
    +
  • Intel VT-x or AMD-V
  • +
  • Second Level Address Translation
  • +

Firmware lock

The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. You should also disable boot methods other than from the hard drive.

x64 architecture

The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

+ +  + +## Before using Device Guard in your company + + +Before you can successfully use Device Guard, you must set up your environment and your policies. + +### Signing your apps + +Device Guard mode supports both UWP apps and Classic Windows applications. Trust between Device Guard and your apps happen when your apps are signed using a signature that you determine to be trustworthy. Not just any signature will work. + +This signing can happen by: + +- **Using the Windows Store publishing process.** All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own. + +- **Using your own digital certificate or public key infrastructure (PKI).** ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers. + +- **Using a non-Microsoft signing authority.** ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications. + +- **Use the Device Guard signing portal**. Available in the Windows Store for Business, you can use a Microsoft web service to sign your Classic Windows applications. For more info, see [Device Guard signing](../manage/device-guard-signing-portal.md). + +### Code Integrity policy + +Before you can use the app protection included in Device Guard, you must create a Code Integrity policy using tools provided by Microsoft, but deployed using your current management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. This policy restricts what code can run on a device. + +For the Device Guard feature, devices should only have Code Integrity pre-configured if the settings are provided by a customer for a customer-provided image. 
+ +**Note**  This XML document can be signed in Windows 10 Enterprise, helping to add additional protection against administrative users changing or removing this policy. + +  + +### Virtualization-based security using Windows 10 Enterprise Hypervisor + +Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. + +**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers - legacy drivers can be updated - and have all virtualization capabilities turned on. This includes virtualization extensions and input/output memory management unit (IOMMU) support. + +  + +  + +  + + + + + diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md new file mode 100644 index 0000000000..acf0982f94 --- /dev/null +++ b/windows/whats-new/device-management.md 
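Review bot: in the "Required hardware and software" table of device-guard-overview.md, the IOMMU row ends with a footnote marker (¹) but no footnote text appears anywhere in the file; add the note or drop the marker. The same table is hand-written HTML with a nested list inside the "Virtualization extensions" cell; the pipe-table form used in device-management.md ("| Area | Choices |") would be easier to maintain, with "Intel VT-x or AMD-V" and "Second Level Address Translation" listed inline. Minor wording in "Signing your apps": "Trust ... happen" should be "happens", "ISV's" should be "ISVs", and the fourth bullet starts "Use the" where the other three start "Using".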
@@ -0,0 +1,123 @@ +--- +title: Enterprise management for Windows 10 devices (Windows 10) +description: Windows 10 provides mobile device management (MDM) capabilities that enable enterprise-level management of devices. +ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +--- + +# Enterprise management for Windows 10 devices + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +## MDM support + + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. To learn more about policies, see [Configuration service provider reference for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533046). + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. + +## Unenrollment + + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +## Infrastructure + + +Enterprises have the following identity and management choices. 
+ +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + +  + +**Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512). + +  + +## Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. + +- A portable device that drivers can use to check a route on a map. + +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select. + +You can also configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen. + +## Updates + + +With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies. + +While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements. 
+ +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md). + +## Easier certificate management + + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Microsoft Passport in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. + +## Learn more + + +[Windows 10: Manageability Choices](http://go.microsoft.com/fwlink/p/?LinkId=533886) + +[Windows 10: Management](http://go.microsoft.com/fwlink/p/?LinkId=533887) + +[Windows 10 Technical Preview Fundamentals for IT Pros: Windows 10 Management and Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533888) + +[Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172) + +Active Directory blog posts on Azure AD and Windows 10: + +- [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility!](http://go.microsoft.com/fwlink/p/?LinkId=619025) + +- [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) + +- [Azure AD on Windows 10 Personal Devices]( http://go.microsoft.com/fwlink/p/?LinkId=619028) + +- [Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!](http://go.microsoft.com/fwlink/p/?LinkID=615765) + +## Related topics + + +[Manage corporate devices](../manage/manage-corporate-devices.md) + +[Microsoft Passport](microsoft-passport.md) + +[Enterprise Data Protection Overview](edp-whats-new-overview.md) + +  + +  + + + + + 
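Review bot: the "Easier certificate management" section of device-management.md names two enrollment paths, direct PFX deployment and SCEP, without saying how they differ or when to prefer one; a sentence on that would help readers choose, and the opening sentence ("For Windows 10-based devices, you can use ... in your enterprise.") should be split in two while you are there. In "Unenrollment", the personal-device paragraph says enterprise apps are removed but not what happens to the data those apps created; say whether that goes with the app.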
diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md new file mode 100644 index 0000000000..5fe335ccb1 --- /dev/null +++ b/windows/whats-new/edge-ie11-whats-new-overview.md 
@@ -0,0 +1,55 @@ +--- +title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) +description: Resources to help you explore the Windows 10 browsing options for your enterprise. +ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Browser: Microsoft Edge and Internet Explorer 11 +**Microsoft Edge content applies to:** + +- Windows 10 +- Windows 10 Mobile + +**Internet Explorer 11 content applies to:** + +- Windows 10 + +## Enterprise guidance +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956). + +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. + +### Microsoft Edge +Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. + +- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. +- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. +- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. 
+- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. + +### IE11 +IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. + +- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. +- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. +- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. +- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. +- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. +- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. 
+ +## Related topics +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx) +- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie) +- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) +- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) +- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) +  + + + + + diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md new file mode 100644 index 0000000000..36c34d0cea --- /dev/null +++ b/windows/whats-new/edp-whats-new-overview.md 
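Review bot: in Related topics of edge-ie11-whats-new-overview.md, the last entry, "IEAK 11 - Internet Explorer Administration Kit 11 Users Guide", points at the same URL as the "Internet Explorer 11 - Deployment Guide for IT Pros" entry above it (https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index); this looks like a copy-paste slip, so link it to the IEAK 11 guide. Also the front-matter title reads "Browser Microsoft Edge and Internet Explorer 11" while the H1 is "Browser: Microsoft Edge and Internet Explorer 11"; add the colon so they match.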
@@ -0,0 +1,104 @@ +--- +title: Enterprise data protection (EDP) overview (Windows 10) +description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. +ms.assetid: 42ba3135-cb5e-478b-b1ff-b6eb76f0df14 +keywords: ["EDP Overview", "EDP"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: eross-msft +--- + +# Enterprise data protection (EDP) overview +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] + +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. + +Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared. 
+ +## Benefits of EDP +EDP provides: +- Additional protection against enterprise data leakage, with minimal impact on employees’ regular work practices. + +- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps. + +- Additional data protection for existing line-of-business apps without a need to update the apps. + +- Ability to wipe corporate data from devices while leaving personal data alone. + +- Use of audit reports for tracking issues and remedial actions. + +- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later)’, or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company. + +- Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys. + +- Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490). + +## Enterprise scenarios + +EDP currently addresses these enterprise scenarios: + +- You can encrypt enterprise data on employee-owned and corporate-owned devices. + +- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data. + +- You can select specific apps that can access enterprise data, called "protected apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data. + +- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. 
+ +### Enterprise data security +As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isn’t actively using it. In this case, when the employee initially creates the content on a managed device he’s asked whether it’s a work document. If it's a work document, it becomes locally-protected as enterprise data. + +### Persistent data encryption +EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it won’t work. Outlook automatically applies EDP to the new document, keeping the data encryption in place. + +### Remotely wiping devices of enterprise data +EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer. + +In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally. + +### Protected apps and restrictions +Using EDP you can control the set of apps that are made "protected apps", or apps that can access and use your enterprise data. After you add an app to your **Protected App** list, it’s trusted to use enterprise data. 
All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode. + +As a note, your existing line-of-business apps don’t have to change to be included as protected apps. You simply have to include them in your list. + +### Great employee experiences +EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side. + +#### Using protected apps +Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your protected apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem. + +#### Copying or downloading enterprise data +Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while it’s stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device. 
+ +#### Changing the EDP protection +Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review + +### Deciding your level of data access +EDP lets you decide to block, allow overrides, or silently audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and silent just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action. + +### Helping prevent accidental data disclosure to public spaces +EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your Protected Apps list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the Protected Apps list, they also won’t be able to sync encrypted files to the user’s personal cloud. + +### Helping prevent accidental data disclosure to other devices +EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device. + +## Turn off EDP +You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. 
If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info. + +## Related topics +- [Protect your enterprise data using enterprise data protection (EDP)](../keep-secure/protect-enterprise-data-using-edp.md) + +  + +  + + + + + diff --git a/windows/whats-new/images/funfacts.png b/windows/whats-new/images/funfacts.png new file mode 100644 index 0000000000..71355ec370 Binary files /dev/null and b/windows/whats-new/images/funfacts.png differ diff --git a/windows/whats-new/images/lockscreen.png b/windows/whats-new/images/lockscreen.png new file mode 100644 index 0000000000..68c64e15ec Binary files /dev/null and b/windows/whats-new/images/lockscreen.png differ diff --git a/windows/whats-new/images/lockscreenpolicy.png b/windows/whats-new/images/lockscreenpolicy.png new file mode 100644 index 0000000000..30b6a7ae9d Binary files /dev/null and b/windows/whats-new/images/lockscreenpolicy.png differ diff --git a/windows/whats-new/images/spotlight.png b/windows/whats-new/images/spotlight.png new file mode 100644 index 0000000000..515269740b Binary files /dev/null and b/windows/whats-new/images/spotlight.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md new file mode 100644 index 0000000000..28468ba5d2 --- /dev/null +++ b/windows/whats-new/index.md 
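Review bot: in "Helping prevent accidental data disclosure to public spaces" of edp-whats-new-overview.md, OneDrive is described as "an app on your Protected Apps list" yet the document is "not synched" to the personal cloud, and the next sentence says "Likewise, if other synching apps, like Dropbox, aren't on the Protected Apps list" they cannot sync either; the two sentences contradict each other on whether OneDrive is protected. State plainly which case is meant (the personal OneDrive that is not on the list, presumably) and fix "not synched it to". In "Turn off EDP", the text says turning off reverts "with no data loss" and then that "EDP won't retain your decryption and policies info"; say whether files encrypted before the switch remain readable, since that is what an admin will want to know before disabling it. Typos: a stray ’ after "(version 1511 or later)" in the Benefits list, and the "Changing the EDP protection" paragraph is missing its final period.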
@@ -0,0 +1,126 @@ +--- +title: What's new in Windows 10 (Windows 10) +description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. +ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 +keywords: ["What's new in Windows 10", "Windows 10"] +ms.prod: W10 +author: TrudyHa +--- + +# What's new in Windows 10 + + +Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. These technical overviews are designed to help you understand key feature changes and benefits and answer common questions about Windows 10 technologies. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md)

This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

[AppLocker](applocker.md)

AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

[BitLocker](bitlocker.md)

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

[Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md)

Resources to help you explore the Windows 10 browsing options for your enterprise.

[Credential Guard](credential-guard.md)

Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

[Device Guard](device-guard-overview.md)

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.

[Enterprise data protection (EDP)](edp-whats-new-overview.md)

With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.

[Enterprise management for Windows 10 devices](device-management.md)

Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.

[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md)

Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.

[Microsoft Passport](microsoft-passport.md)

In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.

[Provisioning packages](new-provisioning-packages.md)

With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.

[Security](security.md)

There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.

[Security auditing](security-auditing.md)

Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.

[Trusted Platform Module](trusted-platform-module.md)

This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.

[User Account Control](user-account-control.md)

User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.

[Windows spotlight on the lock screen](windows-spotlight.md)

Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background.

[Windows Store for Business overview](windows-store-for-business-overview.md)

With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.

[Windows Update for Business](windows-update-for-business.md)

Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
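Review bot: the row title "Lockdown features from Windows Embedded Industry 8.1" does not match the topic it links to, whose own title (lockdown-features-windows-10.md, added in this same patch) is "Lockdown features from Windows Embedded 8.1 Industry"; use one ordering of the product name in both places. Also, the EDP row's description ("With the increase of employee-owned devices ... there's also an increasing risk of accidental data disclosure ...") states the problem rather than the feature, while every other row says what the feature does; describe EDP the way the security topic in this patch does (separating business from personal data and controlling which apps can access it and how it can be shared).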

+ +  + +## Learn more + + +[Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210) + +[Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485) + +## Related topics + + +[Windows 10 and Windows 10 Mobile](../index.md) + +  + +  + + + + + diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md new file mode 100644 index 0000000000..ad706275ab --- /dev/null +++ b/windows/whats-new/lockdown-features-windows-10.md @@ -0,0 +1,124 @@ +--- +title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 +keywords: ["lockdown", "embedded"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +--- + +# Lockdown features from Windows Embedded 8.1 Industry + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

[Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

N/A

HORM is not supported in Windows 10. However, with enhancements to the Windows boot process and Unified Extensible Firmware Interface (UEFI) hardware, startup times can be dramatically reduced compared to previous versions.

[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)

Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)

Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

+

Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

[Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

[Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

[AppLocker](../keep-secure/applocker-overview.md)

Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

+
    +
  • Control over which processes are able to run will now be provided by AppLocker.

  • +
  • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

  • +

[Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

Mobile device management (MDM) and Group Policy

Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

+

Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

+

MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

[Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)

The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

[USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

MDM and Group Policy

The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

+

Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

+

MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

+

In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

+

Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

[Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.

[Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)

No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)

No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.
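Review bot: "Unified Writer Filter" in the Windows 10 feature column is a typo for "Unified Write Filter", the name used in that row's first column and in its change description. Three more inconsistencies in the table: the HORM row says HORM "is not supported in Windows 10" while the UWF row says HORM "has been deprecated"; the Application Launcher row refers to "The Windows 8 Application Launcher" and "a Windows 8 app" where the title and the rest of the table refer to Windows Embedded 8.1 Industry / Windows 8.1; and the Custom Logon row says "No changes" even though the feature column renames it to Embedded Logon. The two kiosk how-to links, one for a Classic Windows application via Shell Launcher and one for a Universal Windows app via Assigned Access, both point at LinkId=626922, so at least one target is wrong. Finally, the Custom Logon and Unbranded Boot rows record edition applicability ("Applies only to Windows 10 Enterprise and Windows 10 Education"), but the Dialog Filter row, which hands "control over which processes are able to run" to AppLocker, does not say which Windows 10 editions support AppLocker enforcement; someone migrating a lockdown image needs that before relying on it as the replacement.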

+ +  + +  + +  + + + + + diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md new file mode 100644 index 0000000000..f50638ea29 --- /dev/null +++ b/windows/whats-new/microsoft-passport.md 
@@ -0,0 +1,56 @@ +--- +title: Microsoft Passport overview (Windows 10) +description: In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication. +ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B +keywords: ["password", "hello", "fingerprint", "iris", "biometric"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +--- + +# Microsoft Passport overview + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports [Fast ID Online (FIDO)](http://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + +Microsoft Passport also enables Windows 10 Mobile devices to be used as a remote credential when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Microsoft Passport on the user’s Windows 10 Mobile device. Because users carry their phone with them, Microsoft Passport makes implementing two-factor authentication across the enterprise less costly and complex than other solutions + +## Benefits of Microsoft Passport + + +- **User convenience**. The employee provides credentials (such as account and password, or other credentials), and is then guided to set up Microsoft Passport and Hello. 
From that point on, the employee can access enterprise resources by providing a gesture. + +- **Security**. Microsoft Passport helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Microsoft Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs). + +[Learn how to implement and manage Microsoft Passport in your organization.](../keep-secure/implement-microsoft-passport-in-your-organization.md) + +## Learn more + + +[Why a PIN is better than a password](../keep-secure/why-a-pin-is-better-than-a-password.md) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](http://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](http://go.microsoft.com/fwlink/p/?LinkId=533891) + +## Related topics + + +[Device management](device-management.md) + +  + +  + + + + + diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md new file mode 100644 index 0000000000..b389c0b3c6 --- /dev/null +++ b/windows/whats-new/new-provisioning-packages.md 
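Review bot: the "Security" bullet's reasoning is muddled. "Helps circumvent phishing and brute force attacks" should read "resist" (to circumvent is to bypass), and "helps prevent server breaches because Microsoft Passport credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of Trusted Platform Modules (TPMs)" runs three separate properties into one causal chain that does not hold as written. Suggested split: the identity provider stores only the public key, so a breach of the server does not yield a secret an attacker can reuse; sign-in is a signature over a server-supplied challenge, so a captured exchange cannot be replayed; and when the private key is generated inside the TPM it cannot be exported from the device. Also, the paragraph ending "less costly and complex than other solutions" is missing its closing period, and "credentials (such as account and password, or other credentials)" in the first bullet is redundant.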
@@ -0,0 +1,107 @@ +--- +title: Provisioning packages (Windows 10) +description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +--- + +# Provisioning packages + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. + +## Benefits of provisioning packages + + +Provisioning packages let you: + +- Quickly configure a new device without going through the process of installing a new image. + +- Save time by configuring multiple devices using one provisioning package. + +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. + +- Set up a device without the device having network connectivity. + +Provisioning packages can be: + +- Installed using removable media such as an SD card or USB flash drive. + +- Attached to an email. + +- Downloaded from a network share. + +## What you can configure + + +The following table provides some examples of what can be configured using provisioning packages. 
+ +| Customization options | Examples | +|--------------------------|-----------------------------------------------------------------------------------------------| +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into Microsoft Intune or a third-party MDM service | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | + +  + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Creating a provisioning package + + +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10[from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). + +While running ADKsetup.exe, select the following features from the **Select the features you want to install** dialog box: + +- Deployment Tools + +- Windows Preinstallation Environment (Windows PE) + +- Windows Imaging and Configuration Designer (ICD) + +- Windows User State Migration Tool (USMT) + +Windows ICD depends on other tools in order to work correctly. If you only select Windows ICD in the installation wizard, the other tools listed above will also be selected for installation. + +Once you have installed Windows ICD, you can use it to create a provisioning package. 
For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). + +## Applying a provisioning package to a device + + +Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). + +## Learn more + + +[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708) + +## Related topics + + +[Update Windows 10 images with provisioning packages](../deploy/update-windows-10-images-with-provisioning-packages.md) + +[Configure devices without MDM](../manage/configure-devices-without-mdm.md) + +  + +  + + + + + diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md new file mode 100644 index 0000000000..9d88b459f9 --- /dev/null +++ b/windows/whats-new/security-auditing.md 
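Review bot: the page says a package can be "Attached to an email" or "Downloaded from a network share" and applied by "a student or non-technical employee", and in the same table that a package can install root certification authority certificates, join a domain, push applications and bulk-enroll the device into MDM, yet it never says how the recipient tells a genuine package from a malicious one. Add a sentence on the trust model: how packages should be signed or encrypted when exported from Windows ICD and what the user is shown when applying an unsigned package, or at minimum a caution against applying packages that did not come from the organization. Separately, "Windows Assessment and Deployment Kit (ADK) for Windows 10[from the Windows Insider Program site]" is missing the space before the link, and pointing the ADK download at the Insider Program site should be checked against the released ADK location before this ships.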
@@ -0,0 +1,178 @@ +--- +title: What's new in security auditing (Windows 10) +description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. +ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# What's new in security auditing? + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. + +## New features in Windows 10, version 1511 + + +- The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. + +## New features in Windows 10 + + +In Windows 10, security auditing has added some improvements: + +- [New audit subcategories](#bkmk-auditsubcat) +- [More info added to existing audit events](#bkmk-moreinfo) + +### New audit subcategories + +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: + +- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. 
For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. + + When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. + +- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. + + Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + + A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. + +### More info added to existing audit events + +With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. 
Improvements were made to the following audit events: + +- [Changed the kernel default audit policy](#bkmk-kdal) + +- [Added a default process SACL to LSASS.exe](#bkmk-lsass) + +- [Added new fields in the logon event](#bkmk-logon) + +- [Added new fields in the process creation event](#bkmk-logon) + +- [Added new Security Account Manager events](#bkmk-sam) + +- [Added new BCD events](#bkmk-bcd) + +- [Added new PNP events](#bkmk-pnp) + +### Changed the kernel default audit policy + +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. + +### Added a default process SACL to LSASS.exe + +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. + +This can help identify attacks that steal credentials from the memory of a process. + +### New fields in the logon event + +The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: + +1. **MachineLogon** String: yes or no + + If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. + +2. **ElevatedToken** String: yes or no + + If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. + +3. 
**TargetOutboundUserName** String + + **TargetOutboundUserDomain** String + + The username and domain of the identity that was created by the LogonUser method for outbound traffic. + +4. **VirtualAccount** String: yes or no + + If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. + +5. **GroupMembership** String + + A list of all of the groups in the user's token. + +6. **RestrictedAdminMode** String: yes or no + + If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. + + For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). + +### New fields in the process creation event + +The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: + +1. **TargetUserSid** String + + The SID of the target principal. + +2. **TargetUserName** String + + The account name of the target user. + +3. **TargetDomainName** String + + The domain of the target user.. + +4. **TargetLogonId** String + + The logon ID of the target user. + +5. **ParentProcessName** String + + The name of the creator process. + +6. **ParentProcessId** String + + A pointer to the actual parent process if it's different from the creator process. + +### New Security Account Manager events + +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. 
The following APIs are now audited: + +- SamrEnumerateGroupsInDomain +- SamrEnumerateUsersInDomain +- SamrEnumerateAliasesInDomain +- SamrGetAliasMembership +- SamrLookupNamesInDomain +- SamrLookupIdsInDomain +- SamrQueryInformationUser +- SamrQueryInformationGroup +- SamrQueryInformationUserAlias +- SamrGetMembersInGroup +- SamrGetMembersInAlias +- SamrGetUserDomainPasswordInformation + +### New BCD events + +Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): + +- DEP/NEX settings +- Test signing +- PCAT SB simulation +- Debug +- Boot debug +- Integrity Services +- Disable Winload debugging menu + +### New PNP events + +Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. + +[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md). + +  + +  + + + + + diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md new file mode 100644 index 0000000000..49711ce074 --- /dev/null +++ b/windows/whats-new/security.md 
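Review bot: under "New fields in the process creation event" the opening sentence says "The logon event ID 4688 has been updated"; 4688 is the process creation event (the heading is right, the sentence was carried over from the 4624 paragraph). In the bullet list above it, "Added new fields in the process creation event" links to #bkmk-logon, the same anchor as the logon item, so it needs its own anchor. The LSASS SACL is shown as a C wide-string literal, L"S:(AU;SAFA;0x0010;;;WD)"; give the SDDL on its own and decode it for the reader: AU is an audit ACE, SA/FA audit success and failure, 0x0010 is PROCESS_VM_READ, WD is Everyone, so it records any process reading lsass.exe memory (the credential-dumping access the next sentence alludes to), surfacing as 4656/4663 object-access events once Audit Kernel Object is enabled. In the SAM API list, "SamrQueryInformationUserAlias" is not an MS-SAMR method name; SamrQueryInformationAlias is presumably intended. Also, "The domain of the target user.." has a doubled period.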
@@ -0,0 +1,257 @@ +--- +title: What's new in Windows 10 security (Windows 10) +description: There are several key client security improvements Microsoft has made in Windows 10. +ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81 +keywords: ["secure", "data loss prevention", "multifactor authentication"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: TrudyHa +--- + +# What's new in Windows 10 security + + +There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources. + +Microsoft designed the Windows 10 operating system to be the most secure version of the Windows operating system to date. To achieve this goal, Windows 10 employs advanced and now widely available hardware features to help protect users and devices against modern cyber threats. With thousands of new malware variants discovered daily and malicious hacking techniques evolving rapidly, never before has Windows client security been more important. In Windows 10, organizations can deploy new threat-resistant security features that harden the operating system in ways that can benefit Bring Your Own Device (BYOD) and corporate-owned device scenarios, as well as devices for special use cases, such as kiosks, ATMs, and point-of-sale (PoS) systems. These new threat-resistant features are modular—that is, they’re designed to be deployed together, although you can also implement them individually. With all these new features enabled together, organizations can protect themselves immediately against a majority of today’s most sophisticated threats and malware. 
+ +In addition to new, impactful threat mitigations, Windows 10 includes several improvements in built-in information protection, including a new data loss-prevention (DLP) component. These improvements allow organizations to separate business and personal data easily, define which apps have access to business data, and determine how data can be shared (for example, copy and paste). Unlike other DLP solutions, Microsoft integrated this functionality deeply into the Windows platform, offering the same type of security capabilities that container-based solutions offer but without altering such user experiences as requiring mode changes or switching applications. + +Finally, new identity-protection and access control features make it easier to implement two-factor authentication (2FA) across the entire enterprise, which empowers organizations to transition away from passwords. Windows 10 introduces Microsoft Passport, a new 2FA user credential built directly into the operating system that users can access with either a PIN or a new biometrics-driven capability called Windows Hello. Together, these technologies provide a simple logon experience for users, with the robust security of multifactor authentication (MFA). Unlike third-party multifactor solutions, Microsoft Passport is designed specifically to integrate with Microsoft Azure Active Directory (Azure AD) and hybrid Active Directory environments and requires minimal administrative configuration and maintenance. + +## Threat resistance + + +Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline. 
Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge. + +Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks. 
+ +### Virtualization-based security + +In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised. + +Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services: + +- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#config-code) section. + +- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. 
In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. + +**Note**   +To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window. + +  + +VBS provides the core framework for some of the most impactful mitigations Windows 10 offers. Having client machines within your organization that can employ this functionality is crucial to modern threat resistance. For more information about the specific hardware features that each Windows 10 feature requires, including VBS, see the [Windows 10 hardware considerations](#hardware) section. + +### Device Guard + +Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section. 
+ +Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. + +For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#config-code) section. + +New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use. Going forward, all devices will fall into one of the following three categories: + +- **Device Guard capable**. These devices will meet all the hardware requirements for Device Guard. You will still need to properly prepare devices with components that require enablement or configuration for Device Guard deployment. Device drivers on the device must be compatible with HVCI and may require updates from the original equipment manufacturer (OEM). + +- **Device Guard ready**. 
Device Guard-ready devices will come directly from the OEM with all necessary hardware components and drivers to run Device Guard. In addition, all of these components will be pre-configured and enabled, which minimizes the effort needed to deploy Device Guard. No interaction with the BIOS is necessary to deploy these devices, and you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to manage them. + +- **Not supported for Device Guard**. Many current devices cannot take advantage of all Device Guard features because they don’t have the required hardware components or HVCI-compatible drivers. However, most of these devices can enable some Device Guard features, such as configurable code integrity. + +For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). + +### Configurable code integrity + +*Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards. + +Historically, UMCI has been available only for Windows RT and Windows Phone devices, which made it difficult for attackers to infect such devices with viruses and malware. 
This reduced infection rate results from the way the operating system determines which code to execute. Natively, binaries follow a process to prove to the operating system that they are trustworthy before the operating system allows them to execute. This process is intended to restrict the execution of arbitrary code and thereby decrease the risk of malware infection. This successful trust-nothing operating system model is now available in Windows 10 through a feature called *configurable code integrity*. + +Configurable code integrity allows IT organizations to create and deploy code integrity policies that stipulate exactly which binaries can run in their environment. Administrators can manage this trust at a certification authority or publisher level down to the individual hash values for each executed binary. This level of customization allows organizations to create policies that are as restrictive as they desire. In addition, organizations can choose to provide different levels of restriction for certain types of machines. For example, fixed-workload devices such as kiosks and PoS systems would likely receive a strict policy, because their purpose is to provide the same service day after day. Administrators can manage devices that have more variable workloads, such as users’ PCs, at a higher level, providing certain software publishers’ applications for installation or aligning those devices with the organization’s software catalog. + +**Note**   +Configurable code integrity is not intended to replace technologies that allow or block programs such as AppLocker or an organization’s antivirus software. Rather, it complements such technologies by establishing a baseline of security, and then using those additional technologies to fine-tune client security. + +  + +Configurable code integrity is not limited to Windows Store applications. In fact, it is not even limited to existing signed applications. 
Windows 10 gives you a way to sign line-of-business or third-party applications without having to repackage them: you can monitor the application’s installation and initial execution to create a list of binaries called a catalog file. When created, you sign these catalog files and add the signing certificate to the code integrity policy so that those binaries contained within the catalog files are allowed to execute. Then, you can use Group Policy, Configuration Manager, or any other familiar management tool to distribute these catalog files to your client machines. Historically, most malware has been unsigned; simply by deploying code integrity policies, your organization can immediately protect itself against unsigned malware, which is responsible for most modern attacks. + +**Note**   +For detailed deployment and planning information about configurable code integrity, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). + +  + +The process to create, test, and deploy a code integrity policy is as follows: + +1. **Create a code integrity policy.** Use the Windows PowerShell cmdlet **New-CIPolicy**, available in Windows 10, to create a new code integrity policy. This cmdlet scans a PC for all listings of a specific policy level. For example, if you set the rule level to **Hash**, the cmdlet would add hash values for all discovered binaries to the policy that resulted from the scan. When you enforce and deploy the policy, this list of hash values determines exactly which binaries are allowed to run on the machines that receive the policy. Code integrity policies can contain both a kernel mode and user mode execution policy, restricting what can run in either or both modes. Finally, when created, this policy is converted to binary format so that the managed client can consume it when the policy is copied to the client’s code integrity folder. + +2. 
**Audit the code integrity policy for exceptions.** When you first create a code integrity policy, audit mode is enabled by default so that you can simulate the effect of a code integrity policy without actually blocking the execution of any binaries. Instead, policy exceptions are logged in the CodeIntegrity event log so that you can add the exceptions to the policy later. Be sure to audit any policy to discover potential issues before you deploy it. + +3. **Merge the audit results with the existing policy.** After you have audited a policy, you can use the audit events to create an additional code integrity policy. Because each machine processes just one code integrity policy, you must merge the file rules within this new code integrity policy with the original policy. To do so, run the **Merge-CIPolicy** cmdlet, which is available in Windows 10 Enterprise. + +4. **Enforce and sign the policy.** After you create, audit, and merge the resulting code integrity policies, it’s time to enforce your policy. To do so, run the **Set-RuleOption** cmdlet to remove the **Unsigned Policy** rule. When enforced, no binaries that are exceptions to the policy will be allowed to run. In addition to enforcing a policy, signed policies offer an additional level of protection. Signed code integrity policies inherently protect themselves against manipulation and deletion, even by administrators. + +5. **Deploy the code integrity policy.** When you have enforced and optionally signed your code integrity policy, it’s ready for deployment. To deploy your code integrity policies, you can use Microsoft client management technologies, mobile device management solutions, or Group Policy, or you can simply copy the file to the correct location on your client computers. For Group Policy deployment, a new administrative template is available in Windows 10 and the Windows Server 2016 operating system to simplify the deployment process. 
+ +**Note**   +Configurable code integrity is available in Windows 10 Enterprise and Windows 10 Education. + +  + +You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). + +### Measured Boot and remote attestation + +Although software-based antimalware and antivirus solutions are effective, they have no way to detect pre–operating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the client’s Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the device’s health state. + +Measured Boot uses one of TPM’s key functionalities and provides unique benefits to secure organizations. The feature can accurately and securely report the state of a machine’s trusted computing base (TCB). 
By measuring a system’s TCB, which consists of crucial startup-related security components such as firmware, the Operating System Loader, and drivers and software, the TPM can store the current device state in platform configuration registers (PCRs). When this measurement process is complete, the TPM cryptographically signs this PCR data so that Measured Boot information can be sent to either the Windows cloud-based device health attestation service or a non-Microsoft equivalent for signing or review. For example, if a company only wants to validate a computer’s BIOS information before allowing network access, PCR\[0\], which is the PCR that contains BIOS information, would be added to the policy for the attestation server to validate. This way, when the attestation server receives the manifest from the TPM, the server knows which values that PCR should contain. + +Measured Boot by itself does not prevent malware from loading during the startup process, but it does provide a TPM-protected audit log that allows a trusted remote attestation server to evaluate the PC’s startup components and determine its trustworthiness. If the remote attestation server indicates that the PC loaded an untrusted component and is therefore out of compliance, a management system can use the information for conditional access scenarios to block the PC’s access to network resources or perform other quarantine actions. + +### Improvements in Windows Defender + +For Windows 10, Microsoft has revamped Windows Defender and combined it with Microsoft System Center Endpoint Protection. Unlike with Microsoft System Center 2012 R2, there will be no System Center Endpoint Protection client to deploy to Windows 10 machines because Windows Defender is built into the operating system and enabled by default. + +In addition to simplified deployment, Windows Defender contains several improvements. 
The most important improvements to Windows Defender are: + +- **Early Launch Antimalware (ELAM) compatible.** After Secure Boot has verified that the loading operating system is trusted, ELAM can start a registered and signed antimalware application before any other operating system components. Windows Defender is compatible with ELAM. + +- **Local context for detections and centralized sensory data.** Unlike most antimalware software and previous versions of Windows Defender, Windows Defender in Windows 10 reports additional information about the context of discovered threats. This information includes the source of the content that contains the threat as well as the historical movement of the malware throughout the system. When collection is complete, Windows Defender reports this information (when users elect to enable cloud-based protection) and uses it to mitigate threats more quickly. + +- **User Account Control (UAC) integration.** Windows Defender is now closely integrated with the UAC mechanism in Windows 10. Whenever a UAC request is made, Windows Defender automatically scans the threat before prompting the user, which helps prevent users from providing elevated privileges to malware. + +- **Simplified management.** In Windows 10, you can manage Windows Defender much more easily than ever before. Manage settings through Group Policy, Intune, or Configuration Manager. + +## Information protection + + +Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Enterprise Data Protection (EDP) feature that offers DLP capability. 
This feature allows an organizations’ users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites. + +Unlike some current DLP solutions, EDP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about EDP in Windows 10, see the [Enterprise Data Protection](#enterprise) section. + +In addition to EDP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements to BitLocker](#bitlocker) section. + +### Enterprise Data Protection + +DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes an EDP feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. 
For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device. + +You can configure EDP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that EDP has incorrectly protected their personal data can modify the data’s classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The EDP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN). + +To manage EDP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about EDP, see [Enterprise data protection (EDP) overview](edp-whats-new-overview.md). + +### Improvements in BitLocker + +With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has provided an encryption solution called BitLocker directly in Windows since 2004. 
If your last encounter with BitLocker was in Windows 7, you’ll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further. + +Microsoft has made the following key improvements to BitLocker: + +- **Automatic drive encryption through Device Encryption.** By default, BitLocker is automatically enabled on clean installations of Windows 10 if the device has passed the Device Encryption Requirements test from the Windows Hardware Certification Kit. Many Windows 10–compatible PCs will meet this requirement. This version of BitLocker is called Device Encryption. Whenever devices on which Drive Encryption is enabled join your domain, the encryption keys can be escrowed in either Active Directory or MBAM. + +- **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk. + +- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md). 
+ +- **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required. + +## Identity protection and access control + + +User credentials are vital to the overall security of an organization’s domain. Until Windows 10, user name-password combinations were the primary way for a person to prove his or her identity to a machine or system. Unfortunately, passwords are easily stolen, and attackers can use them remotely to spoof a user’s identity. Some organizations deploy public key infrastructure (PKI)-based solutions, like smart cards, to address the weaknesses of passwords. Because of the complexity and costs associated with these solutions, however, they’re rarely deployed and, even when they are used, frequently used only to protect top-priority assets such as the corporate VPN. Windows 10 introduces new identity-protection and access control features that address the weaknesses of today’s solutions and can effectively remove the need for user passwords in an organization. + +Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechanism built directly into the operating system. The two factors of authentication include a combination of something you know (for example, a PIN), something you have (for example, your PC, your phone), or something about the user (for example, biometrics). With Microsoft Passport enabled, when you log on to a computer, Microsoft Passport is responsible for brokering user authentication around the network, providing the same SSO experience with which you’re familiar. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section. + +The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello. 
Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section. + +Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. + +### Microsoft Passport + +Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user. + +Microsoft Passport introduces a strong 2FA mechanism integrated directly into Windows. Many organizations use 2FA today but don’t integrate its functionality into their organization because of the expense and time required to do so. 
Therefore, most organizations use MFA only to secure VPN connections and the highest-value resources on their network, and then use traditional passwords for logon to devices and to navigate the rest of the network. Microsoft Passport is unlike these other forms of 2FA in that Microsoft designed it specifically to address the complexity, cost, and user experience challenges of traditional 2FA solutions, making it simple to deploy throughout the enterprise through existing infrastructure and devices. + +Microsoft Passport can use the biometric information from Windows Hello or a unique PIN with cryptographic signing keys stored in the device’s TPM. For organizations that don’t have an existing PKI, the TPM—or Windows, when no TPM is present—can generate and protect these keys. If your organization has an on-premises PKI or wants to deploy one, you can use certificates from the PKI to generate the keys, and then store them in the TPM. When the user has registered the device and uses Windows Hello or a PIN to log in to the device, the Microsoft Passports private key fulfills any subsequent authentication requests. Microsoft Passport combines the deployment flexibility of virtual smart cards with the robust security of physical smart cards without requiring the extra infrastructure components needed for traditional smart card deployments and hardware such as cards and readers. + +In Windows 10, the physical factor of authentication is the user’s device—either his or her PC or mobile phone. By using the new phone sign-in capability which will available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC. 
+ +### Windows Hello + +Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a user’s password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent. + +Windows Hello is the enterprise-grade biometric integration feature in Windows 10. This feature allows users to use their face, iris, or fingerprint rather than a password to authenticate. Although biometric logon capabilities have been around since the Windows XPoperating system, they have never been as easy, seamless, and secure as they are in Windows 10. In previous uses of biometrics in Windows, the operating system used the biometric information only to unlock the device; then, behind the scenes the user’s traditional password was used to access resources on the organization’s network. Also, the IT organization had to run additional software to configure the biometric devices to log in to Windows or applications. Windows Hello is integrated directly into the operating system and so doesn’t require additional software to function. However, as with any other biometrics-based login, Windows Hello requires specific hardware to function: + +- **Facial recognition.** To establish facial recognition, Windows Hello uses special infrared (IR) cameras and anti-spoofing technology to reliably tell the difference between a photograph and a living person. This requirement ensures that no one can take a person’s PC and spoof his or her identity simply by obtaining a high-definition picture. 
Many manufacturers already offer PC models that include such cameras and are therefore compatible with Windows Hello. For those machines that don’t currently include these special cameras, several external cameras are available. + +- **Fingerprint recognition.** Fingerprint sensors already exist in a large percentage of consumer and business PCs. Most of them (whether external or integrated into laptops or USB keyboards) work with Windows Hello. The detection and anti-spoofing technology available in Windows 10 is much more advanced than in previous versions of Windows, making it more difficult for attackers to deceive the operating system. + +- **Iris recognition.** Like facial recognition, iris-based recognition uses special IR cameras and anti-spoofing technology to reliably tell the difference between the user’s iris and an impostor. Iris recognition will be available in mobile devices by the end of 2016 but is also available for independent hardware vendors and OEMs to incorporate into PCs. + +With Windows Hello in conjunction with Microsoft Passport, users have the same SSO experience they would if they logged on with domain credentials: they simply use biometrics, instead. In addition, because no passwords are involved, users won’t be calling the help desk saying that they have forgotten their password. For an attacker to spoof a user’s identity, he or she would have to have physical possession of both the user and the device on which the user is set up for Windows Hello. From a privacy perspective, organizations can rest assured that the biometric data Windows Hello uses is not centrally stored; can’t be converted to images of the user’s fingerprint, face, or iris; and is designed never to leave the device. In the end, Windows Hello and Microsoft Passport can completely remove the necessity for passwords for Azure AD and hybrid Azure AD/Active Directory environments and the apps and web services that depend on them for identity services. 
For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section. + +### Credential Guard + +Pass the hash is the most commonly used derived credential attack today. This attack begins with an attacker extracting a user account’s derived credentials (hash value) from memory. Then, by using a product such as Mimikatz, the attacker reuses (passes) those credentials to other machines and resources on the network to gain additional access. Microsoft designed Credential Guard specifically to eliminate derived credential theft and abuse in pass-the-hash–type attacks. + +Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash. + +For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-security) section. + +**Note**   +Because it requires isolated user mode and a Hyper-V hypervisor, you cannot configure Credential Guard on a VM, only on a physical computer. + +  + +The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. 
For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md). + +## Windows 10 hardware considerations + + +Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements. + +Table 1. Windows 10 hardware requirements + +| Windows 10 feature | TPM | Input/output memory management unit | Virtualization extensions | SLAT | UEFI 2.3.1 | x64 architecture only | +|-------------------------------------------------|-----|-------------------------------------|---------------------------|------|------------|-----------------------| +| Credential Guard | R | N | Y | Y | Y | Y | +| Device Guard | N | Y | Y | Y | Y | Y | +| BitLocker | R | N | N | N | N | N | +| Configurable code integrity | N | N | N | N | R | R | +| Microsoft Passport | R | N | N | N | N | N | +| Windows Hello | R | N | N | N | N | N | +| VBS | N | Y | Y | Y | N | Y | +| UEFI Secure Boot | R | N | N | N | Y | N | +| Device health attestation through Measured Boot | Y\* | N | N | N | Y | Y | + +  + +\* Requires use of TPM 2.0. + +**Note**   +In this table, **R** stands for *recommended*, **Y** means that the hardware component is *required* for that Windows 10 feature, and **N** means that the hardware component is *not used* with that Windows 10 feature. 
+ +  + +## Related topics + + +[Windows 10 Specifications](http://go.microsoft.com/fwlink/p/?LinkId=717550) + +[Making Windows 10 More Personal and More Secure with Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=717551) + +[Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md) + +[BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md) + +[Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md) + +[Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md) + +  + +  + + + + + diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md new file mode 100644 index 0000000000..e1ba634071 --- /dev/null +++ b/windows/whats-new/trusted-platform-module.md 
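Review bot: in the Credential Guard section, "removing the attack vector for pass the hash" overstates the feature and contradicts the later, more accurate line "The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques." Isolating part of LSA in VBS denies the extraction step on hosts where it is enabled; it does not remove the technique, and hashes obtained elsewhere can still be replayed against hosts that accept them, so suggest aligning the first paragraph with the second, e.g. "credentials held by the isolated LSA stay protected even if the system kernel is compromised, which blocks the extraction step that pass-the-hash attacks depend on". In the same hunk, "the TPM protects credential data while the machine is running and while it's off" should say which data the TPM protects and how, since as written it is hard to reconcile with the VBS isolation described two sentences earlier. Copy fixes: "which will available to Windows Insiders" is missing "be"; "Windows XPoperating system" needs a space; "the Microsoft Passports private key" should be "Microsoft Passport's"; "a MFA option" should be "an MFA option".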
@@ -0,0 +1,60 @@ +--- +title: What's new in Trusted Platform Module (Windows 10) +description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. +ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# What's new in Trusted Platform Module? + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. + +## New features in Windows 10, version 1511 + + +- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). + +## New features in Windows 10 + + +The following sections describe the new and changed functionality in the TPM for Windows 10: + +- [Device health attestation](#bkmk-dha) +- [Microsoft Passport](microsoft-passport.md) support +- [Device Guard](device-guard-overview.md) support +- [Credential Guard](credential-guard.md) support + +## Device health attestation + + +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. + +Some things that you can check on the device are: + +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? + +**Note**  The device must be running Windows 10 and it must support at least TPM 2.0. + +  + +[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md). + +  + +  + + + + + diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md new file mode 100644 index 0000000000..464a0a7af3 --- /dev/null 
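Review bot: "srvcrypt" in "Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC)" is an undefined name and the only content under "New features in Windows 10, version 1511"; spell out or link what it refers to, and use "elliptic curve cryptography". The TPM 2.0 requirement in the note at the end of the device health attestation section is the gating requirement for the whole feature and reads better placed before the checklist of things you can check. Copy fixes: "With device heath attestation" should be "health", and "SecureBoot" should be "Secure Boot" to match "UEFI Secure Boot" in the hardware table elsewhere in this change.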
+++ b/windows/whats-new/user-account-control.md @@ -0,0 +1,36 @@ +--- +title: What's new in User Account Control (Windows 10) +description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. +ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: brianlic-msft +--- + +# What's new in User Account Control? + + +**Applies to** + +- Windows 10 + +User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. + +In Windows 10, User Account Control has added some improvements. + +## New features in Windows 10 + + +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. + +[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md). + +  + +  + + + + + diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md new file mode 100644 index 0000000000..1c0d39092e --- /dev/null +++ b/windows/whats-new/windows-spotlight.md 
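Review bot: "The AMSI scans all UAC elevation requests for malware" attributes the scanning to the interface itself; the Antimalware Scan Interface is the interface through which UAC hands elevation requests to the installed antimalware product, and it is that product that scans and decides. Suggest "UAC submits elevation requests through AMSI to the registered antimalware provider, which can block the elevation when it flags the content", and replace the vague "the admin privilege is blocked" with "the elevation request is blocked". The section should also state that the check depends on an AMSI-aware antimalware product being installed and active; otherwise readers will assume the protection is unconditional.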
@@ -0,0 +1,64 @@ +--- +title: Windows spotlight on the lock screen (Windows 10) +description: Windows spotlight is an option for the lock screen background that displays different background images on the lock screen. +ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A +keywords: ["lockscreen"] +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +--- + +# Windows spotlight on the lock screen + + +**Applies to** + +- Windows 10 + +Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background. + +## What does Windows spotlight include? + + +- **Background image** + + The Windows spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. + + ![lock screen image](images/lockscreen.png) + +- **Feature suggestions, fun facts, tips** + + The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + +## How do you turn off Windows spotlight? + + +Go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background + +![personalization background](images/spotlight.png) + +## How do you disable Windows spotlight for managed devices? + + +Windows spotlight is enabled by default. 
Administrators can replace Windows spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + +![lockscreen policy details](images/lockscreenpolicy.png) + +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. + +![fun facts](images/funfacts.png) + +## Related topics + + +[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) + +  + +  + + + + + diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md new file mode 100644 index 0000000000..9bf1212d06 --- /dev/null +++ b/windows/whats-new/windows-store-for-business-overview.md 
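Review bot: the intro says administrators "can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background", but the "How do you disable Windows spotlight for managed devices?" section only gives the Group Policy path; name the MDM policy or drop the MDM claim. That section should also state the edition scope, since the intro limits the control to Windows 10 Enterprise and Windows 10 Education while the heading is phrased for all managed devices. For the "Options" checkbox, make the two outcomes explicit: checking "Turn off fun facts, tips, tricks, and more on lock screen" stops the internet-delivered suggestions, leaving it clear keeps them even with a forced image. Minor: "downloaded on ongoing basis" needs "an".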
@@ -0,0 +1,327 @@ +--- +title: Windows Store for Business overview (Windows 10) +description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps. +ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: TrudyHa +--- + +# Windows Store for Business overview + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. + +## Features + + +Organizations of any size can benefit from using the Store for Business provides: + +- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. + +- **Bulk app acquisition** - Acquire apps in volume from the Store for Business. + +- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. + +- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices: + + - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store. 
+ + - Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images. + + - Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images. + +- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options. + +- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps. + +- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees. + +## Prerequisites + + +You'll need this software to work with the Store for Business. + +### Required + +- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. + +- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device. + +Microsoft Azure Active Directory (AD) accounts for your employees: + +- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses. + +- Employees need Azure AD account when they access Store for Business content from Windows devices. + +- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account + +- For offline-licensed apps, Azure AD accounts are not required for employees. 
+ +For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611). + +### Optional + +While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools: + +- Need to integrate with Windows 10 management framework and Azure AD. + +- Need to sync with the Store for Business inventory to distribute apps. + +## How does the Store for Business work? + + +### Sign up! + +The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization. + +For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md). + +### Set up + +After your admin signs up for the Store for Business, they can assign roles to other employees in your company. These are the roles and their permissions. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PermissionAccount settingsAcquire appsDistribute appsDevice Guard signing

Admin

X

X

X

Purchaser

X

X

Device Guard signer

X

+ +  + +In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md). + +Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business. + +### Get apps and content + +Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. For now, apps in the Store for Business are free. Over time, when paid apps are available, you’ll have more options for paying for apps. + +**App types** -- These app types are supported in the Store for Business: + +- Universal Windows Platform apps + +- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens + +Apps purchased from the Store for Business only work on Windows 10 devices. + +Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps. + +**App licensing model** + +The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. 
+ +For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model). + +### Distribute apps and content + +App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization. + +**Using the Store for Business** – Distribution options for the Store for Business: + +- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app. + +- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed. + +- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. + +**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options: + +- Scoped content distribution – Ability to scope content distribution to specific groups of employees. + +- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees. + +Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps. 
+ +For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md). + +### Manage Store for Business settings and content + +Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory. + +**Manage Store for Business settings** + +- Assign and change roles for employees or groups + +- Device Guard signing + +- Register a management server to deploy and install content + +- Manage relationships with LOB publishers + +- Manage offline licenses + +- Update the name of your private store + +**Manage inventory** + +- Assign app licenses to employees + +- Reclaim and reassign app licenses + +- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server. + +- Download apps for offline installs + +For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md). + +## Supported markets + + +Store for Business is currently available in these markets. 
+ +- Argentina + +- Australia + +- Austria + +- Belgium (Dutch, French) + +- Brazil + +- Canada (English, French) + +- Chile + +- Columbia + +- Croatia + +- Czech Republic + +- Denmark + +- Finland + +- France + +- Germany + +- Greece + +- Hong Kong SAR + +- Hungary + +- India + +- Indonesia + +- Ireland + +- Italy + +- Japan + +- Malaysia + +- Mexico + +- Netherlands + +- New Zealand + +- Norway + +- Philippines + +- Poland + +- Portugal + +- Romania + +- Russia + +- Singapore + +- Slovakia + +- South Africa + +- Spain + +- Sweden + +- Switzerland (French, German) + +- Taiwan + +- Thailand + +- Turkey + +- Ukraine + +- United Kingdom + +- United States + +- Vietnam + +## ISVs and the Store for Business + + +Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this: + +- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs. + +- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization. + +- Admin adds the app to Store for Business inventory. + +Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10. + +For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md). + +  + +  + + + + + 
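Review bot: "Device Guard signing" appears as a role permission in the table and again under "Manage Store for Business settings", but nowhere in this hunk is it explained or linked; a permission whose name implies it affects what Device Guard will trust on every managed device needs a one-sentence definition and a link to the Device Guard documentation that this PR already references elsewhere (device-guard-overview.md). The roles table is raw HTML in an otherwise markdown file; a markdown table with the three roles and four permissions would render consistently and diff cleanly. Copy fixes: "Organizations of any size can benefit from using the Store for Business provides:" is a broken sentence; "Store for Businessare" and "Store for Businesswith" are missing spaces; "Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images" has a dangling clause; "Columbia" in the markets list should be "Colombia"; and "see Working with Line-of-Business apps" in the "Get apps and content" section is plain text while the same target is linked at the end of the file.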
diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md new file mode 100644 index 0000000000..0d2dfd165d --- /dev/null +++ b/windows/whats-new/windows-update-for-business.md 
@@ -0,0 +1,49 @@ +--- +title: What's new in Windows Update for Business (Windows 10) +description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. +ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4 +ms.prod: W10 +ms.mktglfcycl: explore +ms.sitesec: library +author: TrudyHa +--- + +# What's new in Windows Update for Business? + + +**Applies to** + +- Windows 10 + +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. + +## Benefits of Windows Update for Business + + +By using [Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: + +- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). + +- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. + +- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](http://go.microsoft.com/fwlink/p/?LinkId=699281). 
+ +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx). + +## Learn more + + +[Windows Update for Business](../plan/windows-update-for-business.md) + +[Setup and deployment](../plan/setup-and-deployment.md) + +[Integration with management solutions](../plan/integration-with-management-solutions-.md) + +  + +  + + + + +
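Review bot: the link target "../plan/integration-with-management-solutions-.md" has a stray hyphen before ".md"; verify the file name, since the other two "Learn more" links follow the pattern without it. The "Benefits" section says control is exercised "By using Group Policy Objects" but names no policy; either list the relevant policies here or point explicitly at "Setup and deployment" for them. For "Peer-to-peer delivery", say whether peer-delivered update packages are still integrity-checked against Windows Update, since that is the first question a security reviewer will ask about sourcing updates from other devices on a branch network.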