diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 7c4e04d4a5..efe7a5e648 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -135,6 +135,22 @@
       "moniker_groups": [],
       "version": 0
     },
+    {
+      "docset_name": "privacy",
+      "build_source_folder": "windows/privacy",
+      "build_output_subfolder": "privacy",
+      "locale": "en-us",
+      "monikers": [],
+      "moniker_ranges": [],
+      "open_to_public_contributors": false,
+      "type_mapping": {
+        "Conceptual": "Content",
+        "ManagedReference": "Content",
+        "RestApi": "Content"
+      },
+      "build_entry_point": "docs",
+      "template_folder": "_themes"
+    },
     {
       "docset_name": "security",
       "build_source_folder": "windows/security",
@@ -460,7 +476,7 @@
     }
   ],
   "notification_subscribers": [
-    "brianlic@microsoft.com"
+    "elizapo@microsoft.com"
   ],
   "branches_to_filter": [
     ""
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 19546735ca..79fce660b9 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6185,6 +6185,11 @@
 "redirect_url": "/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions",
 "redirect_document_id": true
 },
+{
+    "source_path": "windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md",
+    "redirect_url": "/windows/configuration/setup-kiosk-digital-signage",
+    "redirect_document_id": true
+},
 {
 "source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
 "redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 2c07c79718..eae5a880c2 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -36,7 +36,6 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
 >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
 
 1. On the Windows Configuration Designer start page, select **Advanced provisioning**.
-
 2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
 
 3. Click **Next**.
@@ -68,7 +67,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
 
 6. On the **Select security details for the provisioning package**, click **Next**.
 
-    >[WARNING!]
+    >[!WARNING]
     >If you encrypt the provisioning package, provisioning the HoloLens device will fail.  
 
 7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index cc97f37aba..1ac6bbeed2 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -12,7 +12,7 @@ ms.date: 02/02/2018
 
 # Unlock Windows Holographic for Business features
 
-Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes_-_august_2016#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. 
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://docs.microsoft.com/windows/mixed-reality/commercial-features), which provides extra features designed for business. 
 
 When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
 
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 33ef0f983f..71706b04fe 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -31,7 +31,7 @@ This topic provides links to useful Surface Hub documents, such as product datas
 | [Rolling Stand Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Rolling_Stands_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) |
 | [Mounts and Stands Datasheet (PDF)](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. |
 | [Surface Hub Stand and Wall Mount Specifications (PDF)](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. |
-| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](http://download.microsoft.com/download/B/D/1/BD16D7C5-2662-4B7D-9C98-272CEB11A6F3/20160816%20SurfaceHub_Onsite%20Services%20FAQs%20FINAL.PDF) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. |
+
 
 
 
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 9b2ef8764a..1056ed9472 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
-ms.date: 09/07/2017
+ms.date: 03/16/2018
 ms.localizationpriority: medium
 ---
 
@@ -18,9 +18,13 @@ ms.localizationpriority: medium
 
 Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 
+The [Surface Hub Hardware Diagnostic tool](https://www.microsoft.com/store/p/surface-hub-hardware-diagnostic/9nblggh51f2g?rtc=1&activetab=pivot%3aoverviewtab) contains interactive tests which allow you to confirm essential functionality of your Hub is working as expected. In addition to testing hardware, the diagnostic can test the resource account to verify that it is configured properly for your environment. If problems are encountered, results can be saved and shared with the Surface Hub Support Team. For usage information, see [Using the Surface Hub Hardware Diagnostic Tool to test a device account](https://support.microsoft.com/help/4077574/using-the-surface-hub-hardware-diagnostic-tool-to-test-a-device-accoun).
+
 Common issues are listed in the following table, along with causes and possible fixes. The [Setup troubleshooting](#setup-troubleshooting) section contains a listing of on-device problems, along with several types of issues that may be encountered during the first-run experience. The [Exchange ActiveSync errors](#exchange-activesync-errors) section lists common errors the device may encounter when trying to synchronize with an Microsoft Exchange ActiveSync server.
 
 
+
+
 ## Setup troubleshooting
 
 
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index d535905d0d..0759f97b9a 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -45,26 +45,26 @@ Recent additions to the downloads for Surface devices provide you with options t
 ## Surface Book 2
 
 
-Download the following updates for Surface Book 2 from the Microsoft Download Center.
+Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261).
 * SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
 
 ## Surface Laptop
 
 
-Download the following updates for Surface Laptop from the Microsoft Download Center.
+Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489).
 * SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
 
 ## Surface Pro
 
 
-Download the following updates for Surface Pro (Model 1796) from the Microsoft Download Center.
+Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484).
 
 * SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
 
 ## Surface Pro with LTE Advanced
 
 
-Download the following updates for Surface Pro with LTE Advanced from the Microsoft Download Center.
+Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278).
 * SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
 
 ## Surface Studio
diff --git a/education/index.md b/education/index.md
index 1f982844d6..4a5f5a36ba 100644
--- a/education/index.md
+++ b/education/index.md
@@ -18,7 +18,7 @@ ms.date: 10/30/2017
                             <div class="card">
                                 <div class="cardImageOuter">
                                     <div class="cardImage">
-                                        <img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="Learn more about Microsoft Education products." />
+                                        <img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="" />
                                     </div>
                                 </div>
                                 <div class="cardText">
@@ -36,7 +36,7 @@ ms.date: 10/30/2017
                             <div class="card">
                                 <div class="cardImageOuter">
                                     <div class="cardImage">
-                                        <img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="For IT Pros: Get started with Microsoft Education" />
+                                        <img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="" />
                                     </div>
                                 </div>
                                 <div class="cardText">
@@ -54,7 +54,7 @@ ms.date: 10/30/2017
                             <div class="card">
                                 <div class="cardImageOuter">
                                     <div class="cardImage">
-                                        <img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="Test Windows 10 S for education" />
+                                        <img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="" />
                                     </div>
                                 </div>
                                 <div class="cardText">
@@ -88,7 +88,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/M365-education.svg" alt="Learn about Microsoft 365 Education" />
+                                                        <img src="images/M365-education.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -107,7 +107,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-get-started.svg" alt="For IT Pros: Get started with Microsoft Education" />
+                                                        <img src="/media/hubs/education/education-pro-get-started.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -126,7 +126,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-office365.svg" alt="Office 365 for Education" />
+                                                        <img src="/media/hubs/education/education-pro-office365.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -145,7 +145,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-intune.svg" alt="Microsoft Intune for Education" />
+                                                        <img src="/media/hubs/education/education-pro-intune.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -164,7 +164,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-windows10.svg" alt="Windows 10 for Education" />
+                                                        <img src="/media/hubs/education/education-pro-windows10.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -183,7 +183,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-school-data.svg" alt="School Data Sync" />
+                                                        <img src="/media/hubs/education/education-pro-school-data.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -202,7 +202,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-azure-directory.svg" alt="Azure Active Directory" />
+                                                        <img src="/media/hubs/education/education-pro-azure-directory.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -221,7 +221,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-store.svg" alt="Microsoft Store for Education" />
+                                                        <img src="/media/hubs/education/education-pro-store.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -240,7 +240,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-minecraft.svg" alt="Minecraft: Educaton Edition" />
+                                                        <img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -259,7 +259,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-pro-usb.svg" alt="Set up School PCs" />
+                                                        <img src="images/education-pro-usb.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -278,7 +278,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-ms-teams.svg" alt="Meet Microsoft Teams" />
+                                                        <img src="images/education-ms-teams.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -312,7 +312,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-teachers-office-help.svg" alt="Office help and training" />
+                                                        <img src="/media/hubs/education/education-teachers-office-help.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -331,7 +331,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-teachers-windows-help.svg" alt="Windows help" />
+                                                        <img src="/media/hubs/education/education-teachers-windows-help.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -350,7 +350,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-store.svg" alt="Microsoft Store for Education" />
+                                                        <img src="/media/hubs/education/education-pro-store.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -369,7 +369,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-pro-minecraft.svg" alt="Minecraft: Education Edition" />
+                                                        <img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -388,7 +388,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-teachers-educator-community.svg" alt="Microsoft Educator Community" />
+                                                        <img src="/media/hubs/education/education-teachers-educator-community.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -407,7 +407,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-ms-teams.svg" alt="Meet Microsoft Teams" />
+                                                        <img src="images/education-ms-teams.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -426,7 +426,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-pro-usb.svg" alt="Set up School PCs" />
+                                                        <img src="images/education-pro-usb.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -460,7 +460,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-students-help.svg" alt="Get started for students" />
+                                                        <img src="/media/hubs/education/education-students-help.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -479,7 +479,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-students-office-help.svg" alt="Office help and training" />
+                                                        <img src="/media/hubs/education/education-students-office-help.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -498,7 +498,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-students-windows-help.svg" alt="Windows help" />
+                                                        <img src="/media/hubs/education/education-students-windows-help.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -517,7 +517,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-students-imagine.svg" alt="Microsoft Imagine" />
+                                                        <img src="/media/hubs/education/education-students-imagine.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -551,7 +551,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-developers-uwp-apps.svg" alt="UWP apps for education" />
+                                                        <img src="/media/hubs/education/education-developers-uwp-apps.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -570,7 +570,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-developers-api-test.svg" alt="Take a Test API" />
+                                                        <img src="/media/hubs/education/education-developers-api-test.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -589,7 +589,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="/media/hubs/education/education-developers-office-education.svg" alt="Office Education Dev Center" />
+                                                        <img src="/media/hubs/education/education-developers-office-education.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -623,7 +623,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-partner-mepn-1.svg" alt="Microsoft Education Partner Network" />
+                                                        <img src="images/education-partner-mepn-1.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -642,7 +642,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-partner-aep-2.svg" alt="Authorized Education Partner home page" />
+                                                        <img src="images/education-partner-aep-2.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -661,7 +661,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-partner-directory-3.svg" alt="Authorized Education Partner directory" />
+                                                        <img src="images/education-partner-directory-3.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
@@ -680,7 +680,7 @@ ms.date: 10/30/2017
                                             <div class="card">
                                                 <div class="cardImageOuter">
                                                     <div class="cardImage bgdAccent1"> 
-                                                        <img src="images/education-partner-yammer.svg" alt="Education Partner community Yammer group" />
+                                                        <img src="images/education-partner-yammer.svg" alt="" />
                                                     </div>
                                                 </div>
                                                 <div class="cardText">
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index d1b54552d1..c827683002 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -11,7 +11,7 @@ ms.pagetype: edu
 ROBOTS: noindex,nofollow
 author: CelesteDG
 ms.author: celested
-ms.date: 01/12/2017
+ms.date: 03/18/2018
 ---
 
 # Educator Trial in a Box Guide
@@ -186,6 +186,15 @@ Bring out the best in students by providing a platform for collaborating, explor
 | <iframe width="420" height="236" src="https://www.youtube-nocookie.com/embed/hMmRud4B54o" frameborder="0" allowfullscreen></iframe></br>Watch teachers elevate the education of students using OneNote. | <iframe width="420" height="236" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe></br>Here what other teachers say about using Minecraft: Education Edition in their classrooms. |
 |  |  |
 
+## Update your apps
+
+Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations. 
+
+For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
+
+- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games)
+
+- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates)
 
 ## Get more info
 * Learn more at <a href="https://www.microsoft.com/education" target="_blank">microsoft.com/education</a>
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index bd1c4b36cd..97a8d7964f 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -11,7 +11,7 @@ ms.pagetype: edu
 ROBOTS: noindex,nofollow
 author: CelesteDG
 ms.author: celested
-ms.date: 12/11/2017
+ms.date: 03/18/2018
 ---
 
 # IT Admin Trial in a Box Guide
@@ -259,6 +259,16 @@ Follow these instructions to confirm if you configured your tenant correctly and
     3. In the **Downloads and updates** page, click **Get updates**.
 * [Try the BYOD scenario](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#connect-other-devices-to-your-cloud-infrastructure) 
 
+## Update your apps
+
+Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations. 
+
+For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
+
+- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games)
+
+- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates)
+
 
 ## Get more info
 * Learn more at <a href="https://www.microsoft.com/education" target="_blank">microsoft.com/education</a>
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
index bf520efef1..9df3ab2015 100644
--- a/education/trial-in-a-box/support-options.md
+++ b/education/trial-in-a-box/support-options.md
@@ -11,13 +11,23 @@ ms.pagetype: edu
 ROBOTS: noindex,nofollow
 author: CelesteDG
 ms.author: celested
-ms.date: 12/11/2017
+ms.date: 03/18/2018
 ---
 
 # Microsoft Education Trial in a Box Support
 Need help or have a question about using Microsoft Education? Start here.
 
-## 1. Confirm your admin contact information is current
+## 1. Update your apps
+
+Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations. 
+
+For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
+
+- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games)
+
+- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates)
+
+## 2. Confirm your admin contact information is current
 
 1. Go to the <a href="https://portal.office.com/adminportal/home" target="_blank">Office 365 admin center</a> and sign in with your Office 365 admin credentials.
 2. In the admin center dashboard, select your profile on the upper righthand corner and select **My account** from the options.
@@ -30,7 +40,7 @@ Need help or have a question about using Microsoft Education? Start here.
 
 4. Click **Save**.
 
-## 2. Request a call back
+## 3. Request a call back
 
 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.
 
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 5659364a47..fad685b3d2 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -10,7 +10,7 @@ searchScope:
   - Store
 author: trudyha
 ms.author: trudyha
-ms.date: 11/01/2017
+ms.date: 3/30/2018
 ---
 
 # Working with Microsoft Store for Education
diff --git a/education/windows/images/sfe-roles.png b/education/windows/images/sfe-roles.png
index d208fb29b7..63a9290371 100644
Binary files a/education/windows/images/sfe-roles.png and b/education/windows/images/sfe-roles.png differ
diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md
index a21a2b1440..1ab4144ac1 100644
--- a/mdop/mbam-v25/mbam-25-security-considerations.md
+++ b/mdop/mbam-v25/mbam-25-security-considerations.md
@@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL
 
 ## <a href="" id="bkmk-tpm"></a>Configure MBAM to escrow the TPM and store OwnerAuth passwords
 
-**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.  
+**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.  
 
 Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password.
 
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index ed89a40966..5bd846269f 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -15,7 +15,7 @@
 ### [Assign apps to employees](assign-apps-to-employees.md)
 ### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
 ### [Distribute offline apps](distribute-offline-apps.md)
-## [Manage apps and devices](manage-apps-microsoft-store-for-business-overview.md)
+## [Manage products and services](manage-apps-microsoft-store-for-business-overview.md)
 ### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md)
 ### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md)
 ### [Manage access to private store](manage-access-to-private-store.md)
@@ -23,6 +23,7 @@
 ### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
 ### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
 ### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
+### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md)
 ## [Device Guard signing portal](device-guard-signing-portal.md)
 ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
 ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 3ce46baf61..2228ac8f3e 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 3/19/2018
 ---
 
 # Distribute apps using your private store
@@ -47,6 +47,9 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps &
 
 The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
 
+>[!Note]
+ > If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be avilable in **Products & services** before adding it to your private store. For more information, see [Working with line of business apps](working-with-line-of-business-apps.md). 
+
 Employees can claim apps that admins added to the private store by doing the following.
 
 **To claim an app from the private store**
@@ -57,6 +60,7 @@ Employees can claim apps that admins added to the private store by doing the fol
 
 ## Related topics
 - [Manage access to private store](manage-access-to-private-store.md)
+- [Manage private store settings](manage-private-store-settings.md)
 - [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store)
 
  
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index f5ff057e17..4de95964bc 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -20,7 +20,7 @@
 ### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json)
 ### [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool?toc=/microsoft-store/education/toc.json)
 ### [Distribute offline apps](/microsoft-store/distribute-offline-apps?toc=/microsoft-store/education/toc.json)
-## [Manage apps](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
+## [Manage products and services](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
 ### [App inventory managemement for Microsoft Store for Business](/microsoft-store/app-inventory-management-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
 ### [Manage app orders in Microsoft Store for Business and Education](/microsoft-store/manage-orders-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
 ### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json)
@@ -28,6 +28,7 @@
 ### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
 ### [Manage Windows device deployment with Windows AutoPilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json)
 ### [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module?toc=/microsoft-store/education/toc.json)
+### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](/microsoft-store/manage-mpsa-software-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
 ## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json)
 ### [Add unsigned app to code integrity policy](/microsoft-store/add-unsigned-app-to-code-integrity-policy?toc=/microsoft-store/education/toc.json)
 ### [Sign code integrity policy with Device Guard signing](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing?toc=/microsoft-store/education/toc.json)
diff --git a/store-for-business/images/bank-account-icon.png b/store-for-business/images/bank-account-icon.png
new file mode 100644
index 0000000000..664f8c7a6f
Binary files /dev/null and b/store-for-business/images/bank-account-icon.png differ
diff --git a/store-for-business/images/lob-workflow.png b/store-for-business/images/lob-workflow.png
new file mode 100644
index 0000000000..954b787e6d
Binary files /dev/null and b/store-for-business/images/lob-workflow.png differ
diff --git a/store-for-business/images/skype-icon-wn.png b/store-for-business/images/skype-icon-wn.png
new file mode 100644
index 0000000000..d9819ae0ae
Binary files /dev/null and b/store-for-business/images/skype-icon-wn.png differ
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index b46f2b5e80..5f765d2f3c 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -1,6 +1,6 @@
 ---
-title: Manage apps and devices in Microsoft Store for Business (Windows 10)
-description: Manage settings and access to apps in Microsoft Store for Business.
+title: Manage products and services in Microsoft Store for Business (Windows 10)
+description: Manage apps, software, devices, products and services in Microsoft Store for Business.
 ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -18,7 +18,7 @@ ms.date: 10/17/2017
 -   Windows 10
 -   Windows 10 Mobile
 
-Manage settings and access to apps in Microsoft Store for Business and Microsoft Store for Education.
+Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**. 
 
 ## In this section
 
@@ -28,4 +28,6 @@ Manage settings and access to apps in Microsoft Store for Business and Microsoft
 | [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. |
 | [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. |
 | [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. |
-| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
\ No newline at end of file
+| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
+| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | Use PowerShell cmdlets to automate basic app license assignment.  |
+| [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | Software purchased with the Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business and Education. This allows customers to manage online software purchases in one location. |
\ No newline at end of file
diff --git a/store-for-business/manage-mpsa-software-microsoft-store-for-business.md b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md
new file mode 100644
index 0000000000..970b3c783f
--- /dev/null
+++ b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md
@@ -0,0 +1,59 @@
+---
+title: Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
+description: Software purchased under Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+ms.localizationpriority: high
+ms.date: 3/20/2018
+---
+
+# Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
+
+**Applies to**
+
+-   Windows 10
+-   Windows 10 Mobile
+
+Software purchased with the Microsoft Products and Services Agreement (MPSA) can now be managed in Microsoft Store for Business. This allows customers to manage online software purchases in one location. 
+
+There are a couple of things you might need to set up to manage MPSA software purchases in Store for Business. 
+
+**To manage MPSA software in Microsoft Store for Business** 
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then click **My Organization**.
+3. Click **Connected tenants** to see purchasing accounts and the tenants that they are connected to. 
+
+## Add tenant
+The tenant or tenants that are added to your purchasing account control how you can distribute software to people in your organization. If there isn't a tenant listed for your purchasing account, you'll need to add one before you can use or manage the software you've purchased. When we give you a list to choose from, tenants are grouped by domain. 
+
+**To add a tenant to a purchasing account**  
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then click **My Organization**.
+3. Click **Connected tenants**, and then click the ellipses for a purchasing account without a tenant listed.
+4. Click **Choose a tenant**, and then click **Submit**. 
+
+If you don't see your tenant in the list, you can add the name of your tenant
+
+**To add the name of your tenant**
+1. On **Add a tenant**, click **Don't see your tenant?**.
+2. Enter a domain name, and then click **Next**, and then click **Done**.
+
+You'll need to get permissions for the admin that manages the domain you want to add. We'll take you to Business Center Portal where you can manage permissions and roles. The admin will need to be the **Account Manager**.  
+
+## Add global admin
+In some cases, we might not have info on who the global admin is for the tenant that you select. It might be that the tenant is unmanaged, and you'll need to identify a global admin. Or, you might only need to share account info for the global admin.
+
+If you need to nominate someone to be the global admin, they need sufficient permissions:
+- someone who can distribute sofware
+- in Business Center Portal (BCP), it should be someone with **Agreement Admin** role  
+
+**To add a global admin to a tenant**
+
+We'll ask for a global admin if we need that info when you add a tenant to a purchasing account. You'd see the request for a global admin before returning to **Store for Business**. 
+
+-  On **Add a Global Admin**, click **Make me the Global Admin**, and then click **Submit**.
+-or-
+-  On **Add a Global Admin**, type a name in **Invite someone else**, and then click **Submit**.    
\ No newline at end of file
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 93d1f09234..eabd198c73 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 2/15/2018
+ms.date: 3/29/2018
 ms.localizationpriority: high
 ---
 
@@ -53,7 +53,7 @@ You can add a collection to your private store from the private store, or from t
     ![Image showing Add a Collection.](images/msfb-add-collection.png)
 
 4. Type a name for your collection, and then click **Next**.
-5. Add at least one product to your collection, and then click **Done**. 
+5. Add at least one product to your collection, and then click **Done**. You can search for apps and refine results based on the source of the app, or the supported devices.  
 
 > [!NOTE] 
 > New collections require at least one app, or they will not be created. 
@@ -64,7 +64,7 @@ You can add a collection to your private store from the private store, or from t
 3. Under **Apps & software**, choose an app you want to include in a new collection. 
 4. Under **Private Store Collections**, click **Add a collection**. 
 
-![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png)
+    ![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png)
 
 5. Type a name for your collection, and then click **Next**.
 6. Add at least one product to your collection, and then click **Done**.
@@ -78,7 +78,7 @@ If you've already added a Collection to your private store, you can easily add a
 1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click your private store.</br>
 
-![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
+    ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
 
 3. Click the ellipses next to the collection name, and click **Edit collection**. 
 4. Add or remove products from the collection, and then click **Done**. 
@@ -89,9 +89,8 @@ You can also add an app to a collection from the app details page.
 3. Under **Apps & software**, choose an app you want to include in a new collection. 
 4. Under **Private Store Collections**, turn on the collection you want to add the app to.
 
-![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png) 
+    ![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png) 
 
-<!---
 ## Private store performance
 We've recently made performance improvements for changes in the private store. This table includes common actions, and the current estimate for amount of time required for the change. 
 
@@ -103,5 +102,4 @@ We've recently made performance improvements for changes in the private store. T
 | Create a new collection | 15 minutes|
 | Edit or remove a collection | 15 minutes |
 | Create private store tab | 4-6 hours |
-| Rename private store tab | 4-6 hours |
---> 
\ No newline at end of file
+| Rename private store tab | 4-6 hours | 
\ No newline at end of file
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 0f9242807a..acc4768d86 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -22,7 +22,7 @@ Microsoft Store for Business and Education PowerShell module (preview) is now av
 > This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
 
 You can use the PowerShell module to:
-- View items you've purchased - shown in **Apps & software**
+- View items you've purchased - shown in **Products & services**
 - Manage licenses - assigning and removing
 - Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
 
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 53ac6bd262..3dd01700a4 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -282,7 +282,6 @@ Store for Business and Education is currently available in these markets.
             <li>Philippines</li>
             <li>Poland</li>
             <li>Portugal</li>
-            <li>Puerto Rico</li>
             <li>Qatar</li>
             <li>Republic of Cabo Verde</li>
             <li>Reunion</li>
@@ -358,6 +357,10 @@ Customers in these markets can use Microsoft Store for Business and Education to
 - Tajikistan
 - Ukraine 
 
+### Support to only manage products
+Customers in these markets can use Microsoft Store for Business and Education only to manage products that they've purchased from other channels. For example, they might have purchased products through Volume Licensing Service Center. However, they can't purhcase apps directly from Microsoft Store for Business and Education. 
+- Puerto Rico
+
 This table summarize what customers can purchase, depending on which Microsoft Store they are using. 
 
 | Store | Free apps | Minecraft: Education Edition |
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 705b6a6199..bbad8985d5 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 2/8/2018
+ms.date: 3/29/2018
 ---
 
 # Microsoft Store for Business and Education release history
@@ -15,6 +15,13 @@ Microsoft Store for Business and Education regularly releases new and improved f
 
 Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) 
 
+## January and February 2018
+- **One place for apps, software, and subscriptions** - The new **Products &amp; services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
+- **Create collections of apps in your private store** - Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class. [Get more info](https://docs.microsoft.com/en-us/microsoft-store/manage-private-store-settings#private-store-collections)
+- **Upgrade Office 365 trial subscription** - Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.
+- **Supporting Microsoft Product and Services Agreement customers** - If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details.
+- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. 
+
 ## December 2017
 
 - Bug fixes and permformance improvements.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 1d42371897..e5c032895c 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 3/30/2018
 ---
 
 # Roles and permissions in Microsoft Store for Business and Education
@@ -48,7 +48,7 @@ This table lists the roles and their permissions.
 |                                |  Admin | Purchaser | Device Guard signer |
 | ------------------------------ | ------ | --------  | ------------------- |
 | Assign roles                   | X      |           |                     |
-| Manage Microsoft Store for business and education settings |  X |           |                     |
+| Manage Microsoft Store for Business and Education settings |  X |           |                     |
 | Acquire apps                   | X      | X         |                     |
 | Distribute apps                | X      | X         |                     |
 | Sign policies and catalogs     | X      |           |                     |
@@ -69,7 +69,9 @@ These permissions allow people to:
 
 -   **Acquire apps** - Acquire apps from Microsoft Store and add them to your inventory.
 
--   **Distribute apps** - Distribute apps that are in your inventory. You can distribute from inventory, private store, or use a management tool.
+-   **Distribute apps** - Distribute apps that are in your inventory. 
+    - Admins can assign apps to people, add apps to the private store, or use a management tool.
+    - Purchasers can assign apps to people. 
 
 **To assign roles to people**
 
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index 457f36b96b..75ec8368a3 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
-ms.date: 10/31/2017
+ms.date: 3/29/2018
 ms.localizationpriority: high
 ---
 
@@ -18,12 +18,33 @@ ms.localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+## March 2018
+| New or changed topic | Description |
+| --- | --- |
+| [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | New |
+| [Manage private store settings](manage-private-store-settings.md) | Update for adding private store performance improvements. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+ [Roles and permissions in Microsoft Store for Business](roles-and-permissions-microsoft-store-for-business.md) | Update |
+
+## February 2018
+
+| New or changed topic | Description |
+| --- | --- |
+| [Manage private store settings](manage-private-store-settings.md) | Update for adding private store collections. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+
+## November 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+
 ## October 2017
 
 | New or changed topic | Description |
 | --- | --- |
 | [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | Update. Add profile settings with supported build info.  |
-| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
 
 ## September 2017
 
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index fd595f2771..0c4e59c682 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 2/16/2018
+ms.date: 3/29/2018
 ---
 
 # What's new in Microsoft Store for Business and Education
@@ -15,17 +15,14 @@ Microsoft Store for Business and Education regularly releases new and improved f
 
 ## Latest updates for Store for Business and Education
 
-**January &amp; February, 2018**
+**March 2018**
 
 |  |  |
 |--------------------------------------|---------------------------------|
-| ![Microsoft Store for Business Products &amp; services page.](images/product-and-service-icon.png) |**One place for apps, software, and subscriptions**<br /><br /> The new **Products &amp; services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services. This includes Apps, Software, and Subscriptions that your organization acquired or manages through Microsoft Store for Business. This change centralizes these products, but the platform changes also improve overall performance. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-| ![Private store collections](images/private-store-icon.png) |**Create collections of apps in your private store**<br /><br /> Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class.<br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-|  ![Upgrade Office 365 trial subscription.](images/office-logo.png) |**Upgrade Office 365 trial subscription**<br /><br> Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-|  ![Image showing Settings icon.](images/mpsa-link.png) |**Supporting Microsoft Product and Services Agreement customers**<br /><br>If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details. Also, we added the ability to associate your purchasing account to your tenant. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-|  ![Image showing Settings icon.](images/invite-people.png) |**Microsoft Product and Services Agreement customers can invite people to take roles**<br /><br> MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-
-
+| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+| ![Private store library icon](images/private-store-icon.png) |**Private store collection updates**<br /><br /> We’ve made it easier to find apps when creating private store collections – now you can search and filter results. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+|  ![Skype icon.](images/skype-icon-wn.png) |**Manage Skype communication credits in Microsoft Store for Business and Education**<br /><br> Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+|  ![Upgrade Office 365 trial subscription.](images/office-logo.png) |**Upgrade Office 365 trial subscription**<br /><br> Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 
 <!---
 We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
@@ -39,6 +36,13 @@ We’ve been working on bug fixes and performance improvements to provide you a
 
 ## Previous releases and updates
 
+[January &amp; February, 2018](release-history-microsoft-store-business-education.md#january-and-february-2018)
+- One place for apps, software, and subscriptions
+- Create collections of apps in your private store
+- Upgrade Office 365 trial subscription
+- Supporting Microsoft Product and Services Agreement customers
+- Microsoft Product and Services Agreement customers can invite people to take roles
+
 [December 2017](release-history-microsoft-store-business-education.md#december-2017)
 - Bug fixes and permformance improvements
 
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index d91d822b0f..0c12c3b9f9 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 3/19/2018
 ---
 
 # Working with line-of-business apps
@@ -38,8 +38,10 @@ You'll need to set up:
 -   LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](https://go.microsoft.com/fwlink/p/?LinkId=623432).
 -   LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
 
-## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
+The process and timing look like this:
+![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png)
 
+## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
 Admins need to invite developer or ISVs to become an LOB publisher.
 
 **To invite a developer to become an LOB publisher**
@@ -47,6 +49,7 @@ Admins need to invite developer or ISVs to become an LOB publisher.
 1.  Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
 2.  Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**.
 3.  On the Line-of business publishers page, click **Invite** to send an email invitation to a developer.
+ 
  >[!Note]
  > This needs to be the email address listed in contact info for the developer account.
   
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index c70689420c..447b1277d6 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -6,18 +6,18 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/19/2017
+ms.date: 03/28/2018
 ---
 
 
 # Getting Started with App-V for Windows 10
 
 **Applies to**
--   Windows 10, version 1607
+-   Windows 10
 
 Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
 
-With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you are new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. For information about what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).
+With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you are new to Windows 10 and App-V, review which versions of Windows are supported and have the necessary software preinstalled in the [App-V for Windows 10 Prerequisites](appv-prerequisites.md).
 
 If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md).
 
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index fdd42c35b8..23490f9d99 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -24,8 +24,8 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
 | [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Learn how to enable or block Windows Mixed Reality apps. |
 |[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
 | [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10  |
-|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
+|[Per User services in Windows 10](per-user-services-in-windows.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
 [Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) | Security guidelines for disabling services in Windows Server 2016 with Desktop Experience
 |[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise|
-| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile  |
+| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile  |
 [Change history for Application management](change-history-for-application-management.md) | This topic lists new and updated topics in the Application management documentation for Windows 10 and Windows 10 Mobile. 
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index c29fa0959d..b0b0610178 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -68,6 +68,8 @@
 ### [ICSPValidate](icspvalidate.md)
 ### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md)
 ## [Configuration service provider reference](configuration-service-provider-reference.md)
+### [AccountManagement CSP](accountmanagement-csp.md)
+#### [AccountManagement DDF file](accountmanagement-ddf.md)
 ### [ActiveSync CSP](activesync-csp.md)
 #### [ActiveSync DDF file](activesync-ddf-file.md)
 ### [AllJoynManagement CSP](alljoynmanagement-csp.md)
@@ -217,6 +219,7 @@
 #### [InternetExplorer](policy-csp-internetexplorer.md)
 #### [Kerberos](policy-csp-kerberos.md)
 #### [KioskBrowser](policy-csp-kioskbrowser.md)
+#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
 #### [Licensing](policy-csp-licensing.md)
 #### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
 #### [Location](policy-csp-location.md)
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
new file mode 100644
index 0000000000..f43068ab86
--- /dev/null
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -0,0 +1,62 @@
+---
+title: AccountManagement CSP
+description: Used to configure settings in the Account Manager service
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 03/23/2018
+---
+
+# AccountManagement CSP 
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
+
+> [!Note]  
+> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
+
+
+The following diagram shows the AccountManagement configuration service provider in tree format.
+
+![accountmanagement csp](images/provisioning-csp-accountmanagement.png)
+
+<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**  
+Root node for the AccountManagement configuration service provider.
+
+<a href="" id="accountmanagement-userprofilemanagemen-enableprofilemanager"></a>**UserProfileManagement**  
+Interior node. 
+
+<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**  
+Enable profile lifetime mangement for shared or communal device scenarios. Default value is false.
+
+Supported operations are Add, Get,Replace, and Delete. Value type is bool.
+
+<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**  
+Configures when profiles will be deleted. Default value is 1.
+
+Valid values:  
+
+-  0 - delete immediately when the device returns to a state with no currently active users
+-  1 - delete at storage capacity threshold
+-  2 - delete at both storage capacity threshold and profile inactivity threshold
+
+Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+
+<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**  
+Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
+
+Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+
+<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**  
+Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
+
+Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+
+<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**  
+Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30.
+
+Supported operations are Add, Get,Replace, and Delete. Value type is integer.
\ No newline at end of file
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
new file mode 100644
index 0000000000..eddb5ce0ba
--- /dev/null
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -0,0 +1,201 @@
+---
+title: AccountManagement DDF file
+description: Used to configure settings in the Account Manager service
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 03/23/2018
+---
+
+# AccountManagement DDF file 
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
+
+The XML below is for Windows 10, version 1803.
+
+``` syntax
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+      <Node>
+        <NodeName>AccountManagement</NodeName>
+        <Path>./Device/Vendor/MSFT</Path>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME>com.microsoft/1.0/MDM/AccountManagement</MIME>
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>UserProfileManagement</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>EnableProfileManager</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Add />
+                <Delete />
+                <Replace />
+              </AccessType>
+              <DefaultValue>false</DefaultValue>
+              <Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
+              <DFFormat>
+                <bool />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>Enable profile manager</DFTitle>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>DeletionPolicy</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Add />
+                <Delete />
+                <Replace />
+              </AccessType>
+              <DefaultValue>1</DefaultValue>
+              <Description>Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>Profile deletion policy</DFTitle>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>StorageCapacityStartDeletion</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Add />
+                <Delete />
+                <Replace />
+              </AccessType>
+              <DefaultValue>25</DefaultValue>
+              <Description>Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>Storage capacity threshold to start profile deletion</DFTitle>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>StorageCapacityStopDeletion</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Add />
+                <Delete />
+                <Replace />
+              </AccessType>
+              <DefaultValue>50</DefaultValue>
+              <Description>Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>Storage capacity threshold to stop profile deletion</DFTitle>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+          <Node>
+            <NodeName>ProfileInactivityThreshold</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Add />
+                <Delete />
+                <Replace />
+              </AccessType>
+              <DefaultValue>30</DefaultValue>
+              <Description>Start deleting profiles when they have not been logged on during the specified period, given as number of days.</Description>
+              <DFFormat>
+                <int />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>Profile inactive threshold</DFTitle>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+      </Node>
+</MgmtTree>
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index b08768dc86..f083dad4a1 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,20 +7,20 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/01/2018
+ms.date: 03/20/2018
 ---
 
 # AssignedAccess CSP
 
 
-The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
+The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
 
 For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
 
  In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
 
 > [!Note]
-> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
+> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
 
 The following diagram shows the AssignedAccess configuration service provider in tree format
 
@@ -30,12 +30,16 @@ The following diagram shows the AssignedAccess configuration service provider in
 Root node for the CSP.
 
 <a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**  
-A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
+A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
+
+For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
 
 > [!Note]  
-> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
+> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.  
+>
+> You cannot set both KioskModeApp and ShellLauncher at the same time on the device.
 
-In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
+Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
 
 Here's an example:
 
@@ -44,9 +48,9 @@ Here's an example:
 ```
 
 > [!Tip]  
-> In this example the double \\\ is only required because it's in json and json escapes \ into \\\\. If MDM server uses json parser\composer, they should only ask customer to type one \\, which will be \\\ in the json. If user types \\\\, it'll be \\\\\\\ in json, which is wrong. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (require) escape \\.
+> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\.
 >
-> This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string. 
+> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. 
 
 When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
 
@@ -59,11 +63,10 @@ For a local account, the domain name should be the device name. When Get is exec
 The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
 
 <a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**  
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). 
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). 
 
 > [!Note]  
 > You cannot set both KioskModeApp and Configuration at the same time on the device in Windows 10, version 1709.  
-> You cannot set both ShellLauncher and Configuration at the same time on the device.
 
 Enterprises can use this to easily configure and manage the curated lockdown experience. 
 
@@ -97,12 +100,14 @@ Additionally, the status payload includes a profileId, which can be used by the
 Supported operation is Get.
 
 <a href="" id="assignedaccess-shelllauncher"></a>**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**  
-Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema.
+Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher).
 
 > [!Note]  
-> You cannot set both ShellLauncher and Configuration at the same time on the device.
+> You cannot set both ShellLauncher and KioskModeApp at the same time on the device.
 >
-> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU.
+> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.  
+>  
+>The ShellLauncher node is not supported in Windows 10 Pro.
 
 <a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**  
 Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 5948135c19..1183e5b3d6 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -63,7 +63,7 @@ The following image shows the ClientCertificateInstall configuration service pro
 
 
 <a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**  
-<p style="margin-left: 20px">ptional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
+<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
 
 <p style="margin-left: 20px">Date type is string.
 
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 3764a9326f..85c2515f2c 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/12/2018
+ms.date: 03/23/2018
 ---
 
 # Configuration service provider reference
@@ -29,6 +29,7 @@ Footnotes:
 - 1 - Added in Windows 10, version 1607
 - 2 - Added in Windows 10, version 1703
 - 3 - Added in Windows 10, version 1709
+- 4 - Added in Windows 10, version 1803
 
 <!--StartCSPs-->
 <hr/>
@@ -36,7 +37,7 @@ Footnotes:
 ## CSP support  
 
 <!--StartCSP-->
-[APPLICATION CSP](application-csp.md)  
+[AccountManagement CSP](accountmanagement-csp.md)  
 
 <!--StartSKU-->
 <table>
@@ -50,13 +51,13 @@ Footnotes:
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 
@@ -119,6 +120,34 @@ Footnotes:
 <!--EndSKU-->
 <!--EndCSP-->
 
+<!--StartCSP-->
+[APPLICATION CSP](application-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [AppLocker CSP](applocker-csp.md)  
 
@@ -2509,7 +2538,8 @@ Footnotes:
  Footnotes: 
 - 1 - Added in Windows 10, version 1607
 - 2 - Added in Windows 10, version 1703  
-- 3 - Added in Windows 10, version 1803  
+- 3 - Added in Windows 10, version 1709
+- 4 - Added in Windows 10, version 1803
 
 ## CSP DDF files download
 
@@ -2527,6 +2557,7 @@ The following list shows the configuration service providers supported in Window
 
 | Configuration service provider        | Windows Holographic edition      | Windows Holographic for Business edition |
 |--------|--------|------------|
+| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)3       |
 | [Application CSP](application-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
 | [AppLocker CSP](applocker-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
 | [CertificateStore CSP](certificatestore-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)|
@@ -2535,7 +2566,6 @@ The following list shows the configuration service providers supported in Window
 | [DeveloperSetup CSP](developersetup-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2   (Provisioning only)|
 | [DeviceStatus CSP](devicestatus-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)  |
 | [DevInfo CSP](devinfo-csp.md)  | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
-| [DiagnosticLog CSP](diagnosticlog-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)    |
 | [DMAcc CSP](dmacc-csp.md)      | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
 | [DMClient CSP](dmclient-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
 | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
@@ -2550,30 +2580,11 @@ The following list shows the configuration service providers supported in Window
 
 Footnotes: 
 - 2 - Added in Windows 10, version 1703
-
-## <a href="" id="newcsps"></a>New CSPs added in Windows 10, version 1703
-
--   [BitLocker CSP](bitlocker-csp.md)
--   [CleanPC CSP](cleanpc-csp.md)
--   [DeveloperSetup CSP](developersetup-csp.md)
--   [DynamicManagement CSP](dynamicmanagement-csp.md)
--   [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
--   [Messaging CSP](messaging-csp.md)
--   [NetworkProxy CSP](networkproxy-csp.md)
--   [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
--   [Office CSP](office-csp.md)
--   [Personalization CSP](personalization-csp.md)
-
-## <a href="" id="newcsps"></a>New CSPs added in Windows 10, version 1511
-
--   [AllJoynManagement CSP](alljoynmanagement-csp.md)
--   [Maps CSP](maps-csp.md)
--   [Reporting CSP](reporting-csp.md)
--   [SurfaceHub CSP](surfacehub-csp.md)
--   [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
+- 3 - Added in Windows 10, version 1803
 
 ## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub
 
+-   [AccountManagement CSP](accountmanagement-csp.md)
 -   [APPLICATION CSP](application-csp.md)
 -   [CertificateStore CSP](certificatestore-csp.md)
 -   [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
@@ -2632,6 +2643,8 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
 - [CellularSettings CSP](cellularsettings-csp.md)
 - [CertificateStore CSP](certificatestore-csp.md)
 - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
+- [CMPolicy CSP](cmpolicy-csp.md)
+- [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
 - [CM_CellularEntries CSP](cm-cellularentries-csp.md)
 - [Defender CSP](defender-csp.md)
 - [DevDetail CSP](devdetail-csp.md)
@@ -2641,6 +2654,8 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
 - [DiagnosticLog CSP](diagnosticlog-csp.md)
 - [DMAcc CSP](dmacc-csp.md)
 - [DMClient CSP](dmclient-csp.md)
+- [eUICCs CSP](euiccs-csp.md)
+- [Firewall CSP](firewall-csp.md)
 - [EMAIL2 CSP](email2-csp.md)
 - [EnterpriseAPN CSP](enterpriseapn-csp.md)
 - [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
@@ -2670,4 +2685,5 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
 - [WiFi CSP](wifi-csp.md)
 - [Win32AppInventory CSP](win32appinventory-csp.md)
 - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
+- [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
 - [WindowsLicensing CSP](windowslicensing-csp.md)
diff --git a/windows/client-management/mdm/images/provisioning-csp-accountmanagement.png b/windows/client-management/mdm/images/provisioning-csp-accountmanagement.png
new file mode 100644
index 0000000000..1475cb600f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-accountmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index 8a01ad0dff..69effac5fd 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png b/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png
index 7a3f671955..68672472c3 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png and b/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png differ
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 9467b896ff..5453323c70 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 02/27/2018
+ms.date: 03/22/2018
 ---
 
 # MultiSIM CSP 
@@ -30,9 +30,13 @@ Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem
 <a href="" id="modemid"></a>**_ModemID_/Identifier**  
 Modem ID.
 
+Supported operation is Get. Value type is string.
+
 <a href="" id="tbd"></a>**_ModemID_/IsEmbedded**  
 Indicates whether this modem is embedded or external.
 
+Supported operation is Get. Value type is bool.
+
 <a href="" id="tbd"></a>**_ModemID_/Slots**  
 Represents all SIM slots in the Modem.
 
@@ -42,17 +46,110 @@ Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format i
 <a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/Identifier**  
 Slot ID.
 
+Supported operation is Get. Value type is integer.
+
 <a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/IsEmbedded**  
 Indicates whether this Slot is embedded or a physical SIM slot.
 
+Supported operation is Get. Value type is bool.
+
 <a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/IsSelected**  
 Indicates whether this Slot is selected or not.
 
+Supported operation is Get and Replace. Value type is bool.
+
 <a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/State**  
 Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
 
+Supported operation is Get. Value type is integer.
+
 <a href="" id="tbd"></a>**_ModemID_/Policies**  
 Policies associated with the Modem.
 
 <a href="" id="tbd"></a>**_ModemID_/Policies/SlotSelectionEnabled**  
-Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
\ No newline at end of file
+Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
+
+Supported operation is Get and Replace. Value type is bool.
+
+## Examples
+
+Get modem
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Get>
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>
+            ./Vendor/MSFT/MultiSIM
+          </LocURI>
+        </Target>
+      </Item>
+    </Get>
+    <Final/> 
+  </SyncBody>
+</SyncML>
+```
+
+Get slots
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Get>
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>
+            ./Vendor/MSFT/MultiSIM/Embedded/Slots
+          </LocURI>
+        </Target>
+      </Item>
+    </Get>
+    <Final/> 
+  </SyncBody>
+</SyncML>
+```
+
+Get slot state
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Get>
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>
+            ./Vendor/MSFT/MultiSIM/Embedded/Slots/Embedded/State
+          </LocURI>
+        </Target>
+      </Item>
+    </Get>
+    <Final/> 
+  </SyncBody>
+</SyncML>
+```
+
+Select slot
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Replace>
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>
+            ./Vendor/MSFT/MultiSIM/Embedded/Slots/0/IsSelected
+          </LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">bool</Format>
+          <Type>text/plain</Type>
+        </Meta>
+        <Data>true</Data>
+      </Item>
+    </Replace>
+    <Final/> 
+  </SyncBody>
+</SyncML>
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 375d058557..a7eeb7a2b0 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/03/2018
+ms.date: 03/23/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -30,6 +30,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 -   [What's new in Windows 10, version 1607](#whatsnew1607)
 -   [What's new in Windows 10, version 1703](#whatsnew10)
 -   [What's new in Windows 10, version 1709](#whatsnew1709)
+-   [What's new in Windows 10, version 1803](#whatsnew1803)
 -   [Change history in MDM documentation](#change-history-in-mdm-documentation)
 -   [Breaking changes and known issues](#breaking-changes-and-known-issues)
     -   [Get command inside an atomic command is not supported](#getcommand)
@@ -1124,6 +1125,224 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 </tbody>
 </table>
 
+## <a href="" id="whatsnew1803"></a>What's new in Windows 10, version 1803
+
+<table class="mx-tdBreakAll">
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>New or updated topic</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
+<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
+<ul>
+<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration</li>
+<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold</li>
+<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter</li>
+<li>ApplicationDefaults/EnableAppUriHandlers</li>
+<li>ApplicationManagement/MSIAllowUserControlOverInstall</li>
+<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</li>
+<li>Browser/AllowConfigurationUpdateForBooksLibrary</li>
+<li>Browser/AlwaysEnableBooksLibrary</li>
+<li>Browser/EnableExtendedBooksTelemetry</li>
+<li>Browser/UseSharedFolderForBooks</li>
+<li>Connectivity/AllowPhonePCLinking</li>
+<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp</li>
+<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp</li>
+<li>DeliveryOptimization/DOGroupIdSource</li>
+<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth</li>
+<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth</li>
+<li>DeliveryOptimization/DORestrictPeerSelectionBy</li>
+<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth</li>
+<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth</li>
+<li>Display/DisablePerProcessDpiForApps</li>
+<li>Display/EnablePerProcessDpi</li>
+<li>Display/EnablePerProcessDpiForApps</li>
+<li>Experience/AllowWindowsSpotlightOnSettings</li>
+<li>KioskBrowser/BlockedUrlExceptions</li>
+<li>KioskBrowser/BlockedUrls</li>
+<li>KioskBrowser/DefaultURL</li>
+<li>KioskBrowser/EnableHomeButton</li>
+<li>KioskBrowser/EnableNavigationButtons</li>
+<li>KioskBrowser/RestartOnIdleTime</li>
+<li>LanmanWorkstation/EnableInsecureGuestLogons</li>
+<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li> 
+<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li> 
+<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li> 
+<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li> 
+<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li> 
+<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li> 
+<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li> 
+<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li> 
+<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li> 
+<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li> 
+<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li> 
+<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li> 
+<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</li> 
+<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li> 
+<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li> 
+<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li> 
+<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li> 
+<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li> 
+<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li> 
+<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li> 
+<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li> 
+<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li> 
+<li>RestrictedGroups/ConfigureGroupMembership</li>
+<li>Search/AllowCortanaInAAD</li>
+<li>Search/DoNotUseWebResults</li>
+<li>Security/ConfigureWindowsPasswords</li>
+<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally</li>
+<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode</li>
+<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode</li>
+<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</li>
+<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</li>
+<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</li>
+<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</li>
+<li>TaskScheduler/EnableXboxGameSaveTask</li>
+<li>TextInput/AllowHardwareKeyboardTextSuggestions</li>
+<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</li>
+<li>TextInput/ForceTouchKeyboardDockedState</li>
+<li>TextInput/TouchKeyboardDictationButtonAvailability</li>
+<li>TextInput/TouchKeyboardEmojiButtonAvailability</li>
+<li>TextInput/TouchKeyboardFullModeAvailability</li>
+<li>TextInput/TouchKeyboardHandwritingModeAvailability</li>
+<li>TextInput/TouchKeyboardNarrowModeAvailability</li>
+<li>TextInput/TouchKeyboardSplitModeAvailability</li>
+<li>TextInput/TouchKeyboardWideModeAvailability</li>
+<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
+<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
+<li>UserRights/AccessFromNetwork</li>
+<li>UserRights/ActAsPartOfTheOperatingSystem</li> 
+<li>UserRights/AllowLocalLogOn</li> 
+<li>UserRights/BackupFilesAndDirectories</li> 
+<li>UserRights/ChangeSystemTime</li> 
+<li>UserRights/CreateGlobalObjects</li> 
+<li>UserRights/CreatePageFile</li> 
+<li>UserRights/CreatePermanentSharedObjects</li> 
+<li>UserRights/CreateSymbolicLinks</li> 
+<li>UserRights/CreateToken</li> 
+<li>UserRights/DebugPrograms</li> 
+<li>UserRights/DenyAccessFromNetwork</li> 
+<li>UserRights/DenyLocalLogOn</li> 
+<li>UserRights/DenyRemoteDesktopServicesLogOn</li> 
+<li>UserRights/EnableDelegation</li> 
+<li>UserRights/GenerateSecurityAudits</li> 
+<li>UserRights/ImpersonateClient</li> 
+<li>UserRights/IncreaseSchedulingPriority</li> 
+<li>UserRights/LoadUnloadDeviceDrivers</li> 
+<li>UserRights/LockMemory</li> 
+<li>UserRights/ManageAuditingAndSecurityLog</li> 
+<li>UserRights/ManageVolume</li> 
+<li>UserRights/ModifyFirmwareEnvironment</li> 
+<li>UserRights/ModifyObjectLabel</li> 
+<li>UserRights/ProfileSingleProcess</li> 
+<li>UserRights/RemoteShutdown</li> 
+<li>UserRights/RestoreFilesAndDirectories</li> 
+<li>UserRights/TakeOwnership</li>
+<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI</li>
+<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</li>
+<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</li>
+<li>WindowsDefenderSecurityCenter/HideSecureBoot</li>
+<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li> 
+</ul>
+<p>Security/RequireDeviceEncrption - updated to show it is supported in desktop.</p>
+</tr>
+<tr class="odd">
+<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
+<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
+<td style="vertical-align:top"><p>Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
+<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:</p>
+<ul>
+<li>AADSendDeviceToken</li>
+<li>BlockInStatusPage</li>
+<li>AllowCollectLogsButton</li>
+<li>CustomErrorText</li>
+<li>SkipDeviceStatusPage</li>
+<li>SkipUserStatusPage</li>
+</ul>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
+<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[UEFI CSP](uefi-csp.md)</td>
+<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[Update CSP](update-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
+<ul>
+<li>Rollback</li>
+<li>Rollback/FeatureUpdate</li>
+<li>Rollback/QualityUpdateStatus</li>
+<li>Rollback/FeatureUpdateStatus</li>
+</ul>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
+<ul>
+<li>Status</li>
+<li>ShellLauncher</li>
+<li>StatusConfiguration</li>
+</ul>
+<p>Updated the AssigneAccessConfiguration schema.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
+<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
+<ul>
+<li>MaintainProcessorArchitectureOnUpdate</li>
+</ul>
+</td></tr>
+<tr>
+<td style="vertical-align:top">[eUICCs CSP](euiccs-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
+<ul>
+<li>IsEnabled</li>
+</ul>
+</td></tr>
+<tr>
+<td style="vertical-align:top">[DeviceStatus CSP](devicestatus-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
+<ul>
+<li>OS/Mode</li>
+</ul>
+</td></tr>
+<tr>
+<<<<<<< HEAD
+<td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td>
+<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
+=======
+<td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
+<ul>
+<li>UntrustedCertificates</li>
+</ul>
+>>>>>>> 2aa0839b99c52229c7cf43d58f467019b1284a6a
+</td></tr>
+</tbody>
+</table>
+
 ## Breaking changes and known issues
 
 ### <a href="" id="getcommand"></a>Get command inside an atomic command is not supported
@@ -1425,6 +1644,51 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)</li>
 </ul>
 </td></tr>
+<tr>
+<td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td>
+<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
+</td></tr>
+<tr>
+<td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
+<ul>
+<li>UntrustedCertificates</li>
+</ul>
+</td></tr>
+<tr>
+<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
+<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
+<ul>
+<li>ApplicationDefaults/EnableAppUriHandlers</li>
+<li>ApplicationManagement/MSIAllowUserControlOverInstall</li>
+<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</li>
+<li>Connectivity/AllowPhonePCLinking</li>
+<li>Notifications/DisallowCloudNotification</li>
+<li>Notifications/DisallowTileNotification</li>
+<li>RestrictedGroups/ConfigureGroupMembership</li>
+</ul>
+<p>The following existing policies were updated:</p>
+<ul>
+<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML</li>
+<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.</li>
+</ul>
+<p>Added a new section:</p>
+<ul>
+<li>[Policies supported by GP](policy-configuration-service-provider.md#policies-supported-by-gp) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.</li>
+</ul>
+</td></tr>
+<tr>
+<td style="vertical-align:top">[Policy CSP - Bluetooth](policy-csp-bluetooth.md)</td>
+<td style="vertical-align:top"><p>Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).</p>
+</td></tr>
+<tr>
+<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
+<td style="vertical-align:top"><p>Added SyncML examples and updated the settings descriptions.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
+<td style="vertical-align:top"><p>Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.</p>
+</td></tr>
 </tbody>
 </table>
 
@@ -1532,14 +1796,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li> 
 <li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li> 
 <li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li> 
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li> 
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li> 
-<li>LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</li> 
-<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li> 
-<li>LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</li> 
-<li>LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</li> 
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li> 
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li> 
@@ -1550,10 +1807,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</li> 
 <li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li> 
 <li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li> 
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li> 
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li> 
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li> 
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li> 
 <li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li> 
 <li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li> 
 <li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li> 
@@ -1637,16 +1892,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </ul>
 </td></tr>
 <tr class="odd">
-<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
-<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
-<ul>
-<li>AutomaticRedeployment</li>
-<li>doAutomaticRedeployment</li>
-<li>LastError</li>
-<li>Status</li>
-</ul>
-</td></tr>
-<tr class="odd">
 <td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
 <td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
 </td></tr>
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index c94b2fe9d3..3abd56fb99 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/05/2018
+ms.date: 03/16/2018
 ---
 
 # Policy CSP
@@ -193,6 +193,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration" id="applicationdefaults-defaultassociationsconfiguration">ApplicationDefaults/DefaultAssociationsConfiguration</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers" id="applicationdefaults-enableappurihandlers">ApplicationDefaults/EnableAppUriHandlers</a>
+  </dd>
 </dl>
 
 ### ApplicationManagement policies
@@ -222,6 +225,12 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps" id="applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall" id="applicationmanagement-msiallowusercontroloverinstall">ApplicationManagement/MSIAllowUserControlOverInstall</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges" id="applicationmanagement-msialwaysinstallwithelevatedprivileges">ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</a>
+  </dd>
   <dd>
     <a href="./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly" id="applicationmanagement-requireprivatestoreonly">ApplicationManagement/RequirePrivateStoreOnly</a>
   </dd>
@@ -570,6 +579,9 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-connectivity.md#connectivity-allownfc" id="connectivity-allownfc">Connectivity/AllowNFC</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-connectivity.md#connectivity-allowphonepclinking" id="connectivity-allowphonepclinking">Connectivity/AllowPhonePCLinking</a>
+  </dd>
   <dd>
     <a href="./policy-csp-connectivity.md#connectivity-allowusbconnection" id="connectivity-allowusbconnection">Connectivity/AllowUSBConnection</a>
   </dd>
@@ -1903,6 +1915,14 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### LanmanWorkstation  policies
+
+<dl>
+  <dd>
+    <a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
+  </dd>
+</dl>
+
 ### Licensing policies
 
 <dl>
@@ -2064,9 +2084,15 @@ The following diagram shows the Policy configuration service provider in tree fo
 ### Notifications policies
 
 <dl>
+  <dd>
+    <a href="./policy-csp-notifications.md#notifications-disallowcloudnotification" id="notifications-disallowcloudnotification">Notifications/DisallowCloudNotification</a>
+  </dd>
   <dd>
     <a href="./policy-csp-notifications.md#notifications-disallownotificationmirroring" id="notifications-disallownotificationmirroring">Notifications/DisallowNotificationMirroring</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-notifications.md#notifications-disallowtilenotification" id="notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
+  </dd>
 </dl>
 
 ### Power policies
@@ -4119,9 +4145,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
 -   [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
 -   [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
--   [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
--   [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
--   [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
@@ -4445,72 +4468,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
 -   [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
 
-<!--StartIoTCore-->
-## <a href="" id="iotcore"></a>Policies supported by IoT Core  
-
--   [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)  
--   [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)  
--   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)  
--   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)  
--   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)  
--   [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)  
--   [Browser/AllowAutofill](#browser-allowautofill)  
--   [Browser/AllowBrowser](#browser-allowbrowser)  
--   [Browser/AllowCookies](#browser-allowcookies)  
--   [Browser/AllowDoNotTrack](#browser-allowdonottrack)  
--   [Browser/AllowInPrivate](#browser-allowinprivate)  
--   [Browser/AllowPasswordManager](#browser-allowpasswordmanager)  
--   [Browser/AllowPopups](#browser-allowpopups)  
--   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)  
--   [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)  
--   [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)  
--   [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)  
--   [Camera/AllowCamera](#camera-allowcamera)  
--   [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)  
--   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
--   [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)  
--   [Connectivity/AllowNFC](#connectivity-allownfc)  
--   [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)  
--   [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)  
--   [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)  
--   [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)  
--   [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)  
--   [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)  
--   [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)  
--   [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)  
--   [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)  
--   [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)  
--   [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)  
--   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
--   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
--   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
--   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
--   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
--   [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)  
--   [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)  
--   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
--   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)  
--   [System/AllowEmbeddedMode](#system-allowembeddedmode)  
--   [System/AllowFontProviders](#system-allowfontproviders)  
--   [System/AllowStorageCard](#system-allowstoragecard)  
--   [System/TelemetryProxy](#system-telemetryproxy)  
--   [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)  
--   [Update/AllowUpdateService](#update-allowupdateservice)  
--   [Update/PauseDeferrals](#update-pausedeferrals)  
--   [Update/RequireDeferUpgrade](#update-requiredeferupgrade)  
--   [Update/RequireUpdateApproval](#update-requireupdateapproval)  
--   [Update/ScheduledInstallDay](#update-scheduledinstallday)  
--   [Update/ScheduledInstallTime](#update-scheduledinstalltime)  
--   [Update/UpdateServiceUrl](#update-updateserviceurl)  
--   [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)  
--   [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)  
--   [Wifi/AllowWiFi](#wifi-allowwifi)  
--   [Wifi/WLANScanMode](#wifi-wlanscanmode)  
-<!--EndIoTCore-->
-
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Policies supported by Windows Holographic for Business  
 
@@ -4534,14 +4491,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Experience/AllowCortana](#experience-allowcortana)  
 -   [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)  
 -   [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)  
--   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
--   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
--   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
--   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
--   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
 -   [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)  
 -   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
 -   [Settings/AllowDateTime](#settings-allowdatetime)  
@@ -4555,125 +4504,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Update/UpdateServiceUrl](#update-updateserviceurl)  
 <!--EndHoloLens-->
 
-<!--StartSurfaceHub-->
-## <a href="" id="surfacehubpolicies"></a>Policies supported by Microsoft Surface Hub  
-  
--   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)  
--   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)  
--   [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)  
--   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)  
--   [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)  
--   [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)  
--   [Browser/AllowCookies](#browser-allowcookies)  
--   [Browser/AllowDeveloperTools](#browser-allowdevelopertools)  
--   [Browser/AllowDoNotTrack](#browser-allowdonottrack)  
--   [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)  
--   [Browser/AllowPopups](#browser-allowpopups)  
--   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)  
--   [Browser/AllowSmartScreen](#browser-allowsmartscreen)  
--   [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)  
--   [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)  
--   [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)  
--   [Browser/HomePages](#browser-homepages)  
--   [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)  
--   [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)  
--   [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)  
--   [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)  
--   [Camera/AllowCamera](#camera-allowcamera)  
--   [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)  
--   [ConfigOperations/ADMXInstall](#configoperations-admxinstall)  
--   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
--   [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)  
--   [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)  
--   [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)  
--   [Defender/AllowArchiveScanning](#defender-allowarchivescanning)  
--   [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)  
--   [Defender/AllowCloudProtection](#defender-allowcloudprotection)  
--   [Defender/AllowEmailScanning](#defender-allowemailscanning)  
--   [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)  
--   [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)  
--   [Defender/AllowIOAVProtection](#defender-allowioavprotection)  
--   [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)  
--   [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)  
--   [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)  
--   [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)  
--   [Defender/AllowScriptScanning](#defender-allowscriptscanning)  
--   [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)  
--   [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)  
--   [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)  
--   [Defender/ExcludedExtensions](#defender-excludedextensions)  
--   [Defender/ExcludedPaths](#defender-excludedpaths)  
--   [Defender/ExcludedProcesses](#defender-excludedprocesses)  
--   [Defender/PUAProtection](#defender-puaprotection)  
--   [Defender/RealTimeScanDirection](#defender-realtimescandirection)  
--   [Defender/ScanParameter](#defender-scanparameter)  
--   [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)  
--   [Defender/ScheduleScanDay](#defender-schedulescanday)  
--   [Defender/ScheduleScanTime](#defender-schedulescantime)  
--   [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)  
--   [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)  
--   [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)  
--   [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)  
--   [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)  
--   [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)  
--   [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)  
--   [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)  
--   [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)  
--   [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)  
--   [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)  
--   [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)  
--   [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)  
--   [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)  
--   [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)  
--   [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)  
--   [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)  
--   [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)  
--   [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)  
--   [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)  
--   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
--   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
--   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
--   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
--   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
--   [Privacy/PublishUserActivities](#privacy-publishuseractivities)  
--   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)  
--   [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)  
--   [Start/StartLayout](#start-startlayout)
--   [System/AllowFontProviders](#system-allowfontproviders)  
--   [System/AllowLocation](#system-allowlocation)  
--   [System/AllowTelemetry](#system-allowtelemetry)  
--   [TextInput/AllowIMELogging](#textinput-allowimelogging)  
--   [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)  
--   [TextInput/AllowInputPanel](#textinput-allowinputpanel)  
--   [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)  
--   [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)  
--   [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)  
--   [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)  
--   [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)  
--   [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)  
--   [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)  
--   [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)  
--   [Update/AllowAutoUpdate](#update-allowautoupdate)  
--   [Update/AllowUpdateService](#update-allowupdateservice)  
--   [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)  
--   [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)  
--   [Update/BranchReadinessLevel](#update-branchreadinesslevel)  
--   [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)  
--   [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)  
--   [Update/DetectionFrequency](#update-detectionfrequency)  
--   [Update/PauseFeatureUpdates](#update-pausefeatureupdates)  
--   [Update/PauseQualityUpdates](#update-pausequalityupdates)  
--   [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)  
--   [Update/ScheduleRestartWarning](#update-schedulerestartwarning)  
--   [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)  
--   [Update/UpdateServiceUrl](#update-updateserviceurl)  
--   [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)  
--   [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)  
-<!--EndSurfaceHub-->
-
 <!--StartEAS-->
 ## <a href="" id="eas"></a>Policies that can be set using Exchange Active Sync (EAS)  
 
@@ -4701,7 +4531,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [Wifi/AllowWiFi](#wifi-allowwifi)  
 <!--EndEAS-->
 
-
 ## Examples
 
 Set the minimum password length to 4 characters.
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 5aaf01d6fb..774334df19 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -11,6 +11,8 @@ ms.date: 03/12/2018
 
 # Policy CSP - ApplicationDefaults
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 
 <hr/>
@@ -22,6 +24,9 @@ ms.date: 03/12/2018
   <dd>
     <a href="#applicationdefaults-defaultassociationsconfiguration">ApplicationDefaults/DefaultAssociationsConfiguration</a>
   </dd>
+  <dd>
+    <a href="#applicationdefaults-enableappurihandlers">ApplicationDefaults/EnableAppUriHandlers</a>
+  </dd>
 </dl>
 
 
@@ -132,6 +137,73 @@ Here is the SyncMl example:
 
 <!--/Example-->
 <!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="applicationdefaults-enableappurihandlers"></a>**ApplicationDefaults/EnableAppUriHandlers**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
+
+Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.
+
+Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.
+
+If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Configure web-to-app linking with app URI handlers*
+-   GP name: *EnableAppUriHandlers*
+-   GP ADMX file name: *GroupPolicy.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
 <hr/>
 
 Footnote:
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 47b9d1e09d..4abd17e1d1 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -11,6 +11,8 @@ ms.date: 03/12/2018
 
 # Policy CSP - ApplicationManagement
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 
 <hr/>
@@ -43,6 +45,12 @@ ms.date: 03/12/2018
   <dd>
     <a href="#applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
   </dd>
+  <dd>
+    <a href="#applicationmanagement-msiallowusercontroloverinstall">ApplicationManagement/MSIAllowUserControlOverInstall</a>
+  </dd>
+  <dd>
+    <a href="#applicationmanagement-msialwaysinstallwithelevatedprivileges">ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</a>
+  </dd>
   <dd>
     <a href="#applicationmanagement-requireprivatestoreonly">ApplicationManagement/RequirePrivateStoreOnly</a>
   </dd>
@@ -538,6 +546,144 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="applicationmanagement-msiallowusercontroloverinstall"></a>**ApplicationManagement/MSIAllowUserControlOverInstall**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators.
+
+If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
+
+If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.
+
+If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.
+
+This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Allow user control over installs*
+-   GP name: *EnableUserControl*
+-   GP ADMX file name: *MSI.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="applicationmanagement-msialwaysinstallwithelevatedprivileges"></a>**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.
+
+If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
+
+If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
+
+Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
+
+Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure.
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Always install with elevated privileges*
+-   GP name: *AlwaysInstallElevated*
+-   GP ADMX file name: *MSI.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="applicationmanagement-requireprivatestoreonly"></a>**ApplicationManagement/RequirePrivateStoreOnly**  
 
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index fb08f30dc0..7c004110fe 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -282,7 +282,7 @@ If this policy is not set or it is deleted, the default local radio name is used
 <!--Description-->
 Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
 
-The default value is an empty string.
+The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide)
 
 <!--/Description-->
 <!--/Policy-->
@@ -297,6 +297,95 @@ Footnote:
 
 <!--/Policies-->
 
+## ServicesAllowedList usage guide
+
+When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).
+
+To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. 
+
+These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
+
+Here are some examples:
+
+**Bluetooth Headsets for Voice (HFP)**
+
+BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
+
+|UUID name  |Protocol specification  |UUID  |
+|---------|---------|---------|
+|HFP(Hands Free Profile)     |Hands-Free Profile (HFP) *         |0x111E         |
+
+Footnote: * Used as both Service Class Identifier and Profile Identifier.
+
+Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
+
+**Allow Audio Headsets only (Voice)**
+
+|Profile  |Reasoning  |UUID  |
+|---------|---------|---------|
+|HFP (Hands Free Profile)     |For voice enabled headsets         |0x111E        |
+|GAP (Generic Access Profile)*     |Generic service used by Bluetooth         |0x1800         |
+|DID (Device ID)*     |Generic service used by Bluetooth         |0x180A         |
+|Scan Parameters*     |Generic service used by Bluetooth         |0x1813         |
+
+Footnote: * *GAP, DID, and Scan Parameter are required, as these are underlying profiles and services used by all Bluetooth devices.
+
+This means that if you only want Bluetooth headsets, the UUIDs are:
+
+{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+
+**Allow Audio Headsets and Speakers (Voice & Music)**
+
+|Profile  |Reasoning  |UUID  |
+|---------|---------|---------|
+|HFP (Hands Free Profile)     |For voice enabled headsets         |0x111E         |
+|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers         |0x110A         |
+|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
+|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
+|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+
+{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+
+**Classic Keyboards and Mice**
+
+|Profile  |Reasoning  |UUID  |
+|---------|---------|---------|
+|HID (Human Interface Device)     |For classic BR/EDR keyboards and mice         |0x1124         |
+|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
+|DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
+|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+
+{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+
+> [!Note]  
+> For both Classic and LE use a super set of the two formula’s UUIDs
+
+**LE Keyboards and Mice**  
+
+|Profile  |Reasoning  |UUID  |
+|---------|---------|---------|
+|Generic Access Atribute     |For the LE Protocol         |0x1801         |
+|HID Over GATT *     |For LE keyboards and mice         |0x1812         |
+|GAP (Generic Access Profile)     |Generic service used by Bluetooth         |0x1800         |
+|DID (Device ID)     |Generic service used by Bluetooth         |0x180A         |
+|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+
+Footnote: * The Surface pen uses the HID over GATT profile
+
+{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+
+**Allow File Transfer**
+
+|Profile  |Reasoning  |UUID  |
+|---------|---------|---------|
+|OBEX Object Push (OPP)     |For file transfer         |0x1105         |
+|Object Exchange (OBEX)     |Protocol for file transfer         |0x0008         |
+|Generic Access Profile (GAP)     |Generic service used by Bluetooth         |0x1800         |
+|Device ID (DID)     |Generic service used by Bluetooth         |0x180A         |
+|Scan Parameters     |Generic service used by Bluetooth         |0x1813         |
+
+{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}
+
 <!--StartHoloLens-->
 ## <a href="" id="hololenspolicies"></a>Bluetooth policies supported by Windows Holographic for Business  
 
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index faf33814cc..e07d5f9e02 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/12/2018
+ms.date: 03/14/2018
 ---
 
 # Policy CSP - Connectivity
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 
 <hr/>
@@ -34,6 +36,9 @@ ms.date: 03/12/2018
   <dd>
     <a href="#connectivity-allownfc">Connectivity/AllowNFC</a>
   </dd>
+  <dd>
+    <a href="#connectivity-allowphonepclinking">Connectivity/AllowPhonePCLinking</a>
+  </dd>
   <dd>
     <a href="#connectivity-allowusbconnection">Connectivity/AllowUSBConnection</a>
   </dd>
@@ -355,6 +360,76 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="connectivity-allowphonepclinking"></a>**Connectivity/AllowPhonePCLinking**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC.
+
+If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'.
+If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP name: *enableMMX*
+-   GP ADMX file name: *grouppolicy.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.  
+
+- 0 - Do not link
+- 1 (default) - Allow phone-PC linking
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+Validation:  
+
+If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be greyed out and clicking it will not launch the window for a user to enter their phone number.
+
+Device that has previously opt-in to MMX will also stop showing on the device list.
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="connectivity-allowusbconnection"></a>**Connectivity/AllowUSBConnection**  
 
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 304792e860..38156a6d35 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -2129,6 +2129,11 @@ Value - A number indicating the zone with which this site should be associated f
 
 If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
 
+> [!Note]  
+> This policy is a list that contains the site and index value.
+
+The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value.  The registry name is the site and the value is an index. The index has to be sequential. See an example below.
+
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -2145,6 +2150,31 @@ ADMX Info:
 -   GP ADMX file name: *inetres.admx*
 
 <!--/ADMXBacked-->
+<!--Example-->
+```syntax
+  <SyncBody>
+      <Replace>
+          <CmdID>2</CmdID>
+           <Item>
+               <Meta>
+                  <Format>chr</Format>
+                  <Type>text/plain</Type>
+              </Meta>
+              <Target>
+                  <LocURI>./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList</LocURI>
+              </Target>
+               <Data>&lt;Enabled/&gt;&lt;Data id=&quot;IZ_ZonemapPrompt&quot; value=&quot;http://adfs.contoso.org&#xF000;1&#xF000;http://microsoft.com&#xF000;2&quot;/&gt;</Data>
+          </Item>
+      </Replace>
+      <Final/>
+  </SyncBody>
+```
+
+Value and index pairs in the SyncML example:  
+- http://adfs.contoso.org 1
+- http://microsoft.com 2
+
+<!--/Example-->
 <!--/Policy-->
 
 <hr/>
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
new file mode 100644
index 0000000000..5c860249fc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -0,0 +1,106 @@
+---
+title: Policy CSP - LanmanWorkstation
+description: Policy CSP - LanmanWorkstation
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 03/16/2018
+---
+
+# Policy CSP - LanmanWorkstation
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+<hr/>
+
+<!--Policies-->
+## LanmanWorkstation policies  
+
+<dl>
+  <dd>
+    <a href="#lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="lanmanworkstation-enableinsecureguestlogons"></a>**LanmanWorkstation/EnableInsecureGuestLogons**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
+
+If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
+
+If you disable this policy setting, the SMB client will reject insecure guest logons.
+
+Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Enable insecure guest logons*
+-   GP name: *Pol_EnableInsecureGuestLogons*
+-   GP ADMX file name: *LanmanWorkstation.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+<hr/>
+
+Footnote:
+
+-   1 - Added in Windows 10, version 1607.
+-   2 - Added in Windows 10, version 1703.
+-   3 - Added in Windows 10, version 1709.
+-   4 - Added in Windows 10, version 1803.
+
+<!--/Policies-->
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 27c960d639..327397bc54 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/12/2018
+ms.date: 03/16/2018
 ---
 
 # Policy CSP - LocalPoliciesSecurityOptions
@@ -51,24 +51,6 @@ ms.date: 03/12/2018
   <dd>
     <a href="#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-digitallysignsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-maximummachineaccountpasswordage">LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</a>
-  </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-domainmember-requirestrongsessionkey">LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
   </dd>
@@ -93,9 +75,6 @@ ms.date: 03/12/2018
   <dd>
     <a href="#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
   </dd>
@@ -126,9 +105,6 @@ ms.date: 03/12/2018
   <dd>
     <a href="#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
   </dd>
@@ -138,9 +114,6 @@ ms.date: 03/12/2018
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
   </dd>
@@ -784,375 +757,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Domain member: Digitally encrypt or sign secure channel data (always)
-
-This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
-
-Domain member: Digitally encrypt secure channel data (when possible)
-Domain member: Digitally sign secure channel data (when possible)
-
-Default: Enabled.
-
-Notes:
-
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
-Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Domain member: Digitally encrypt secure channel data (when possible)
-
-This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
-
-Default: Enabled.
-
-Important
-
-There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
-
-Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-digitallysignsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Domain member: Digitally sign secure channel data (when possible)
-
-This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
-
-This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
-
-Default: Enabled.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Digitally sign secure channel data (when possible)*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges"></a>**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Domain member: Disable machine account password changes
-
-Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
-
-Default: Disabled.
-
-Notes
-
-This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
-This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Disable machine account password changes*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-maximummachineaccountpasswordage"></a>**LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Domain member: Maximum machine account password age
-
-This security setting determines how often a domain member will attempt to change its computer account password.
-
-Default: 30 days.
-
-Important
-
-This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Maximum machine account password age*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-domainmember-requirestrongsessionkey"></a>**LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Domain member: Require strong (Windows 2000 or later) session key
-
-This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
-
-When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
-
-Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
-
-Domain member: Digitally encrypt or sign secure channel data (always)
-Domain member: Digitally encrypt secure channel data (when possible)
-Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
-
-If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
-
-Default: Enabled.
-
-Important
-
-In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
-In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Domain member: Require strong (Windows 2000 or later) session key*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**  
 
@@ -1650,77 +1254,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Microsoft network client: Digitally sign communications (always)
-
-This security setting determines whether packet signing is required by the SMB client component.
-
-The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
-
-If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
-
-Default: Disabled.
-
-Important
-
-For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
-
-Notes
-
-All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
-Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
-Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
-Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
-Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
-SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
-For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Microsoft network client: Digitally sign communications (always)*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**  
 
@@ -2334,63 +1867,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Network security: Allow Local System to use computer identity for NTLM
-
-This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
-
-If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
-
-If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.
-
-By default, this policy is enabled on Windows 7 and above.
-
-By default, this policy is disabled on Windows Vista.
-
-This policy is supported on at least Windows Vista or Windows Server 2008.
-
-Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
-
-<!--/Description-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**  
 
@@ -2586,66 +2062,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
-
-This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
-
-Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
-Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
-
-Default:
-
-Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
-
-Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**  
 
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 8dddbe0d18..bd162cb868 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/12/2018
+ms.date: 03/15/2018
 ---
 
 # Policy CSP - Notifications
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 
 <hr/>
@@ -19,12 +21,90 @@ ms.date: 03/12/2018
 ## Notifications policies  
 
 <dl>
+  <dd>
+    <a href="#notifications-disallowcloudnotification">Notifications/DisallowCloudNotification</a>
+  </dd>
   <dd>
     <a href="#notifications-disallownotificationmirroring">Notifications/DisallowNotificationMirroring</a>
   </dd>
+  <dd>
+    <a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
+  </dd>
 </dl>
 
 
+<hr/>
+
+<!--Policy-->
+<a href="" id="notifications-disallowcloudnotification"></a>**Notifications/DisallowCloudNotification**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 10, version 1803. This policy setting blocks applications from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview).
+
+If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs.
+
+If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application.
+
+If you disable or do not configure this policy setting, the client computer will connect to WNS at user login and applications will be allowed to use periodic (polling) notifications.
+
+No reboots or service restarts are required for this policy setting to take effect.
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Turn off notifications network usage*
+-   GP name: *NoCloudNotification*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+Validation:  
+1. Enable policy
+2. Reboot machine
+3. Ensure that you can't receive a notification from Facebook app while FB app isn't running
+<!--/Policy-->
+
 <hr/>
 
 <!--Policy-->
@@ -86,6 +166,75 @@ The following list shows the supported values:
 
 <!--/SupportedValues-->
 <!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="notifications-disallowtilenotification"></a>**Notifications/DisallowTileNotification**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td></td>
+	<td></td>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Added in Windows 10, version 1803. This policy setting turns off tile notifications.
+
+If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen.
+
+If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user.
+
+No reboots or service restarts are required for this policy setting to take effect.
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *Turn off tile notifications*
+-   GP name: *NoTileNotification*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+Validation:  
+1. Enable policy
+2. Reboot machine
+3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile)
+
+<!--/Validation-->
+<!--/Policy-->
 <hr/>
 
 Footnote:
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index c084709cd0..932edbd301 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -4493,14 +4493,6 @@ Footnote:
 ## <a href="" id="hololenspolicies"></a>Privacy policies supported by Windows Holographic for Business  
 
 -   [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)  
--   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
--   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
--   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
--   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
--   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
--   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
 <!--EndHoloLens-->
 
 <!--StartIoTCore-->
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 8b0251476c..8e59202bfb 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 01/12/2018
+ms.date: 03/15/2018
 ---
 
 # Policy CSP - RestrictedGroups
@@ -17,20 +17,22 @@ ms.date: 01/12/2018
 
 <hr/>
 
-<!--StartPolicies-->
+<!--Policies-->
 ## RestrictedGroups policies  
 
 <dl>
   <dd>
-    <a href="policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership" id="restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
+    <a href="#restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
   </dd>
 </dl>
 
+
 <hr/>
-<!--StartPolicy-->
+
+<!--Policy-->
 <a href="" id="restrictedgroups-configuregroupmembership"></a>**RestrictedGroups/ConfigureGroupMembership**  
 
-<!--StartSKU-->
+<!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
@@ -47,13 +49,13 @@ ms.date: 01/12/2018
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td></td>
 </tr>
 </table>
 
-<!--EndSKU-->
-<!--StartScope-->
+<!--/SupportedSKUs-->
+<!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 
 > [!div class = "checklist"]
@@ -61,19 +63,13 @@ ms.date: 01/12/2018
 
 <hr/>
 
-<!--EndScope-->
-<!--StartDescription-->
-This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.  
+<!--/Scope-->
+<!--Description-->
+This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.  
 
-> [!Note]  
-> This policy is only scoped to the Administrators group at this time.  
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
 
-Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
-
-> [!Note]  
-> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
-
-<!--EndDescription-->
+<!--/Description-->
 <!--SupportedValues-->
 
 <!--/SupportedValues-->
@@ -83,7 +79,7 @@ Using the policy, you can specify what members are part of a group. Any members
 <!--Validation-->
 
 <!--/Validation-->
-<!--EndPolicy-->
+<!--/Policy-->
 <hr/>
 
 Footnote:
@@ -91,6 +87,7 @@ Footnote:
 -   1 - Added in Windows 10, version 1607.
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
+-   4 - Added in Windows 10, version 1803.
 
-<!--EndPolicies-->
+<!--/Policies-->
 
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 6b2f4389e8..07ba3d94de 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -54,6 +54,9 @@ ms.date: 03/12/2018
   <dd>
     <a href="#textinput-allowlanguagefeaturesuninstall">TextInput/AllowLanguageFeaturesUninstall</a>
   </dd>
+  <dd>
+    <a href="#textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
+  </dd>
   <dd>
     <a href="#textinput-enabletouchkeyboardautoinvokeindesktopmode">TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</a>
   </dd>
@@ -218,7 +221,7 @@ The following list shows the supported values:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
@@ -237,20 +240,18 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
 Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
 
 Most restricted value is 0.
 
+In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input.
+
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 
 -   0 – Not allowed.
--   1 (default) – Allowed.
+-   1 (default) – Allowed. In Windows 10, version 1803, suggestion services are also available in Japanese IME.
 
 <!--/SupportedValues-->
 <!--/Policy-->
@@ -676,6 +677,65 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="textinput-allowlinguisticdatacollection"></a>**TextInput/AllowLinguisticDataCollection**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td></td>
+	<td></td>
+	<td></td>
+	<td></td>
+	<td></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP name: *AllowLinguisticDataCollection*
+-   GP ADMX file name: *TextInput.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+This setting supports a range of values between 0 and 1.
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="textinput-enabletouchkeyboardautoinvokeindesktopmode"></a>**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**  
 
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 27677b6c69..fc9618891f 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -7,15 +7,12 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 01/29/2018
+ms.date: 03/23/2018
 ---
 
 # RemoteWipe CSP
 
 
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
 The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
 
 The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
@@ -47,29 +44,6 @@ Supported operation is Exec.
 
 <a href="" id="doWipePersistUserData"></a>**doWipePersistUserData**  
 Added in Windows 10, version 1709.  Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
-
-<a href="" id="automaticredeployment"></a>**AutomaticRedeployment**  
-Added in Windows 10, version 1803. Node for the Automatic Redeployment operation.
-
-<a href="" id="doautomaticredeployment"></a>**AutomaticRedeployment/doAutomaticRedeployment**  
-Added in Windows 10, version 1803. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
-
-<a href="" id="lasterror"></a>**AutomaticRedeployment/LastError**  
-Added in Windows 10, version 1803. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
-
-<a href="" id="status"></a>**AutomaticRedeployment/Status**  
-Added in Windows 10, version 1803. Status value indicating current state of an Automatic Redeployment operation. 
-
-Supported values:  
-
--  0: Never run (not started). The default state. 
--  1: Complete. 
--  10: Reset has been scheduled. 
--  20: Reset is scheduled and waiting for a reboot. 
--  30: Failed during CSP Execute ("Exec" in SyncML). 
--  40: Failed: power requirements not met. 
--  50: Failed: reset internals failed during reset attempt.
-
  
 
 ## Related topics
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 215cc85669..a9ec625e99 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 01/29/2018
+ms.date: 03/23/2018
 ---
 
 # RemoteWipe DDF file
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 
-The XML below is the DDF for Windows 10, version 1803.
+The XML below is the DDF for Windows 10, version 1709.
 
 ``` syntax
 <?xml version="1.0" encoding="UTF-8"?>
@@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1803.
                 <Permanent />
             </Scope>
             <DFType>
-                <MIME>com.microsoft/1.1/MDM/RemoteWipe</MIME>
+                <DDFName></DDFName>
             </DFType>
             <Description>The root node for remote wipe function.</Description>
         </DFProperties>
@@ -131,94 +131,8 @@ The XML below is the DDF for Windows 10, version 1803.
               <Description>Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.</Description>
             </DFProperties>
         </Node>
-        <Node>
-          <NodeName>AutomaticRedeployment</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>doAutomaticRedeployment</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Exec />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>LastError</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DefaultValue>0</DefaultValue>
-              <Description>Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>Status</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DefaultValue>0</DefaultValue>
-              <Description>Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt.</Description>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Permanent />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-       </Node>
     </Node>
 </MgmtTree>
-
 ```
 
 ## Related topics
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 8f5c11db9d..b7fa5a8362 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -7,11 +7,14 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/26/2017
+ms.date: 03/06/2018
 ---
 
 # RootCATrustedCertificates CSP
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates.
 
 > [!Note]
@@ -44,6 +47,9 @@ Node for trusted publisher certificates.
 <a href="" id="rootcatrustedcertificates-trustedpeople"></a>**RootCATrustedCertificates/TrustedPeople**  
 Node for trusted people certificates.
 
+<a href="" id="rootcatrustedcertificates-untrustedcertificates"></a>**RootCATrustedCertificates/UntrustedCertificates**  
+Addeded in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable.
+
 <a href="" id="certhash"></a>**_CertHash_**  
 Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
 
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 6e6492a240..03c352d150 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -7,17 +7,19 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 12/05/2017
+ms.date: 03/07/2018
 ---
 
 # RootCATrustedCertificates DDF file
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML.
 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1803.
 
 ``` syntax
 <?xml version="1.0" encoding="UTF-8"?>
@@ -28,7 +30,7 @@ The XML below is the current version for this CSP.
   <VerDTD>1.2</VerDTD>
       <Node>
         <NodeName>RootCATrustedCertificates</NodeName>
-        <Path>./Vendor/MSFT</Path>
+        <Path>./User/Vendor/MSFT</Path>
         <DFProperties>
           <AccessType>
             <Get />
@@ -43,7 +45,7 @@ The XML below is the current version for this CSP.
             <Permanent />
           </Scope>
           <DFType>
-            <DDFName></DDFName>
+            <MIME>com.microsoft/1.1/MDM/RootCATrustedCertificates</MIME>
           </DFType>
         </DFProperties>
         <Node>
@@ -74,8 +76,6 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Delete />
                 <Get />
-                <Add />
-                <Replace />
               </AccessType>
               <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
               <DFFormat>
@@ -100,12 +100,12 @@ The XML below is the current version for this CSP.
               <DFProperties>
                 <AccessType>
                   <Add />
-                  <Replace />
                   <Get />
+                  <Replace />
                 </AccessType>
                 <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
                 <DFFormat>
-                  <chr />
+                  <b64 />
                 </DFFormat>
                 <Occurrence>
                   <One />
@@ -117,7 +117,7 @@ The XML below is the current version for this CSP.
                   <CIS />
                 </CaseSense>
                 <DFType>
-                  <MIME>text/plain</MIME>
+                  <DDFName></DDFName>
                 </DFType>
               </DFProperties>
             </Node>
@@ -271,8 +271,6 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Delete />
                 <Get />
-                <Add />
-                <Replace />
               </AccessType>
               <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
               <DFFormat>
@@ -297,12 +295,12 @@ The XML below is the current version for this CSP.
               <DFProperties>
                 <AccessType>
                   <Add />
-                  <Replace />
                   <Get />
+                  <Replace />
                 </AccessType>
                 <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
                 <DFFormat>
-                  <chr />
+                  <b64 />
                 </DFFormat>
                 <Occurrence>
                   <One />
@@ -311,7 +309,7 @@ The XML below is the current version for this CSP.
                   <Dynamic />
                 </Scope>
                 <DFType>
-                  <MIME>text/plain</MIME>
+                  <DDFName></DDFName>
                 </DFType>
               </DFProperties>
             </Node>
@@ -363,7 +361,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -384,7 +382,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -405,7 +403,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the certificate template name. </Description>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -450,8 +448,6 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Delete />
                 <Get />
-                <Add />
-                <Replace />
               </AccessType>
               <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
               <DFFormat>
@@ -476,12 +472,12 @@ The XML below is the current version for this CSP.
               <DFProperties>
                 <AccessType>
                   <Add />
-                  <Replace />
                   <Get />
+                  <Replace />
                 </AccessType>
                 <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
                 <DFFormat>
-                  <chr />
+                  <b64 />
                 </DFFormat>
                 <Occurrence>
                   <One />
@@ -493,7 +489,7 @@ The XML below is the current version for this CSP.
                   <CIS />
                 </CaseSense>
                 <DFType>
-                  <MIME>text/plain</MIME>
+                  <DDFName></DDFName>
                 </DFType>
               </DFProperties>
             </Node>
@@ -551,7 +547,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -575,7 +571,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -599,7 +595,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the certificate template name. </Description>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -647,8 +643,6 @@ The XML below is the current version for this CSP.
               <AccessType>
                 <Delete />
                 <Get />
-                <Add />
-                <Replace />
               </AccessType>
               <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
               <DFFormat>
@@ -673,12 +667,12 @@ The XML below is the current version for this CSP.
               <DFProperties>
                 <AccessType>
                   <Add />
-                  <Replace />
                   <Get />
+                  <Replace />
                 </AccessType>
                 <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
                 <DFFormat>
-                  <chr />
+                  <b64 />
                 </DFFormat>
                 <Occurrence>
                   <One />
@@ -690,7 +684,7 @@ The XML below is the current version for this CSP.
                   <CIS />
                 </CaseSense>
                 <DFType>
-                  <MIME>text/plain</MIME>
+                  <DDFName></DDFName>
                 </DFType>
               </DFProperties>
             </Node>
@@ -748,7 +742,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -772,7 +766,7 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -796,7 +790,1180 @@ The XML below is the current version for this CSP.
                 <AccessType>
                   <Get />
                 </AccessType>
-                <Description>Returns the certificate template name. </Description>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>UntrustedCertificates</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <CaseSense>
+              <CIS />
+            </CaseSense>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Delete />
+              </AccessType>
+              <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrMore />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>CertHash</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EncodedCertificate</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Add />
+                  <Replace />
+                </AccessType>
+                <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
+                <DFFormat>
+                  <b64 />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedBy</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate issuer.  This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidFrom</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>TemplateName</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+      <Node>
+        <NodeName>RootCATrustedCertificates</NodeName>
+        <Path>./Device/Vendor/MSFT</Path>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME>com.microsoft/1.1/MDM/RootCATrustedCertificates</MIME>
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>Root</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <CaseSense>
+              <CIS />
+            </CaseSense>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrMore />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>CertHash</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EncodedCertificate</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
+                <DFFormat>
+                  <b64 />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedBy</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate issuer.  This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidFrom</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>TemplateName</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>CA</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <CaseSense>
+              <CIS />
+            </CaseSense>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrMore />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>CertHash</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EncodedCertificate</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
+                <DFFormat>
+                  <b64 />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedBy</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate issuer.  This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidFrom</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>TemplateName</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>TrustedPublisher</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <CaseSense>
+              <CIS />
+            </CaseSense>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrMore />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>CertHash</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EncodedCertificate</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
+                <DFFormat>
+                  <b64 />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedBy</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate issuer.  This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidFrom</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>TemplateName</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>TrustedPeople</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <CaseSense>
+              <CIS />
+            </CaseSense>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+                <Delete />
+                <Get />
+              </AccessType>
+              <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrMore />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>CertHash</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EncodedCertificate</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
+                <DFFormat>
+                  <b64 />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedBy</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate issuer.  This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidFrom</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>TemplateName</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>UntrustedCertificates</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <CaseSense>
+              <CIS />
+            </CaseSense>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Delete />
+              </AccessType>
+              <Description>Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrMore />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>CertHash</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EncodedCertificate</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Add />
+                  <Replace />
+                </AccessType>
+                <Description>Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.</Description>
+                <DFFormat>
+                  <b64 />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedBy</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate issuer.  This is equivalent to the Issuer member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IssuedTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidFrom</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>ValidTo</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <CaseSense>
+                  <CIS />
+                </CaseSense>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>TemplateName</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>Returns the certificate template name. Supported operation is Get.</Description>
                 <DFFormat>
                   <chr />
                 </DFFormat>
@@ -818,14 +1985,4 @@ The XML below is the current version for this CSP.
         </Node>
       </Node>
 </MgmtTree>
-```
-
- 
-
- 
-
-
-
-
-
-
+```
\ No newline at end of file
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index e08ae3f4bd..9768a7eb0b 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -12,7 +12,7 @@
 ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
 ## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
 ### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
+### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md)
 ### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
 ### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
 #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
index 819b8ca97a..6cf9614a7c 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -831,9 +831,8 @@ This event represents the basic metadata about a file on the system.  The file m
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **AvDisplayName** The version of the Appraiser file generating the events.
-- **AvProductState** If the app is an anti-virus app, this is its display name.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
 - **BinaryType**  A binary type.  Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
 - **BinFileVersion**  An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
 - **BinProductVersion**  An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
@@ -841,8 +840,8 @@ The following fields are available:
 - **CompanyName**  The company name of the vendor who developed this file.
 - **FileId**  A hash that uniquely identifies a file.
 - **FileVersion**  The File version field from the file metadata under Properties -> Details.
-- **HasUpgradeExe** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
-- **IsAv** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
+- **IsAv** Is the file an anti-virus reporting EXE?
 - **LinkDate**  The date and time that this file was linked on.
 - **LowerCaseLongPath**  The full file path to the file that was inventoried on the device.
 - **Name**  The name of the file that was inventoried.
@@ -1653,7 +1652,7 @@ The following fields are available:
 - **KvaShadow** Microcode info of the processor.
 - **MMSettingOverride** Microcode setting of the processor.
 - **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system. 
 - **ProcessorClockSpeed**  Retrieves the clock speed of the processor in MHz.
 - **ProcessorCores**  Retrieves the number of cores in the processor.
 - **ProcessorIdentifier**  The processor identifier of a manufacturer.
@@ -1662,7 +1661,7 @@ The following fields are available:
 - **ProcessorPhysicalCores**  Number of physical cores in the processor.
 - **ProcessorUpdateRevision** The microcode version.
 - **SocketCount**  Number of physical CPU sockets of the machine.
-- **SpeculationControl** Clock speed of the processor in MHz.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. 
 
 
 ### Census.Speech
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index dad1cbe857..06874ee41a 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -21,7 +21,7 @@ ms.date: 03/13/2018
 - Windows 10, version 1709
 
 
-The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
 
 The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
 
@@ -317,8 +317,8 @@ This event represents the basic metadata about a file on the system.  The file m
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **AvDisplayName** The version of the Appraiser file generating the events.
-- **AvProductState** If the app is an anti-virus app, this is its display name.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
 - **BinaryType**  A binary type.  Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
 - **BinFileVersion**  An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
 - **BinProductVersion**  An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
@@ -326,8 +326,8 @@ The following fields are available:
 - **CompanyName**  The company name of the vendor who developed this file.
 - **FileId**  A hash that uniquely identifies a file.
 - **FileVersion**  The File version field from the file metadata under Properties -> Details.
-- **HasUpgradeExe** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
-- **IsAv** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
+- **IsAv** Is the file an anti-virus reporting EXE?
 - **LinkDate**  The date and time that this file was linked on.
 - **LowerCaseLongPath**  The full file path to the file that was inventoried on the device.
 - **Name**  The name of the file that was inventoried.
@@ -1617,7 +1617,7 @@ The following fields are available:
 - **KvaShadow** Microcode info of the processor.
 - **MMSettingOverride** Microcode setting of the processor.
 - **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system. 
 - **ProcessorClockSpeed**  Retrieves the clock speed of the processor in MHz.
 - **ProcessorCores**  Retrieves the number of cores in the processor.
 - **ProcessorIdentifier**  The processor identifier of a manufacturer.
@@ -1626,7 +1626,7 @@ The following fields are available:
 - **ProcessorPhysicalCores**  Number of physical cores in the processor.
 - **ProcessorUpdateRevision** The microcode version.
 - **SocketCount**  Number of physical CPU sockets of the machine.
-- **SpeculationControl** Clock speed of the processor in MHz.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
 
 
 ### Census.Security
@@ -1723,7 +1723,7 @@ The following fields are available:
 - **AppraiserGatedStatus**  Indicates whether a device has been gated for upgrading.
 - **AppStoreAutoUpdate**  Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
 - **AppStoreAutoUpdateMDM**  Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
-- **AppStoreAutoUpdatePolicy**  Retrieves the Windows Store App Auto Update group policy setting
+- **AppStoreAutoUpdatePolicy**  Retrieves the Microsoft Store App Auto Update group policy setting
 - **DelayUpgrade**  Retrieves the Windows upgrade flag for delaying upgrades.
 - **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
 - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
@@ -2195,7 +2195,7 @@ The following fields are available:
 - **Publisher**  The Publisher of the application. Location pulled from depends on the 'Source' field.
 - **RootDirPath**  The path to the root directory where the program was installed.
 - **Source**  How the program was installed (ARP, MSI, Appx, etc...)
-- **StoreAppType**  A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
+- **StoreAppType**  A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
 - **Type**  "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen."
 - **Version**  The version number of the program.
 
@@ -2836,7 +2836,7 @@ The following fields are available:
 
 ### SoftwareUpdateClientTelemetry.UpdateDetected
 
-This event sends data about an AppX app that has been updated from the Windows Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
 
 The following fields are available:
 
@@ -2846,7 +2846,7 @@ The following fields are available:
 - **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
 - **WUDeviceID**  The unique device ID controlled by the software distribution client
 - **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
-- **ServiceGuid**  An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **ServiceGuid**  An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
 
 
 ### SoftwareUpdateClientTelemetry.SLSDiscovery
@@ -2859,7 +2859,7 @@ The following fields are available:
 - **HResult**  Indicates the result code of the event (success, cancellation, failure code HResult)
 - **IsBackground**  Indicates whether the SLS discovery event took place in the foreground or background
 - **NextExpirationTime**  Indicates when the SLS cab expires
-- **ServiceID**  An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **ServiceID**  An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
 - **SusClientId**  The unique device ID controlled by the software distribution client
 - **UrlPath**  Path to the SLS cab that was downloaded
 - **WUAVersion**  The version number of the software distribution client
@@ -2885,7 +2885,7 @@ The following fields are available:
 - **EventType**  "Possible values are ""Child"", ""Bundle"", or ""Driver""."
 - **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
 - **RevisionNumber**  Unique revision number of Update
-- **ServerId**  Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
+- **ServerId**  Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
 - **SystemBIOSMajorRelease**  Major version of the BIOS.
 - **SystemBIOSMinorRelease**  Minor version of the BIOS.
 - **UpdateId**  Unique Update ID
@@ -2930,7 +2930,7 @@ The following fields are available:
 - **MetadataSignature**  A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
 - **RevisionId**  The revision ID for a specific piece of content.
 - **RevisionNumber**  The revision number for a specific piece of content.
-- **ServiceGuid**  Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
+- **ServiceGuid**  Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
 - **SHA256OfLeafCertPublicKey**  A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
 - **SHA256OfTimestampToken**  A base64-encoded string of hash of the timestamp token blob.
 - **SignatureAlgorithm**  The hash algorithm for the metadata signature.
@@ -3011,7 +3011,7 @@ The following fields are available:
 - **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
 - **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
 - **RevisionNumber**  Identifies the revision number of this specific piece of content.
-- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
 - **Setup360Phase**  If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
 - **ShippingMobileOperator**  The mobile operator that a device shipped on.
 - **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
@@ -3079,7 +3079,7 @@ The following fields are available:
 - **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
 - **ScanDurationInSeconds**  The number of seconds a scan took
 - **ScanEnqueueTime**  The number of seconds it took to initialize a scan
-- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
 - **ServiceUrl**  The environment URL a device is configured to scan with
 - **ShippingMobileOperator**  The mobile operator that a device shipped on.
 - **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
@@ -3177,7 +3177,7 @@ The following fields are available:
 - **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to install.
 - **RepeatSuccessInstallFlag**  Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
 - **RevisionNumber**  The revision number of this specific piece of content.
-- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
 - **Setup360Phase**  If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
 - **ShippingMobileOperator**  The mobile operator that a device shipped on.
 - **StatusCode**  Indicates the result of an installation event (success, cancellation, failure code HResult).
@@ -3212,7 +3212,7 @@ The following fields are available:
 - **PowerState**  Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
 - **RelatedCV**  "The previous correlation vector that was used by the client, before swapping with a new one "
 - **ResumeCount**  Number of times this active download has resumed from a suspended state
-- **ServiceID**  "Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) "
+- **ServiceID**  "Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) "
 - **SuspendCount**  Number of times this active download has entered a suspended state
 - **SuspendReason**  Last reason for why this active download entered a suspended state
 - **CallerApplicationName**  Name provided by the caller who initiated API calls into the software distribution client
@@ -3220,7 +3220,7 @@ The following fields are available:
 - **EventType**  "Possible values are ""Child"", ""Bundle"", or ""Driver"""
 - **FlightId**  The unique identifier for each flight
 - **RevisionNumber**  Identifies the revision number of this specific piece of content
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
 - **UpdateId**  "Identifier associated with the specific piece of content "
 - **WUDeviceID**  "Unique device id controlled by the software distribution client "
 
@@ -3735,7 +3735,7 @@ The following fields are available:
 - **ReportId**  WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
 
 
-## Windows Store events
+## Microsoft Store events
 
 ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 02dee783c1..822b8ec80b 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: high
 author: jdeckerms
-ms.date: 03/13/2018
+ms.date: 03/23/2018
 ---
 
 # Change history for Configure Windows 10
@@ -20,6 +20,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
 New or changed topic | Description
 --- | ---
 [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update.
+Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer.
+
 
 ## February 2018
 
diff --git a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
index 9529995ecb..ec20ebc2bc 100644
--- a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
@@ -15,7 +15,7 @@ ms.date: 10/17/2017
 
 **Applies to**
 
--   Windows 10
+-   Windows 10 Enterprise
 -   Windows 10 Mobile
 -   Windows Server
 
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
index e2c1689b92..e8eb951b8c 100644
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -19,6 +19,6 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
 | Topic | Description |
 | --- | --- |
 | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.  |
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select.  |
+|  [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select.  |
 | [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device.  |
 | [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f37871b6d2..ddc0530800 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.localizationpriority: high
 author: brianlic-msft
 ms.author: brianlic-msft
-ms.date: 01/29/2018
+ms.date: 03/22/2018
 ---
 
 # Manage connections from Windows operating system components to Microsoft services
@@ -77,14 +77,13 @@ Here's a list of changes that were made to this article for Windows 10, version
 
 ## <a href="" id="bkmk-othersettings"></a>Management options for each setting
 
-
 The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
 
 If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
 
 ### Settings for Windows 10 Enterprise edition 
 
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
+The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1703.
 
 | Setting | UI | Group Policy | MDM policy | Registry | Command line |
 | - | :-: | :-: | :-: | :-: | :-: |
@@ -1516,6 +1515,8 @@ To turn off **Let apps run in the background**:
     -   **1**. Force allow
     -   **2**. Force deny
 
+> [!NOTE]
+> Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**.
 
 ### <a href="" id="bkmk-priv-motion"></a>17.18 Motion
 
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 76176cb430..fe4f0b035a 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -41,7 +41,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
     
         - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
         - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-        - [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
+        - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
         - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
         - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)
         
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 2a0a5b4e8e..c61c9169d8 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -82,7 +82,7 @@ The following table describes settings that you can configure using the wizards
 
 - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
+- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
 
 
 
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/setup-kiosk-digital-signage.md
similarity index 60%
rename from windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
rename to windows/configuration/setup-kiosk-digital-signage.md
index d68048c98d..c9b84f0646 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/setup-kiosk-digital-signage.md
@@ -1,44 +1,124 @@
 ---
-title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10)
-description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
-keywords: ["assigned access", "kiosk", "lockdown"]
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
-ms.date: 01/31/2018
+ms.date: 03/30/2018
 ---
 
-# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
+# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
 
 
 **Applies to**
 
 -   Windows 10
 
->  **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
 
-A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. 
 
-- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). In Windows 10, version 1709, you can use the [Provision kiosk devices wizard](#wizard) to configure a kiosk device running a Universal Windows app for Windows 10 Pro.
+Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps.](lock-down-windows-10-to-specific-apps.md).)
 
-    or
-    
-- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education). 
 
-    or
-    
-- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only). 
+
+## Choose a method for configuring your kiosks and digitals signs
+
+**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart.
 
 >[!TIP]
->To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
+>For **digital signage**, simply select a digital sign player as your kiosk app. 
 
->[!NOTE]
->A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
+**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. 
 
-## Using a local device as a kiosk
+>[!WARNING]
+>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
+>
+>Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
+
+### Methods for kiosks and digital signs running a UWP app
+
+Choose this method | For this edition | For this kiosk account type 
+--- | --- | ---
+[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user
+[PowerShell](#powershell)  | Pro, Ent, Edu | Local standard user
+[Provisioning](#wizard)  | Pro (version 1709), Ent, Edu | Local standard user 
+[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm)  | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
+
+### Methods for kiosks and digital signs running a Classic Windows app
+
+Choose this method | For this edition | For this kiosk account type 
+--- | --- | ---
+[Provisioning](#wizard) | Ent, Edu | Local standard user 
+[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD
+
+
+
+
+
+### Other settings to lock down
+
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+
+Recommendation | How to
+--- | ---
+Replace "blue screen" with blank screen for OS errors   | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`</br></br>[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)</br></br>You must restart the device after changing the registry.
+Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
+Hide **Ease of access** feature on the logon screen. |     Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
+Disable the hardware power button. |     Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+Remove the power button from the sign-in screen. |     Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
+Disable the camera. |     Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
+Turn off app notifications on the lock screen. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
+
+
+**How to edit the registry to have an account automatically logged on**
+
+1.  Open Registry Editor (regedit.exe).
+
+    >[!NOTE]  
+    >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
+  
+
+2.  Go to
+
+    **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
+
+3.  Set the values for the following keys.
+
+    -   *AutoAdminLogon*: set value as **1**.
+
+    -   *DefaultUserName*: set value as the account that you want logged in.
+
+    -   *DefaultPassword*: set value as the password for the account.
+
+       > [!NOTE]
+       > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
+
+    -   *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
+
+4.  Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
+
+>[!TIP]
+>You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
+
+
+<span id="local"/>
+## Set up a kiosk or digital sign in local Settings
+
+>App type: UWP
+>
+>OS edition: Windows 10 Pro, Ent, Edu
+>
+>Account type: Local standard user
+
+You can use **Settings** to quickly configure one or a few devices as a kiosk. (Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
 
 When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
 
@@ -48,99 +128,33 @@ If you do not want the kiosk account signed in automatically when the device res
 
 ![Screenshot of automatic sign-in setting](images/auto-signin.png)
 
-<span id="wizard" />
-## Set up a kiosk using Windows Configuration Designer
+**To set up assigned access in PC settings**
 
-When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
-
->[!IMPORTANT]
->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-
-
-[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
-
-
-
-<table>
-<tr><td  style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
-<tr><td  style="width:45%" valign="top">![step two](images/two.png)  ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
-<tr><td  style="width:45%" valign="top">![step three](images/three.png)  ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
-<tr><td  style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
-<tr><td  style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr> 
-<tr><td  style="width:45%" valign="top">![step six](images/six.png)  ![Configure kiosk account and app](images/kiosk-account.png)</br></br>**Important:** You must use the Windows Configuration Designer app from Microsoft Store to select a Classic Windows application as the kiosk app in a provisioning package.</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
-<tr><td  style="width:45%" valign="top">![step seven](images/seven.png)  ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
-<tr><td  style="width:45%" valign="top">  ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
-</table>
-
-
->[!NOTE]
->If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
-
-
-
-
-
-[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
-
-
-     
-<span id="assigned-access" />
-## Assigned access method for Universal Windows apps
-
-
-Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
-
-| Method | Account type | Windows 10 edition |
-| --- | --- | --- |
-| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
-| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
-| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
-| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
-
-
-
-### Requirements
-
--   A domain or local user account. 
-    
--   A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
-
-    The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
-
-    The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
-
->[!NOTE]  
->Assigned access does not work on a device that is connected to more than one monitor.
-
- 
-
-### Set up assigned access in PC settings
-
-1.  Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users**.
+1.  Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other people**.
 
 2.  Choose **Set up assigned access**.
 
 3.  Choose an account.
 
-4.  Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
+4.  Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
 
 5.  Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
 
 To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
 
-### Set up assigned access in MDM
-
-Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode.
-
-[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
-
-[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
-
-<sp id="set-up-assigned-access-wcd" />
+>[!NOTE]  
+>Single-app kiosk configuration using assigned access does not work on a device that is connected to more than one monitor.
 
 
+<span id="powershell"/>
+## Set up a kiosk or digital sign using Windows PowerShell
 
-### Set up assigned access using Windows PowerShell
+ 
+>App type: UWP
+>
+>OS edition: Windows 10 Pro, Ent, Edu
+>
+>Account type: Local standard user
 
 You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
 
@@ -178,50 +192,91 @@ Clear-AssignedAccess
 ```
 
 
-### Set up automatic logon
+<span id="wizard" />
+## Set up a kiosk or digital sign using a provisioning package
 
-When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
+>App type: UWP or Classic Windows
+>
+>OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types
+>
+>Account type: Local standard user 
 
-Edit the registry to have an account automatically logged on.
+When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
 
-1.  Open Registry Editor (regedit.exe).
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 
-    >[!NOTE]  
-    >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
-  
 
-2.  Go to
+[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
 
-    **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
 
-3.  Set the values for the following keys.
 
-    -   *AutoAdminLogon*: set value as **1**.
+<table>
+<tr><td  style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">![step two](images/two.png)  ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">![step three](images/three.png)  ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr> 
+<tr><td  style="width:45%" valign="top">![step six](images/six.png)  ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">![step seven](images/seven.png)  ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">  ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
+</table>
 
-    -   *DefaultUserName*: set value as the account that you want logged in.
 
-    -   *DefaultPassword*: set value as the password for the account.
+>[!NOTE]
+>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
 
-       > [!NOTE]
-       > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
 
-    -   *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
 
-4.  Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
 
-### Sign out of assigned access
 
-To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
+[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
 
-If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
 
-**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
 
-To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
 
-<span id="shell-launcher" />
-## Shell Launcher for Classic Windows applications
 
+ 
+
+
+
+## Set up a kiosk or digital sign in Intune or other MDM service
+
+>App type: UWP 
+>
+>OS edition: Windows 10 Pro (version 1709), Ent, Edu
+>
+>Account type: Local standard user, Azure AD
+
+Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
+
+The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
+
+**To configure kiosk in Microsoft Intune**
+
+2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
+3. Select **Device configuration**.
+4. Select **Profiles**.
+5. Select **Create profile**.
+6. Enter a friendly name for the profile.
+7. Select **Windows 10 and later** for the platform.
+8. Select **Device restrictions** for the profile type.
+9. Select **Kiosk**.
+10. In **Kiosk Mode**, select **Single app kiosk**.
+1. Enter the user account (Azure AD or a local standard user account).
+11. Enter the Application User Model ID for an installed app.
+14. Select **OK**, and then select **Create**.
+18. Assign the profile to a device group to configure the devices in that group as kiosks.
+
+
+<span id="shelllauncher" />
+## Set up a kiosk or digital sign using Shell Launcher 
+
+>App type: Classic Windows
+>
+>OS edition: Windows 10 Ent, Edu
+>
+>Account type: Local standard user or administrator, Active Directory, Azure AD
 
 Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
 
@@ -229,7 +284,8 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo
 >You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard).
 
 >[!WARNING]
->Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.  
+>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.  
 
 ### Requirements
 
@@ -239,6 +295,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo
 
 [See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
 
+
 ### Configure Shell Launcher
 
 To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
@@ -399,41 +456,15 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
 "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
 ```
 
-## Other settings to lock down
+## Sign out of assigned access
 
+To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
 
-For a more secure kiosk experience, we recommend that you make the following configuration changes to the device:
+If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
 
--   Put device in **Tablet mode**.
+**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
 
-    If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.**
-
--   Hide **Ease of access** feature on the logon screen.
-
-    Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
-
--   Disable the hardware power button.
-
-    Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
-
--   Remove the power button from the sign-in screen.
-
-    Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
-
--   Disable the camera.
-
-    Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
-
--   Turn off app notifications on the lock screen.
-
-    Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
-
--   Disable removable media.
-
-    Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
-
-    >[!NOTE]  
-    >To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
 
  
 ## Related topics
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 2df8e81ee7..de3f2b1d0f 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -29,7 +29,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
 
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
+- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
 
 ## ComputerAccount
 
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 9be7d411e7..fdc91f9f6c 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 09/06/2017
+ms.date: 03/30/2018
 ---
 
 # SMISettings (Windows Configuration Designer reference)
@@ -94,6 +94,9 @@ When you **enable** KeyboardFilter, a number of other settings become available
 
 Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
 
+>[!WARNING]
+>Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+
 You can also configure ShellLauncher to launch different shell applications for different users or user groups.
 
 >[!IMPORTANT]  
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index b110f3c3c8..94f70ce62d 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -8,6 +8,13 @@
 ### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
 ### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
 ## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+### [Quick fixes](upgrade\quick-fixes.md)
+### [SetupDiag](upgrade/setupdiag.md)
+### [Troubleshooting upgrade errors](upgrade/troubleshoot-upgrade-errors.md)
+### [Windows error reporting](upgrade/windows-error-reporting.md)
+### [Upgrade error codes](upgrade/upgrade-error-codes.md)
+### [Log files](upgrade/log-files.md)
+### [Resolution procedures](upgrade/resolution-procedures.md)
 ### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md)
 
 ## [Deploy Windows 10](deploy.md)
@@ -241,7 +248,6 @@
 ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
 ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
 ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
 ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
 #### [Get started with Update Compliance](update/update-compliance-get-started.md)
 #### [Use Update Compliance](update/update-compliance-using.md)
@@ -249,10 +255,13 @@
 ##### [Security Update Status report](update/update-compliance-security-update-status.md)
 ##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
 ##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
+##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
 ##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
 ### [Device Health](update/device-health-monitor.md)
 #### [Get started with Device Health](update/device-health-get-started.md)
 #### [Using Device Health](update/device-health-using.md)
+### [Enrolling devices in Windows Analytics](update/windows-analytics-get-started.md)
+### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md)
 
 ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
 
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 175f553534..4a72395427 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.date: 11/14/2017
+ms.date: 03/20/2018
 ms.pagetype: deploy
 author: jaimeo
 ---
@@ -15,25 +15,11 @@ author: jaimeo
 This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health. 
 
 Steps are provided in sections that follow the recommended setup process:
-1.	Ensure that [prerequisites](#device-health-prerequisites) are met.
-2.	[Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
-3.	[Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices and set the telemetry level) to your organization’s devices.
 
-## Device Health prerequisites
+1. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+2. [Enroll devices in Windows Analytics](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
+3. [Use Device Health to monitor frequency and causes of device crashes](#use-device-health-to-monitor-frequency-and-causes-of-device-crashes) once your devices are enrolled.
 
-Device Health has the following requirements: 
-1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). 
-2. The solution requires that at least the [enhanced level of diagnostic data](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization). 
-3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
-
-Service | Endpoint
---- | ---
-Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
-Windows Error Reporting | watson.telemetry.microsoft.com
-Online Crash Analysis | oca.telemetry.microsoft.com
-
->[!NOTE]  
-> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for steps to exclude authentication for these endpoints.
 
 
 ## Add Device Health to Microsoft Operations Management Suite
@@ -79,100 +65,14 @@ After you have added Device Health and devices have a Commercial ID, you will be
 >[!NOTE]
 >You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
 
-## Deploy your Commercial ID to your Windows 10 devices and set the diagnostic data level
-
-In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). 
-
-- Using Group Policy<BR><BR>
-    Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
-    1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
-    2. Double-click **Configure the Commercial ID**
-    3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
-
-- Using Microsoft Mobile Device Management (MDM)<BR><BR>
-Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. You can find more information on deployment using MDM at the [DMClient Configuration Service Provider topic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).  
-
-## Perform checks to ensure and verify successful deployment
-
-While you're waiting for the initial data to populate, there are some configuration details it's worth confirming to ensure that the necessary data connections are set up properly.
-
-### Check for disabled Windows Error Reporting (WER)
- 
-If WER is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health. 
-
-Check these Registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
-
-- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
-- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
-- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
- 
-If you need further information on Windows Error Reporting (WER) settings, see [WER Settings](https://msdn.microsoft.com/library/windows/desktop/bb513638(v=vs.85).aspx).
- 
-
-### Endpoint connectivity
-
-Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic. 
-
->[!NOTE]  
-> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about diagnostic data endpoints and how to manage them, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
-
-If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
-
-Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required).
-
-To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*: 
-
-```powershell
-
-$endPoints = @(
-        'v10.vortex-win.data.microsoft.com'
-        'settings-win.data.microsoft.com'
-        'watson.telemetry.microsoft.com'
-        'oca.telemetry.microsoft.com'
-        'vortex.data.microsoft.com'
-    )
-
-$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
-
-```
-
-If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
-
-To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
-
-```powershell
-
-[scriptblock]$accessTest = {
-    $endPoints = @(
-        'v10.vortex-win.data.microsoft.com'
-        'settings-win.data.microsoft.com'
-        'watson.telemetry.microsoft.com'
-        'oca.telemetry.microsoft.com'
-        'vortex.data.microsoft.com'
-    )
-
-    $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
-}
-
-$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
-$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
-$accessTest.ToString() > $scriptFullPath
-$null > $outputFileFullPath
-$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`"" 
-$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
-$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
-Start-Sleep -Seconds 120
-Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
-Get-Content $outputFileFullPath
-
-```
-
-As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
-
+## Enroll devices in Windows Analytics
 
+Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
 
 
+## Use Device Health to monitor frequency and causes of device crashes
 
+Once your devices are enrolled, you can move on to [Using Device Health](device-health-using.md).
 
 
 ## Related topics
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
index 078a95742a..96aec57103 100644
--- a/windows/deployment/update/device-health-monitor.md
+++ b/windows/deployment/update/device-health-monitor.md
@@ -67,7 +67,7 @@ These steps are illustrated in following diagram:
  [![](images/analytics-architecture.png)](images/analytics-architecture.png)
 
 >[!NOTE]
->This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
 
 
 
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
index 3526ae3850..19e2365401 100644
--- a/windows/deployment/update/device-health-using.md
+++ b/windows/deployment/update/device-health-using.md
@@ -4,7 +4,7 @@ description: Explains how to begin usihg Device Health.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.date: 10/10/2017
+ms.date: 03/30/2018
 ms.pagetype: deploy
 author: jaimeo
 ---
@@ -90,6 +90,144 @@ Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver p
 The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization.
 
 
+## App Reliability
+
+The App Reliability report shows you useful data on app usage and behavior so that you can identify apps that are misbehaving and then take steps to resolve the problem.
+
+### App reliability events
+
+The default view includes the **Devices with events** count, which shows the number of devices in your organization that have logged a reliability event for a given app over the last 14 days. A "reliability event" occurs when an app either exits unexpectedly or stops responding. The table also includes a **Devices with Usage** count. This enables you to see how widely used the app was over the same period to put the Devices with Events count into perspective.
+
+![Main App Reliability view](images/app-reliability-main.png)
+
+When you click a particular app, the detailed **App reliability** view opens. The first element in the view is the App Information summary:
+
+![App reliability view with columns for app name, publisher, devices with usage, devices with events, percentage of devices with events logged for that app, and percentage of devices with events as a "commercial average"](images/app-reliability-app-detail.png)
+
+This table contains:
+
+- App name
+- Publisher
+- Devices with usage: the number of unique devices that logged any usage of the app
+- Devices with events: the number of unique devices that logged any reliability event for the app
+- % with events: the ratio of "devices with events" to "devices with usage"
+- % with events (commercial average): the ratio of "devices with events" to "devices with usage" in data collected from deployments with a mix of operating system versions and device models that is similar to yours. This can help you decide if a given app is having problems specifically in your environment or more generally in many environments.
+
+#### Trend section
+Following the App Information summary is the trend section:
+
+![Trend view](images/app-reliability-trend-view.png)
+
+With these trend graphs you can more easily detect if an issue is growing, shrinking, or steady. The trend graph on the left shows the number of devices that logged any reliability event for the app. The trend graph on the right shows the ratio of "devices with events" to "devices with usage."
+
+Each graph displays two lines:
+
+- Trailing window: in this line, each day’s value reflects reliability events that occurred in the 14 days leading up to that day. This is useful for gauging the long-term trend with reduced volatility due to weekends and small populations.
+- Single day: Each day’s value reflects reliability events that occurred in a single day. This is useful if an issue is quickly emerging (or being resolved).
+
+#### App and OS versions table
+The next element in the view is the App and OS versions table:
+
+
+![App/OS version view](images/app-reliability-app-OS-version.png)
+
+This table breaks out the metrics by combinations of App and OS version. This enables you to identify patterns in that might indicate devices needing an update or configuration change.
+
+For example, if the table shows that a later version of an app is more reliable than an earlier version in your environment, then prioritizing deployment of the later version is likely the best path forward. If you are already running the latest version of the app, but reliability events are increasing, then you might need to do some troubleshooting, or seek support from Microsoft or the app vendor.
+
+By default the table is limited to the most-used version combinations in your environment. To see all version combinations click anywhere in the table.
+
+
+#### Reliability event history table
+
+The next element in the view is the reliability event history table:
+
+![event history view](images/app-reliability-event-history.png)
+
+This table shows the most detailed information. Although Device Health is not a debugging tool, the details available in this table can help with troubleshooting by providing the specific devices, versions, and dates of the reliability events.
+
+This view also includes the **Diagnostic Signature** column. This value can be helpful when you are working with product support or troubleshooting on your own. The value (also known as Failure ID or Failure Name) is the same identifier used to summarize crash statistics for Microsoft and partner developers.
+
+The Diagnostic Signature value contains the type of reliability event, error code, DLL name, and function name involved. You can use this information to narrow the scope of troubleshooting. For example, a value like *APPLICATION_HANG_ThreadHang_Contoso-Add-In.dll!GetRegistryValue()* implies that the app stopped responding when Contoso-Add-In was trying to read a registry value. In this case you might prioritize updating or disabling the add-in, or using Process Monitor to identify the registry value it was trying to read, which could lead to a resolution through antivirus exclusions, fixing missing keys, or similar remedies.
+
+
+By default the table is limited to a few recent rows. To see all rows click anywhere in the table.
+
+
+### FAQs and limitations
+
+#### Why does a particular app not appear in the views?
+When we allow reliability events from all processes, the list of apps fills with noisy processes which don't feel like meaningful end-user apps (for example, taskhost.exe or odd-test-thing.exe). In order to draw focus to the apps which matter most to users, App Reliability uses a series of filters to limit what appears in the list. The filter criteria include the following:
+
+- Filter out background processes which have no detected user interaction.
+- Filter out operating system processes which, despite having user interaction, do not feel like apps (for example, Logonui.exe, Winlogon.exe). **Known limitation:** Some processes which may feel like apps are not currently detected as such (and are therefore filtered out as OS processes). These include Explorer.exe, Iexplore.exe, Microsoftedge.exe, and several others.
+- Remove apps which are not widely used in your environment. **Known limitation:** This might result in an app that you consider important being filtered out when that app is not among the 30 most widely used in your environment.
+
+
+We welcome your suggestions and feedback on this filtering process at the [Device Health Tech Community](https://aka.ms/community/DeviceHealth).
+
+#### Why are there multiple names and entries for the same app?
+For example, you might see *Skype for Business*, *‘skype for business’*, and *Lync* listed separately, but you only use *Skype for Business*. Or you might see *MyApp Pro* and *MyApp Professional* listed separately, even though they feel like the same thing.
+
+Apps have many elements of metadata which describe them. These include an Add/Remove programs title (“Contoso Suite 12”), executable file names (“ContosoCRM.exe”), executable display name (“Contoso CRM”), and others. App publishers (and in some cases app re-packagers) set these values. For the most part we leave the data as set by the publisher which can lead to some report splitting. In certain cases we apply transformations to reduce splitting, for example we (by design) convert many values to lower case so that incoming data such as "Contoso CRM" and "CONTOSO CRM" become the same app name for reporting. 
+ 
+
+
+#### Clicking an app in the App Reliability Events blade sometimes results a List view of records instead of the App Reliability view
+To work around this, click the **App Reliability** tab above the results to see the expected view.
+ 
+![Click app reliability tab](images/app-reliability-tab.png)
+
+
+#### Clicking "See all…" from the App Reliability Events blade followed by clicking an app from the expanded list results in raw records instead of the App Reliability view
+To work around this, replace all of the text in the Log Search query box with the following:
+
+*DHAppReliability | where AppFileDisplayName == "<Name of app as it appeared in the list>"*
+
+For example:
+
+*DHAppReliability | where AppFileDisplayName == "Microsoft Outlook"*
+
+
+
+## Login Health
+
+Login Health provides reports on Windows login attempts in your environment, including metrics on the login methods being used (such as Windows Hello, face recognition, fingerprint recognition, PIN, or password), the rates and patterns of login success and failure, and the specific reasons logins have failed.
+
+The Login Health blades appear in the Device Health dashboard:
+
+
+![Main Login health view](images/login-health.png)
+
+### Login Errors
+The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurence for the specified time period.
+
+### Login Metrics by Type
+The **Login metrics by type** blade shows the success rate for your devices, as well as the success rate for other environments with a mix of operating system versions and device models similar to yours (the **Commercial average success rate**).
+
+In the table (by type) you can gauge how broadly each login type is attempted, the number of devices that prefer the type (most used), and the success rate. If migration from passwords to an alternative such as Hello: PIN is going well, you would see high usage and high success rates for the new type.
+
+Click any of the login types to see detailed login health data for that type:
+
+![Login type detail](images/login-health-detail.png)
+
+This view shows trends over time of usage, preferred credentials, and success rate along with the most frequent errors and frequently failing devices for that login type.
+
+Click a specific login error in this view to see a list of all instances for that error and login type within the specified time range:
+
+![Login error detail](images/login-health-detail-failure.png)
+
+Included in this view are device attributes and error attributes such as the following:
+
+- LogonStatus/LogonSubStatus: Status code for the login attempt
+- SignInFailureReason: Known failure reasons evaluated from status or sub-status
+- SuggestedSignInRemediation: Suggested remediation that was presented to the user at the time of error
+
+The filters in the left pane allow you to filter errors to a particular operating system, device model, or other parameters. Alternatively, clicking the most frequently failing models from the Login Health perspective will take you to a list of error instances filtered to the login type and specified device model within the specified time range.
+
+>[!NOTE]
+> Windows Hello: Face authentication errors are not currently included in the login health reports.
+
 
 
 
diff --git a/windows/deployment/update/images/WA-data-flow-v1.png b/windows/deployment/update/images/WA-data-flow-v1.png
new file mode 100644
index 0000000000..072502b2c7
Binary files /dev/null and b/windows/deployment/update/images/WA-data-flow-v1.png differ
diff --git a/windows/deployment/update/images/WA-device-enrollment.png b/windows/deployment/update/images/WA-device-enrollment.png
new file mode 100644
index 0000000000..06408def68
Binary files /dev/null and b/windows/deployment/update/images/WA-device-enrollment.png differ
diff --git a/windows/deployment/update/images/app-reliability-app-OS-version.png b/windows/deployment/update/images/app-reliability-app-OS-version.png
new file mode 100644
index 0000000000..c281dcc316
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-app-OS-version.png differ
diff --git a/windows/deployment/update/images/app-reliability-app-detail.png b/windows/deployment/update/images/app-reliability-app-detail.png
new file mode 100644
index 0000000000..8c402bb91f
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-app-detail.png differ
diff --git a/windows/deployment/update/images/app-reliability-event-history.png b/windows/deployment/update/images/app-reliability-event-history.png
new file mode 100644
index 0000000000..f28ab02908
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-event-history.png differ
diff --git a/windows/deployment/update/images/app-reliability-main.png b/windows/deployment/update/images/app-reliability-main.png
new file mode 100644
index 0000000000..abbcc72690
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-main.png differ
diff --git a/windows/deployment/update/images/app-reliability-tab.png b/windows/deployment/update/images/app-reliability-tab.png
new file mode 100644
index 0000000000..17eae401f4
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-tab.png differ
diff --git a/windows/deployment/update/images/app-reliability-trend-view.png b/windows/deployment/update/images/app-reliability-trend-view.png
new file mode 100644
index 0000000000..2d26df93d3
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-trend-view.png differ
diff --git a/windows/deployment/update/images/login-health-detail-failure.png b/windows/deployment/update/images/login-health-detail-failure.png
new file mode 100644
index 0000000000..76865225a1
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail-failure.png differ
diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png
index 2d3871fc42..45867cefc5 100644
Binary files a/windows/deployment/update/images/login-health-detail.png and b/windows/deployment/update/images/login-health-detail.png differ
diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png
index fd4f6740bd..e250351fb5 100644
Binary files a/windows/deployment/update/images/login-health.png and b/windows/deployment/update/images/login-health.png differ
diff --git a/windows/deployment/update/images/outdated_incomplete.png b/windows/deployment/update/images/outdated_incomplete.png
new file mode 100644
index 0000000000..61d9343b05
Binary files /dev/null and b/windows/deployment/update/images/outdated_incomplete.png differ
diff --git a/windows/deployment/update/images/outdated_outdated.png b/windows/deployment/update/images/outdated_outdated.png
new file mode 100644
index 0000000000..761d9066c2
Binary files /dev/null and b/windows/deployment/update/images/outdated_outdated.png differ
diff --git a/windows/deployment/update/images/uc-DO-status.png b/windows/deployment/update/images/uc-DO-status.png
new file mode 100644
index 0000000000..d4b47be324
Binary files /dev/null and b/windows/deployment/update/images/uc-DO-status.png differ
diff --git a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png b/windows/deployment/update/images/upgrade-analytics-unsubscribe.png
new file mode 100644
index 0000000000..402db94d6f
Binary files /dev/null and b/windows/deployment/update/images/upgrade-analytics-unsubscribe.png differ
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
new file mode 100644
index 0000000000..92c577feea
--- /dev/null
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -0,0 +1,42 @@
+---
+title: Delivery Optimization in Update Compliance (Windows 10)
+description: new Delivery Optimization data displayed in Update Compliance
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+ms.author: jaimeo
+ms.date: 03/27/2018
+---
+
+# Delivery Optimization in Update Compliance
+The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
+
+## Delivery Optimization Status
+ 
+The Delivery Optimization Status section includes three blades:
+
+- The **Device Configuration** blade shows a breakdown of download configuration for each device
+- The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category
+- The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers).
+
+![DO status](images/uc-DO-status.png)
+
+ 
+## Device Configuration blade
+Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md#download-mode).
+ 
+## Content Distribution (%) blade
+The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).
+The table breaks down the Bandwidth Savings % into specific content categories along with the number of devices seen downloading the given content type that used peer-to-peer distribution.
+ 
+## Content Distribution (GB) blade
+The second of two blades showing information on content breakdown, this blade shows a ring chart summarizing the total bytes downloaded by using peer-to-peer distribution compared to HTTP distribution. 
+The table breaks down the number of bytes from each download source into specific content categories, along with the number of devices seen downloading the given content type that used peer-to-peer distribution.
+
+The download sources that could be included are:
+- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
+- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
+- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. 
+
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 354ad86c3d..d5059b3973 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -6,9 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-author: DaniHalfin
-ms.author: daniha
-ms.date: 10/13/2017
+author: Jaimeo
+ms.author: jaimeo
+ms.date: 03/15/2018
 ---
 
 # Get started with Update Compliance
@@ -16,29 +16,10 @@ ms.date: 10/13/2017
 This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. 
 
 Steps are provided in sections that follow the recommended setup process:
-1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
-2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
-3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
+1. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+2. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) to your organization’s devices.
+3. [Use Update Compliance to monitor Windows Updates](#use-update-compliance-to-monitor-windows-updates) once your devices are enrolled.
 
-## Update Compliance prerequisites
-
-Update Compliance has the following requirements: 
-1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). 
-2. The solution requires that Windows 10 diagnostic data is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of diagnostic data](/configuration/configure-windows-diagnostic-data-in-your-organization#basic-level) enabled. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization). 
-3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/configuration/configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
-
-    Service | Endpoint
-    --- | ---
-    Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
-    Windows Error Reporting | watson.telemetry.microsoft.com
-    Online Crash Analysis | oca.telemetry.microsoft.com
-
-
- 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
- 
-     For endpoints running Windows 10, version 1607 or earlier, [Windows diagnostic data must also be set to **Enhanced**](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus. 
-    
-    See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
 
 
 ## Add Update Compliance to Microsoft Operations Management Suite
@@ -81,20 +62,11 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer
 >[!NOTE]
 >You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
 
-## Deploy your Commercial ID to your Windows 10 devices
+## Enroll devices in Windows Analytics
 
-In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). 
-
-- Using Group Policy<BR><BR>
-    Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
-    1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
-    2. Double-click **Configure the Commercial ID**
-    3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
-
-- Using Microsoft Mobile Device Management (MDM)<BR><BR>
-    Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).  
+Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
 
 
-## Related topics
+## Use Update Compliance to monitor Windows Updates
 
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
\ No newline at end of file
+Once your devices are enrolled, you can starte to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 638cb4079e..a7ed74d098 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -54,7 +54,7 @@ These steps are illustrated in following diagram:
 ![Update Compliance architecture](images/uc-01-wdav.png)
 
 >[!NOTE]
->This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
 
 
 
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index fe2d443d21..f2ecc2a75b 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -5,8 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-author: DaniHalfin
-ms.author: daniha
+author: jaimeo
+ms.author: jaimeo
 ms.date: 10/13/2017
 ---
 
@@ -32,7 +32,7 @@ In Update Compliance, data is separated into vertically-sliced sections. Each se
 After Update Compliance has successfully been added from the solution gallery, you’ll see this tile:
 ![Empty Update Compliance Tile](images/uc-emptyworkspacetile.png)
 
-When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. If you haven’t read about assigning your Commercial ID to your devices, refer to [this topic](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
+When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
 
 ![Filled Update Compliance Tile](images/uc-filledworkspacetile.png)
 
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index 52a170184a..dc35477a1b 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -145,6 +145,7 @@ The Slow Windows Insider level is for users who prefer to see new builds of Wind
 * Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams.  
 * These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.  
 * These builds still might have issues that would be addressed in a future flight.
+* These builds are typically released once a month.
 
 ### Fast
 
@@ -154,6 +155,7 @@ Best for Windows Insiders who prefer being the first to get access to builds and
 * Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features might work on some devices but might fail in other device configurations. 
 * Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
 * Remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum.
+* These builds are typically released once a week.
 
 >[!NOTE]
 >Once your device is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your device will be auto-targeted for the next available flight for your selected ring. For the first build on any given device, this might take up to 24 hours to complete.
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
new file mode 100644
index 0000000000..1edb363d0b
--- /dev/null
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -0,0 +1,242 @@
+---
+title: Frequently asked questions and troubleshooting Windows Analytics
+description: Frequently asked questions about Windows Analytics and steps to take when things go wrong
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+ms.author: jaimeo
+ms.date: 03/20/2018
+---
+
+# Frequently asked questions and troubleshooting Windows Analytics
+
+This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions.
+
+## Troubleshooting common problems
+
+If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here.
+
+[Devices not showing up](#devices-not-showing-up)
+
+[Device Health crash data not appearing](#device-health-crash-data-not-appearing)
+
+[Upgrade Readiness reports outdated updates](#upgrade-readiness-reports-outdated-updates)
+
+[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
+
+[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices)
+
+[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices)
+
+[Disable Upgrade Readiness](#disable-upgrade-readiness)
+
+
+### Devices not showing up
+
+In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
+
+Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
+>[!NOTE]
+> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," please go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness. This is a known issue and we are working on a fix.
+ 
+If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues:
+
+1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included.
+2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md).
+3. Check that `isVerboseLogging` is set to `$true`.
+4. Run the script again. Log files will be saved to the directory specified in the script.
+5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully.
+6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information.
+
+If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally.
+
+If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
+
+
+### Device Health crash data not appearing
+
+#### Is WER disabled?
+If Windows Error Reporting (WER) is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
+
+Check these registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
+
+- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
+- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
+- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
+
+If you need further information on Windows Error Reporting (WER) settings, see WER Settings. 
+
+#### Endpoint connectivity
+
+Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
+
+If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
+ 
+Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). For suggested methods, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-servers).
+ 
+To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*: 
+
+```powershell
+
+$endPoints = @(
+        'watson.telemetry.microsoft.com'
+        'oca.telemetry.microsoft.com'
+        'v10.events.data.microsoft.com'
+    )
+
+$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+
+```
+
+If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+
+To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
+
+```powershell
+
+[scriptblock]$accessTest = {
+    $endPoints = @(
+        'watson.telemetry.microsoft.com'
+        'oca.telemetry.microsoft.com'
+        'v10.events.data.microsoft.com'
+    )
+
+    $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+}
+
+$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
+$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
+$accessTest.ToString() > $scriptFullPath
+$null > $outputFileFullPath
+$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`"" 
+$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
+$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
+Start-Sleep -Seconds 120
+Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
+Get-Content $outputFileFullPath
+
+```
+
+As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+
+### Upgrade Readiness shows many "Computers with outdated KB"
+If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
+
+[![Upgrade Readiness tile showing Computers with outdated KB datum in red box](images/outdated_outdated.png)](images/outdated_outdated.png)
+
+On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
+
+Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool.
+
+
+### Upgrade Readiness shows many "Computers with incomplete data"
+If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
+
+[![Upgrade Readiness tile showing Computers with incomplete data datum in red box](images/outdated_incomplete.png)](images/outdated_incomplete.png)
+
+Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results.
+See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.
+
+
+If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale.
+
+
+
+### Upgrade Readiness doesn't show app inventory data on some devices
+Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
+
+
+### Upgrade Readiness doesn't show IE site discovery data from some devices
+Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.)
+
+Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
+Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
+
+### Device Names don't show up on Windows 10 devices
+Starting with the build currently available in the Windows Insider Program, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
+
+### Disable Upgrade Readiness
+
+If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps:
+
+1.  Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
+
+  ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png)
+
+2.  Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
+
+  **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
+  **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
+
+3.	If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0".  The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
+4.	**Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". 
+
+
+## Other common questions
+
+### What are the requirements and costs for Windows Analytics solutions?
+| Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements |
+|----------------------|-----------------------------------|------------------------------|------------------------------|
+| Upgrade Readiness | No additional requirements  |  Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery |
+|  Update Compliance | No additional requirements | Windows 10 | Basic level |
+| Device Health  |  **Any** of the following licenses: <br>- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance<br>- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)<br>- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)<br>- Windows VDA E3 or E5 per-device or per-user subscription<br>- Windows Server 2016 or later    | Windows 10 | - For Windows 10 version 1709 or later: Enhanced (Limited)<br>- For earlier versions: Enhanced
+
+>[!NOTE]
+> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health.
+
+Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/).
+- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources.
+- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs.
+
+Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace.
+
+
+### How does Windows Analytics support privacy?
+
+Windows Analytics is fully committed to privacy, centering on these tenets:
+
+- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
+- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
+- **Security:** Your data is protected with strong security and encryption
+- **Trust:** Windows Analytics supports the Microsoft Online Service Terms
+
+The following illustration shows how diagnostic data flows from individual devices through the Diagnostic Data Service, Azure Log Analytics storage, and to your Log Analytics workspace:
+
+[![Diagram illustrating flow of diagnostic data from devices](images/WA-data-flow-v1.png)](images/WA-data-flow-v1.png)
+
+The data flow sequence is as follows:
+
+1.	Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US.
+2.	An IT administrator creates an Azure Log Analytics workspace. The administrator chooses the location, copies the Commercial ID (which identifies that workspace), and then pushes Commercial ID to devices they want to monitor. This is the mechanism that specifies which devices appear in which workspaces.
+3.	Each day Microsoft produces a "snapshot" of IT-focused insights for each workspace in the Diagnostic Data Management service.
+4.	These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centers) where they are segregated by Commercial ID.
+5.	The snapshots are then copied to the appropriate Azure Log Analytics workspace.
+6.	If the IT administrator is using the Upgrade Readiness solution, user input from the IT administrator (specifically, the target operating system release and the importance and upgrade readiness per app) is stored in the Windows Analytics Azure Storage. (Upgrade Readiness is the only Windows Analytics solution that takes such user input.)
+
+
+See these topics for additional background information about related privacy issues:
+
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file)
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)
+- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
+- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
+- [Learn about security and privacy at Microsoft datacenters](http://www.microsoft.com/datacenters)
+- [Confidence in the trusted cloud](https://azure.microsoft.com/en-us/support/trust-center/) 
+
+### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service?
+No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
+
+### Can I choose the data center location?
+Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
+
+### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade?
+System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”.
+ 
+Currently, you can choose the criteria you wish to use:
+- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector).
+- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet.
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
new file mode 100644
index 0000000000..d2655a4cb3
--- /dev/null
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -0,0 +1,157 @@
+---
+title: Enrolling devices in Windows Analytics (Windows 10)
+description: Enroll devices to enable use of Update Compliance, Upgrade Readiness, and Device Health in Windows Analytics.
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+ms.author: jaimeo
+ms.date: 03/08/2018
+---
+
+# Enrolling devices in Windows Analytics
+
+If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Microsoft Operations Management Suite.
+
+- [Get started with Device Health](device-health-get-started.md)
+- [Get started with Update Compliance](update-compliance-get-started.md)
+- [Get started with Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md)
+
+If you've already done that, you're ready to enroll your devices in Windows Analytics by following these steps:
+
+
+
+## Copy your Commercial ID key
+
+Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers. 
+
+
+
+1.  On the **Settings** dashboard, navigate to the **Windows Telemetry** panel under **Connected Sources** .
+
+    ![Operations Management Suite Settings dialog showing Connected sources and Windows telemetry selected and the commercial ID location marked by a black box in the lower right.](images/WA-device-enrollment.png)
+
+2. Copy your Commercial ID (which should already be populated). Save this Commercial ID because you will need it later for use in the deployment scripts and policies.
+
+    >**Important**<br> Regenerate a Commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
+
+
+## Enable data sharing
+
+To enable data sharing, configure your proxy sever to whitelist the following endpoints. You might need to get approval from your security group to do this.
+
+| **Endpoint**  | **Function**  |
+|---------------------------------------------------------|-----------|
+| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with the build of Windows 10 available in the Windows Insider Program|
+| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier |
+| `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 |
+| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. 
+| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
+| `https://oca.telemetry.microsoft.com`  | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
+
+
+
+
+### Configuring endpoint access with proxy servers
+If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches to ensure that the diagnostic data is not blocked by proxy authentication:
+
+- **Best option:** Configure your proxy servers to **not** require proxy authentication for any traffic to the diagnostic data endpoints. In particular, disable SSL inspection. Windows checks for a Microsoft SSL certificate on the site, and this will be stripped and replaced if the proxy performs inspection. This is the most comprehensive solution and it works for all versions of Windows 10.
+- **User proxy authentication:** Alternatively, you can configure devices on the user side. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices.
+- **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints. 
+
+
+## Deploy the compatibility update and related updates
+
+The compatibility update scans your devices and enables application usage tracking. If you don’t already have these updates installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+| **Operating System** | **Updates** |
+|----------------------|-----------------------------------------------------------------------------|
+| Windows 10        | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates. <P>Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](../upgrade/upgrade-readiness-requirements.md) for more information. |
+| Windows 8.1          | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2976978>|
+| Windows 7 SP1        | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2952664>|
+
+>[!IMPORTANT] 
+>Restart devices after you install the compatibility updates for the first time.
+
+>[!NOTE] 
+>We recommend you configure your update management tool to automatically install the latest version of these updates. There is a related optional update, [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513), which can provide updated configuration and definitions for older compatibiltiy updates. For more information about this optional update, see <https://support.microsoft.com/kb/3150513>.
+
+
+
+If you are planning to enable IE Site Discovery in Upgrade Readiness, you will need to install a few additional updates.
+
+| **Site discovery** | **Update** |
+|----------------------|-----------------------------------------------------------------------------|
+| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery)         | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this update, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.  |
+
+## Enroll a few pilot devices
+
+You can use the Upgrade Readiness deployment script to automate and verify your deployment. We always recommend manually running this script on a few representative devices to verify things are properly configured and the device can connect to the diagnostic data endpoints. Make sure to run the pilot version of the script, which will provide extra diagnostics.
+
+See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.
+
+After data is sent from devices to Microsoft, it generally takes 48-56 hours for the data to populate in Windows Analytics. The compatibility update takes several minutes to run. If the update does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Windows Analytics. For this reason, you can expect most of your devices to be populated in Windows Analytics in about 1-2 weeks after deploying the update and configuration to user computers. As described in the Windows Analytics blog post ["You can now check on the status of your computers within hours of running the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/), you can verify that devices have successfully connected to the service within a few hours. Most of those devices should start to show up in the Windows Analytics console within a few days.
+
+## Deploy additional optional settings
+
+Certain of the Windows Analytics features have additional settings you can use.
+
+- **Update Compliance** is only compatible with Windows 10 desktop devices (workstations and laptops). To use the Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a partner antivirus application), and must have enabled cloud-delivered protection, as described in [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help with ensuring that the configuration is correct.
+
+- For devices running Windows 10, version 1607 or earlier, Windows diagnostic data must also be set to Enhanced (see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level)) in order to be compatible with Windows Defender Antivirus. See the [Windows Defender Antivirus in Windows 10 and Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for more information about enabling, configuring, and validating Windows Defender AV.
+
+- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops) and Windows Server 2016. The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
+ 
+- **IE site discovery** is an optional feature of Upgrade Readiness that provides an inventory of websites that are accessed by client devices using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. To enable IE site discovery, make sure the required updates are installed (per previous section) and enable IE site discovery in the deployment script batch file.
+
+## Deploying Windows Analytics at scale
+
+When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining devices in your organization. 
+
+### Automate data collection
+
+To ensure that user computers are receiving the most up-to-date data from Microsoft, we recommend that you establish the following data sharing and analysis processes: 
+
+- Enable automatic updates for the compatibility update and related updates. These updates include the latest application and driver issue information as we discover it during testing.
+- Schedule the Upgrade Readiness deployment script to automatically run monthly. Scheduling the script ensures that full inventory is sent monthly even if devices were not connected or had low battery power at the time the system normally sends inventory. Make sure to run the production version of the script, which is lighter weight and non-interactive. The script also has a number of built-in error checks, so you can monitor the results. If you can't run the deployment script at scale, another option is to configure things centrally via Group Policy or Mobile Device Management (MDM). Although we recommend using the deployment script, both options are discussed in the sections below.
+
+When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the changes is created when the update package is installed. For Windows 10 devices, this task is already included in the operating system. A full scan averages about 2 MB, but the scans for changes are very small. The scheduled task is named "Windows Compatibility Appraiser" and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Changes are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on. 
+
+### Distribute the deployment script at scale
+
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [New version of the Upgrade Analytics Deployment Script available](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/) on the Upgrade Readiness blog. For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
+
+### Distributing policies at scale
+There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
+
+>[!NOTE]
+>You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary for using Device Health.
+
+These policies are under Microsoft\Windows\DataCollection:
+
+| Policy   | Value  |
+|-----------------------|------------------|
+| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organization’s Commercial ID. |
+| AllowTelemetry (in Windows 10) |	1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
+| LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) |	Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
+| AllowDeviceNameInTelemetry (in Windows 10) |	In the build currently available in the Windows Insider Program for Windows 10, a separate opt-in is required to enable devices to continue to send the device name. |
+| CommercialDataOptIn (in Windows 7 and Windows 8) |	1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
+
+
+You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/ProviderID/CommercialID). For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
+
+The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys: 
+
+- IEOptInLevel = 0 Internet Explorer data collection is disabled
+- IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones
+- IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones
+- IEOptInLevel = 3 Data collection is enabled for all sites
+
+For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)). 
+
+### Distribution at scale without using the deployment script
+
+We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
new file mode 100644
index 0000000000..72d23e920b
--- /dev/null
+++ b/windows/deployment/upgrade/log-files.md
@@ -0,0 +1,168 @@
+---
+title: Log files - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# Log files
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 400 level topic (advanced).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+
+Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. 
+
+Note: Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. 
+
+The following table describes some log files and how to use them for troubleshooting purposes:<br>
+
+<br>
+
+<table>
+<tr><td BGCOLOR="#a0e4fa"><B>Log file</td><td BGCOLOR="#a0e4fa"><B>Phase: Location</td><td BGCOLOR="#a0e4fa"><B>Description</td><td BGCOLOR="#a0e4fa"><B>When to use</td>
+<tr><td rowspan="5">setupact.log</td><td>Down-Level:<br>$Windows.~BT\Sources\Panther</td><td>Contains information about setup actions during the downlevel phase. </td>
+<td>All down-level failures and starting point for rollback investigations.<br> This is the most important log for diagnosing setup issues.</td>
+<tr><td>OOBE:<br>$Windows.~BT\Sources\Panther\UnattendGC</td>
+<td>Contains information about actions during the OOBE phase.</td><td>Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.</td>
+<tr><td>Rollback:<br>$Windows.~BT\Sources\Rollback<td>Contains information about actions during rollback.<td>Investigating generic rollbacks - 0xC1900101.</td>
+<tr><td>Pre-initialization (prior to downlevel):<br>Windows</td><td>Contains information about initializing setup.<td>If setup fails to launch.</td>
+<tr><td>Post-upgrade (after OOBE):<br>Windows\Panther<td>Contains information about setup actions during the installation.<td>Investigate post-upgrade related issues.</td>
+<tr><td>setuperr.log<td>Same as setupact.log<td>Contains information about setup errors during the installation.<td>Review all errors encountered during the installation phase.</td>
+<tr><td>miglog.xml<td>Post-upgrade (after OOBE):<br>Windows\Panther<td>Contains information about what was migrated during the installation.<td>Identify post upgrade data migration issues.</td>
+<tr><td>BlueBox.log<td>Down-Level:<br>Windows\Logs\Mosetup<td>Contains information communication between setup.exe and Windows Update.<td>Use during WSUS and WU down-level failures or for 0xC1900107.</td>
+<tr><td>Supplemental rollback logs:<br>
+Setupmem.dmp<br>
+setupapi.dev.log<br>
+Event logs (*.evtx)</td>
+<td>$Windows.~BT\Sources\Rollback<td>Additional logs collected during rollback.</td>
+<td>
+Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<br>
+Setupapi: Device install issues - 0x30018<br>
+Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.</td>
+</table>
+
+## Log entry structure
+
+A setupact.log or setuperr.log entry includes the following elements:
+
+<ol>
+<LI><B>The date and time</B> - 2016-09-08 09:20:05.
+<LI><B>The log level</B> - Info, Warning, Error, Fatal Error.
+<LI><B>The logging component</B> - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
+<UL>
+<LI>The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
+</UL>
+<LI><B>The message</B> - Operation completed successfully.
+</OL>
+
+See the following example:
+
+| Date/Time | Log level | Component | Message |
+|------|------------|------------|------------|
+|2016-09-08 09:23:50,|  Warning |         MIG  |   Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
+
+
+## Analyze log files
+
+>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes).
+
+<br>To analyze Windows Setup log files:
+
+<ol>
+<LI>Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
+<LI>Based on the [extend code](upgrade-error-codes.md#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
+<LI>Open the log file in a text editor, such as notepad.
+<LI>Using the [result code](upgrade-error-codes.md#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
+<LI>To find the last occurrence of the result code:
+  <OL type="a">
+  <LI>Scroll to the bottom of the file and click after the last character.
+  <LI>Click <B>Edit</B>.
+  <LI>Click <B>Find</B>.
+  <LI>Type the result code.
+  <LI>Under <B>Direction</B> select <b>Up</b>.
+  <LI>Click <b>Find Next</b>.
+  </OL>
+<LI> When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
+<LI> Search for the following important text strings:
+  <UL>
+  <LI><B>Shell application requested abort</B>
+  <LI><B>Abandoning apply due to error for object</B>
+  </UL>
+<LI> Decode Win32 errors that appear in this section.
+<LI> Write down the timestamp for the observed errors in this section.
+<LI> Search other log files for additional information matching these timestamps or errors.
+</OL>
+
+For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
+
+>Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
+
+<br><B>setuperr.log</B> content:
+
+<pre style="font-size: 10px; overflow-y: visible">
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
+27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
+27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
+</PRE>
+
+The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
+
+<pre style="font-size: 10px; overflow-y: visible">
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+</PRE>
+
+</B>The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
+
+Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**.  This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
+
+<br><B>setupact.log</B> content:
+
+<pre style="font-size: 10px; overflow-y: visible">
+27:00, Info                   Gather started at 10/5/2016 23:27:00
+27:00, Info [0x080489] MIG    Setting system object filter context (System)
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
+27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
+27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
+27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
+27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
+27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
+27:08, Info [0x080489] MIG    Setting system object filter context (System)
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
+27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
+27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
+27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
+27:08, Error                  Gather failed. Last error: 0x00000000
+27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
+27:08, Info                   Leaving MigGather method
+27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
+</pre>
+
+
+<br>This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is  C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. 
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<br>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
new file mode 100644
index 0000000000..d11f924e4d
--- /dev/null
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -0,0 +1,56 @@
+---
+title: Quick fixes - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# Quick fixes
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 100 level topic (basic).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+The following steps can resolve many Windows upgrade problems.
+
+<ol>
+<LI>Remove nonessential external hardware, such as docks and USB devices.</LI> 
+<LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
+<UL>
+<LI>chkdsk /F</LI>
+</UL>
+</LI>
+<LI>Attempt to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
+<UL>
+<LI>DISM.exe /Online /Cleanup-image /Restorehealth</LI>
+<LI>sfc /scannow</LI>
+</UL>
+</LI>
+<LI>Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update.</LI>
+<LI>Uninstall non-Microsoft antivirus software.
+  <UL> 
+  <LI>Use Windows Defender for protection during the upgrade. 
+  <LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
+  </UL>
+<LI>Uninstall all nonessential software.</LI>
+<LI>Update firmware and drivers.</LI>
+<LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
+<LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
+</OL>
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<br>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
new file mode 100644
index 0000000000..ae8d50adda
--- /dev/null
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -0,0 +1,684 @@
+---
+title: Resolution procedures - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# Resolution procedures
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 200 level topic (moderate).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+
+## 0xC1900101
+
+A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<br>
+
+- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, 
+- Event logs: $Windows.~bt\Sources\Rollback\*.evtx 
+- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
+
+The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).  To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process. 
+
+<br>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
+
+
+<table border="1" cellspacing="0" cellpadding="0">
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004</B>
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
+<br>This is generally caused by out-of-date drivers. 
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Uninstall antivirus applications.
+<br>Remove all unused SATA devices.
+<br>Remove all unused devices and drivers.
+<br>Update drivers and BIOS.
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c</B>
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
+<br>This is generally caused by out-of-date drivers. 
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+<br>Contact your hardware vendor to obtain updated device drivers.
+<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 
+</table>
+</td>
+</tr>
+
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
+<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
+<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. 
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+Ensure that all that drivers are updated.<br>
+Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
+<br>For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx).
+<br>Update or uninstall the problem drivers.
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018</B>
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+<br>Contact your hardware vendor to obtain updated device drivers.
+<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D</B>
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
+<br>This can occur due to a problem with a display driver.
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
+<br>Update or uninstall the display driver.
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D</B>
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
+<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.  
+
+<br>This can occur due to incompatible drivers.  
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+<br>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. 
+<br>Review the rollback log and determine the stop code.
+<br>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder.  An example analysis is shown below. This example is not representative of all cases:
+<br>Info SP     Crash 0x0000007E detected
+<br>Info SP       Module name           : 
+<br>Info SP       Bugcheck parameter 1  : 0xFFFFFFFFC0000005
+<br>Info SP       Bugcheck parameter 2  : 0xFFFFF8015BC0036A
+<br>Info SP       Bugcheck parameter 3  : 0xFFFFD000E5D23728
+<br>Info SP       Bugcheck parameter 4  : 0xFFFFD000E5D22F40
+<br>Info SP     Cannot recover the system.
+<br>Info SP     Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
+
+
+<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>
+
+1. Make sure you have enough disk space.<br>
+2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>
+3. Try changing video adapters.<br>
+4. Check with your hardware vendor for any BIOS updates.<br>
+5. Disable BIOS memory options such as caching or shadowing.
+</p>
+</table>
+</td>
+</tr>
+
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017</B>
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
+<br>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Clean boot into Windows, and then attempt the upgrade to Windows 10.<br>
+
+For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
+
+<br><br>Ensure you select the option to "Download and install updates (recommended)."
+</table>
+</td>
+</tr>
+
+</table>
+
+<h2 id="0x800xxxxx">0x800xxxxx</h2>
+
+<br>Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
+
+<br>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:<br>
+
+<br><table border="1" cellspacing="0" cellpadding="0">
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+80040005 - 0x20007
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+An unspecified error occurred with a driver during the SafeOS phase.
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution.
+
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+0x80073BC3 - 0x20009<br>
+0x8007002 - 0x20009<br>
+0x80073B92 - 0x20009
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition.
+
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+800704B8 - 0x3001A
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+An extended error has occurred during the first boot phase.
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
+
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007042B - 0x4000D
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. 
+<br>This issue can occur due to file system, application, or driver issues.
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+[Analyze log files](log-files.md#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
+
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007001F - 0x3000D
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation.  
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. 
+
+This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. 
+
+Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
+
+To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.  
+
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007001F - 0x4000D
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+General failure, a device attached to the system is not functioning.  
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+[Analyze log files](log-files.md#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
+
+</table>
+</td>
+</tr>
+
+<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+8007042B - 0x4001E
+
+</table>
+
+<br><table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+The installation failed during the second boot phase while attempting the PRE_OOBE operation.
+
+</table>
+</td>
+
+<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
+<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
+
+This error has more than one possible cause. Attempt [quick fixes](quick-fixes.md), and if not successful, [analyze log files](log-files.md#analyze-log-files) in order to determine the problem and solution.
+
+</table>
+</td>
+</tr>
+
+</table>
+
+
+## Other result codes
+
+<table>
+
+<tr>
+<td BGCOLOR="#a0e4fa"><B>Error code</th>
+<td BGCOLOR="#a0e4fa"><B>Cause</th>
+<td BGCOLOR="#a0e4fa"><B>Mitigation</th>
+</tr>
+
+<tr>
+<td>0xC1800118</td>
+<td>WSUS has downloaded content that it cannot use due to a missing decryption key.</td>
+<td>See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information.</td>
+</tr>
+
+<tr>
+<td>0xC1900200</td>
+<td>Setup.exe has detected that the machine does not meet the minimum system requirements.</td>
+<td>Ensure the system you are trying to upgrade meets the minimum system requirements. <br>See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications)  for information.</td>
+</tr>
+
+
+<tr>
+<td>0x80090011</td>
+<td>A device driver error occurred during user data migration.</td>
+<td>Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. 
+<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
+</tr>
+<tr>
+<td>0xC7700112</td>
+<td>Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.</td>
+<td>This issue is resolved in the latest version of Upgrade Assistant. 
+<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
+</tr>
+
+<tr>
+<td>0x80190001</td>
+<td>An unexpected error was encountered while attempting to download files required for upgrade.</td>
+<td>To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
+</td>
+</tr>
+<tr>
+<td>0x80246007</td>
+<td>The update was not downloaded successfully.</td>
+<td>Attempt other methods of upgrading the operating system.<br>
+Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10). 
+<br>Attempt to upgrade using .ISO or USB.<br>
+**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
+</td>
+</tr>
+<tr>
+<td>0xC1900201</td>
+<td>The system did not pass the minimum requirements to install the update.</td>
+<td>Contact the hardware vendor to get the latest updates.</td>
+</tr>
+<tr>
+<td>0x80240017</td>
+<td>The upgrade is unavailable for this edition of Windows.</td>
+<td>Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.</td>
+</tr>
+
+<tr>
+<td>0x80070020</td>
+<td>The existing process cannot access the file because it is being used by another process.</td>
+<td>Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).</td>
+</tr>
+<tr>
+<td>0x80070522</td>
+<td>The user doesn’t have required privilege or credentials to upgrade.</td>
+<td>Ensure that you have signed in as a local administrator or have local administrator privileges.</td>
+</tr>
+<tr>
+<td>0xC1900107</td>
+<td>A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
+</td>
+<td>Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).</td>
+</tr>
+<tr>
+<td>0xC1900209</td>
+<td>The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.</td>
+<td>Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information.
+
+<br>You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
+</td>
+</tr>
+
+
+<tr>
+<td>0x8007002 </td>
+<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
+<td>Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
+
+<br>The error 80072efe means that the connection with the server was terminated abnormally.
+
+<br>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
+</td>
+</tr>
+
+<tr>
+<td>0x80240FFF </td>
+<td>Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a>, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.</td>
+<td> You can prevent this by installing <a href="http://blogs.technet.com/b/wsus/archive/2015/12/04/important-update-for-wsus-4-0-kb-3095113.aspx">hotfix 3095113</a> before you enable update synchronization. However, if you have already run into this problem, do the following: 
+
+<ol>
+<li>Disable the Upgrades classification.</li>
+<li>Install hotfix 3095113.</li>
+<li>Delete previously synched updates.</li>
+<li>Enable the Upgrades classification.</li>
+<li>Perform a full synch.</li>
+</ol>
+<br>For detailed information on how to run these steps check out <a href="http://blogs.technet.com/b/wsus/archive/2016/01/30/quot-help-i-synched-upgrades-too-soon-quot.aspx">How to delete upgrades in WSUS</a>.</p>
+</td>
+</tr>
+
+<tr>
+<td>0x8007007E</td>
+<td>Occurs when update synchronization fails because you do not have <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a> installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.</td>
+<td> Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
+
+<ol>
+<li>Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
+<ol>
+<li>Open <b>Administrative Tools</b> from the Control Panel.</li>
+<li>Double-click <b>Services</b>.</li>
+<li>Find the <b>Windows Update</b> service, right-click it, and then click <b>Stop</b>. If prompted, enter your credentials.</li>
+</ol>
+</li>
+<li>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.</li>
+<li>Restart the Windows Update service.</li>
+</ol>
+</td>
+</tr>
+
+</table>
+
+## Other error codes
+
+<table>
+
+<tr><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</td></tr>
+<tr><td>0x80070003- 0x20007
+<td>This is a failure during SafeOS phase driver installation. 
+
+<td>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.
+</td></tr>
+<tr><td>0x8007025D - 0x2000C
+<td>This error occurs if the ISO file's metadata is corrupt.<td>"Re-download the ISO/Media and re-attempt the upgrade.
+
+Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
+
+</td></tr>
+<tr><td>0x80070490 - 0x20007<td>An incompatible device driver is present.
+
+<td>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.
+
+</td></tr>
+<tr><td>0xC1900101 - 0x2000c
+<td>An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
+<td>Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.
+<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.</td></tr>
+<tr><td>0xC1900200 - 0x20008
+
+<td>The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
+
+<td>See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
+
+<br>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</td></tr>
+<tr><td>0x80070004 - 0x3000D
+<td>This is a problem with data migration during the first boot phase. There are multiple possible causes.
+
+<td>[Analyze log files](log-files.md#analyze-log-files) to determine the issue.</td></tr>
+<tr><td>0xC1900101 - 0x4001E
+<td>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
+<td>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.</td></tr>
+<tr><td>0x80070005 - 0x4000D
+<td>The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
+<td>[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access denied.</td></tr>
+<tr><td>0x80070004 - 0x50012
+<td>Windows Setup failed to open a file. 
+<td>[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access problems.</td></tr>
+<tr><td>0xC190020e 
+<br>0x80070070 - 0x50011
+<br>0x80070070 - 0x50012
+<br>0x80070070 - 0x60000
+<td>These errors indicate the computer does not have enough free space available to install the upgrade.
+<td>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
+ 
+<br>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS.  Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
+</td></tr>
+
+</table>
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<br>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index d3d5edf9a2..347b42dee1 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 02/22/2018
+ms.date: 03/30/2018
 ms.localizationpriority: high
 ---
 
@@ -18,1073 +18,37 @@ ms.localizationpriority: high
 
 >**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see the following topic: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
 
-## In this topic
-
-This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. The following sections and procedures are provided in this guide:
-
-- [Troubleshooting upgrade errors](#troubleshooting-upgrade-errors): General advice and techniques for troubleshooting Windows 10 upgrade errors.<br>
-- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.<br>
-- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.<br>
-- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
-    - [Result codes](#result-codes): Information about result codes.
-    - [Extend codes](#extend-codes): Information about extend codes.
-- [Windows Error Reporting](#windows-error-reporting): How to use Event Viewer to review details about a Windows 10 upgrade.
-- [Log files](#log-files): A list and description of log files useful for troubleshooting.
-    - [Log entry structure](#log-entry-structure): The format of a log entry is described.
-    - [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
-- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
-    - [0xC1900101](#0xc1900101): Information about the 0xC1900101 result code.
-    - [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
-    - [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
-    - [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
-
-## Troubleshooting upgrade errors
-
-If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. 
-
-Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. 
-
-These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
-
-1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. 
-
-2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software.
-
-    Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues.
-
-    **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information.
-
-    If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware.
-
-    If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption.
-
-3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers.  Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
-
-4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade.
- 
-If the general troubleshooting techniques described above or the [quick fixes](#quick-fixes) detailed below do not resolve your issue, you can attempt to analyze [log files](#log-files) and interpret [upgrade error codes](#upgrade-error-codes). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue.
-
-## The Windows 10 upgrade process
-
-The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. 
-
-When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase.
-
-1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
-
-    ![downlevel phase](../images/downlevel.png)  
-
-2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
-
-    ![safeOS phase](../images/safeos.png) 
-
-3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
-
-    ![first boot phase](../images/firstboot.png) 
-
-4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
-
-    At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
-
-    ![second boot phase](../images/secondboot.png) 
-
-    ![second boot phase](../images/secondboot2.png) 
-
-    ![second boot phase](../images/secondboot3.png) 
-
-5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
-
-**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
-
-![Upgrade process](../images/upgrade-process.png)
-
-DU = Driver/device updates.<br>
-OOBE = Out of box experience.<br>
-WIM = Windows image (Microsoft)
-
-
-## Quick fixes
-
-The following steps can resolve many Windows upgrade problems.
-
-<ol>
-<LI>Remove nonessential external hardware, such as docks and USB devices.</LI> 
-<LI>Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
-<UL>
-<LI>chkdsk /F</LI>
-</UL>
-</LI>
-<LI>Attempt to restore and repair system files by typing the following commands at an elevated command prompt. It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
-<UL>
-<LI>DISM.exe /Online /Cleanup-image /Restorehealth</LI>
-<LI>sfc /scannow</LI>
-</UL>
-</LI>
-<LI>Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update.</LI>
-<LI>Uninstall non-Microsoft antivirus software.
-  <UL> 
-  <LI>Use Windows Defender for protection during the upgrade. 
-  <LI>Verify compatibility information and re-install antivirus applications after the upgrade.</LI></LI>
-  </UL>
-<LI>Uninstall all nonessential software.</LI>
-<LI>Update firmware and drivers.</LI>
-<LI>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</LI>
-<LI>Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
-</OL>
-
-
-## Upgrade error codes
-
-If the upgrade process is not successful, Windows Setup will return two codes:
-
-1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
-2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
-
->For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
-
-Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
-
->[!TIP]
->If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer.  For more information, see [Windows Error Reporting](#windows-error-reporting).
-
-### Result codes
-
->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <br>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
-
-Result codes can be matched to the type of error encountered. To match a result code to an error:
-
-1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
-        <br>**8** = Win32 error code (ex: 0x**8**0070070)
-        <br>**C** = NTSTATUS value (ex: 0x**C**1900107)
-2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error.
-3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links:
-    - [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx)
-    - [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx)
-
-Examples:
-- 0x80070070 
-    - Based on the "8" this is a Win32 error code 
-    - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) table
-    - The error is: **ERROR_DISK_FULL**
-- 0xC1900107 
-    - Based on the "C" this is an NTSTATUS error code
-    - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx) table 
-    - The error is: **STATUS_SOME_NOT_MAPPED**
-
-Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. 
-
-### Extend codes
-
->**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
-
-Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
-
-1. Use the first digit to identify the phase (ex: 0x4000D  = 4).
-2. Use the last two digits to identify the operation (ex: 0x4000D  = 0D).
-3. Match the phase and operation to values in the tables provided below.
-
-The following tables provide the corresponding phase and operation for values of an extend code:
-
-<br>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><b>Extend code: phase</b></td>
-<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 5.4pt 0in 5.4pt'><b>Phase</b>
-<tr><td style='padding:0in 4pt 0in 4pt'>0<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_UNKNOWN
-<tr><td style='padding:0in 4pt 0in 4pt'>1<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_DOWNLEVEL
-<tr><td style='padding:0in 4pt 0in 4pt'>2<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_SAFE_OS
-<tr><td style='padding:0in 4pt 0in 4pt'>3<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_FIRST_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'>4<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_OOBE_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'>5<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_UNINSTALL
-</table>
-
-
-<table border="0" style='border-collapse:collapse;border:none'>
-<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: operation</B></td>
-<tr><td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
-<table>
-<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 4pt 0in 4pt'><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_UNKNOWN
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_COPY_PAYLOAD
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DOWNLOAD_UPDATES
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_UPDATES
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>6<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REPLICATE_OC
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>7<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_DRVIERS
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>8<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_SAFE_OS
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>9<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_ROLLBACK
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>A<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_FIRST_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>B<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_OOBE_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>C<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_APPLY_IMAGE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>D<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_MIGRATE_DATA
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>E<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SET_PRODUCT_KEY
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>F<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_UNATTEND
-</table>
-</td>
-<td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
-<table>
-<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 4pt 0in 4pt'><b>Operation</b>
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>10<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_DRIVER
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>11<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ENABLE_FEATURE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>12<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DISABLE_FEATURE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>13<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>14<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>15<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_FILE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>16<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_REGISTRY
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>17<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>18<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SYSPREP
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>19<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_OOBE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1A<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_FIRST_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1B<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_FIRST_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1C<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_OOBE_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1D<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_OOBE_BOOT
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1E<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PRE_OOBE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1F<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_POST_OOBE
-<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>20<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
-</table>
-</td>
-</tr>
-</table>
-
-For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
-
-## Windows Error Reporting
-
-When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**.  You can use Event Viewer to review this event, or you can use Windows PowerShell.
-
-To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
-
-```
-$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
-$event = [xml]$events[0].ToXml()
-$event.Event.EventData.Data
-```
-
-To use Event Viewer: 
-1. Open Event Viewer and navigate to **Windows Logs\Application**.
-2. Click **Find**, and then search for **winsetupdiag02**.
-3. Double-click the event that is highlighted.
-
-Note: For legacy operating systems, the Event Name was WinSetupDiag01. 
-
-Ten parameters are listed in the event:
-<br>
-<table border="0">
-<tr><td>P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool)</td></tr>
-<tr><td>P2: Setup Mode (x=default,1=Downlevel,5=Rollback)</td></tr>
-<tr><td>P3: New OS Architecture (x=default,0=X86,9=AMD64)</td></tr>
-<tr><td>P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked)</td></tr>
-<tr><td><b>P5: Result Error Code</b>  (Ex: 0xc1900101)</td></tr>
-<tr><td><b>P6: Extend Error Code</b>  (Ex: 0x20017)</td></tr>
-<tr><td>P7: Source OS build (Ex: 9600)</td></tr>
-<tr><td>P8: Source OS branch (not typically available)</td></tr>
-<tr><td>P9: New OS build (Ex: 16299}</td></tr>
-<tr><td>P10: New OS branch (Ex: rs3_release}</td></tr>
-</table>
-
-The event will also contain links to log files that can be used to perform a detailed diagnosis of the error.  An example of this event from a successful upgrade is shown below.
-
-![Windows Error Reporting](../images/event.png)
-
-## Log files
-
-Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. 
-
-Note: Also see the [Windows Error Reporting](#windows-error-reporting) section in this document for help locating error codes and log files. 
-
-The following table describes some log files and how to use them for troubleshooting purposes:<br>
-
-<br>
-
-<table>
-<tr><td BGCOLOR="#a0e4fa"><B>Log file</td><td BGCOLOR="#a0e4fa"><B>Phase: Location</td><td BGCOLOR="#a0e4fa"><B>Description</td><td BGCOLOR="#a0e4fa"><B>When to use</td>
-<tr><td rowspan="5">setupact.log</td><td>Down-Level:<br>$Windows.~BT\Sources\Panther</td><td>Contains information about setup actions during the downlevel phase. </td>
-<td>All down-level failures and starting point for rollback investigations.<br> This is the most important log for diagnosing setup issues.</td>
-<tr><td>OOBE:<br>$Windows.~BT\Sources\Panther\UnattendGC</td>
-<td>Contains information about actions during the OOBE phase.</td><td>Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.</td>
-<tr><td>Rollback:<br>$Windows.~BT\Sources\Rollback<td>Contains information about actions during rollback.<td>Investigating generic rollbacks - 0xC1900101.</td>
-<tr><td>Pre-initialization (prior to downlevel):<br>Windows</td><td>Contains information about initializing setup.<td>If setup fails to launch.</td>
-<tr><td>Post-upgrade (after OOBE):<br>Windows\Panther<td>Contains information about setup actions during the installation.<td>Investigate post-upgrade related issues.</td>
-<tr><td>setuperr.log<td>Same as setupact.log<td>Contains information about setup errors during the installation.<td>Review all errors encountered during the installation phase.</td>
-<tr><td>miglog.xml<td>Post-upgrade (after OOBE):<br>Windows\Panther<td>Contains information about what was migrated during the installation.<td>Identify post upgrade data migration issues.</td>
-<tr><td>BlueBox.log<td>Down-Level:<br>Windows\Logs\Mosetup<td>Contains information communication between setup.exe and Windows Update.<td>Use during WSUS and WU down-level failures or for 0xC1900107.</td>
-<tr><td>Supplemental rollback logs:<br>
-Setupmem.dmp<br>
-setupapi.dev.log<br>
-Event logs (*.evtx)</td>
-<td>$Windows.~BT\Sources\Rollback<td>Additional logs collected during rollback.</td>
-<td>
-Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<br>
-Setupapi: Device install issues - 0x30018<br>
-Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.</td>
-</table>
-
-### Log entry structure
-
-A setupact.log or setuperr.log entry includes the following elements:
-
-<ol>
-<LI><B>The date and time</B> - 2016-09-08 09:20:05.
-<LI><B>The log level</B> - Info, Warning, Error, Fatal Error.
-<LI><B>The logging component</B> - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
-<UL>
-<LI>The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
-</UL>
-<LI><B>The message</B> - Operation completed successfully.
-</OL>
-
-See the following example:
-
-| Date/Time | Log level | Component | Message |
-|------|------------|------------|------------|
-|2016-09-08 09:23:50,|  Warning |         MIG  |   Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
-
-
-### Analyze log files
-
->The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes).
-
-<br>To analyze Windows Setup log files:
-
-<ol>
-<LI>Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
-<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
-<LI>Open the log file in a text editor, such as notepad.
-<LI>Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
-<LI>To find the last occurrence of the result code:
-  <OL type="a">
-  <LI>Scroll to the bottom of the file and click after the last character.
-  <LI>Click <B>Edit</B>.
-  <LI>Click <B>Find</B>.
-  <LI>Type the result code.
-  <LI>Under <B>Direction</B> select <b>Up</b>.
-  <LI>Click <b>Find Next</b>.
-  </OL>
-<LI> When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
-<LI> Search for the following important text strings:
-  <UL>
-  <LI><B>Shell application requested abort</B>
-  <LI><B>Abandoning apply due to error for object</B>
-  </UL>
-<LI> Decode Win32 errors that appear in this section.
-<LI> Write down the timestamp for the observed errors in this section.
-<LI> Search other log files for additional information matching these timestamps or errors.
-</OL>
-
-For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
-
->Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
-
-<br><B>setuperr.log</B> content:
-
-<pre style="font-size: 10px; overflow-y: visible">
-27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
-27:08, Error                  Gather failed. Last error: 0x00000000
-27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
-27:09, Error           SP     CMigrateFramework: Gather framework failed. Status: 44
-27:09, Error           SP     Operation failed: Migrate framework (Full). Error: 0x8007042B[gle=0x000000b7]
-27:09, Error           SP     Operation execution failed: 13. hr = 0x8007042B[gle=0x000000b7]
-27:09, Error           SP     CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7]
-</PRE>
-
-The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
-
-<pre style="font-size: 10px; overflow-y: visible">
-27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-</PRE>
-
-</B>The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
-
-Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**.  This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
-
-<br><B>setupact.log</B> content:
-
-<pre style="font-size: 10px; overflow-y: visible">
-27:00, Info                   Gather started at 10/5/2016 23:27:00
-27:00, Info [0x080489] MIG    Setting system object filter context (System)
-27:00, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
-27:00, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
-27:00, Info            SP     ExecuteProgress: Elapsed events:1 of 4, Percent: 12
-27:00, Info [0x0802c6] MIG    Processing GATHER for migration unit: <System>\UpgradeFramework (CMXEAgent)
-27:08, Error           SP     Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
-27:08, Error           MIG    Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
-27:08, Info            SP     ExecuteProgress: Elapsed events:2 of 4, Percent: 25
-27:08, Info            SP     ExecuteProgress: Elapsed events:3 of 4, Percent: 37
-27:08, Info [0x080489] MIG    Setting system object filter context (System)
-27:08, Info [0x0803e5] MIG    Not unmapping HKCU\Software\Classes; it is not mapped
-27:08, Info [0x0803e5] MIG    Not unmapping HKCU; it is not mapped
-27:08, Info            MIG    COutOfProcPluginFactory::FreeSurrogateHost: Shutdown in progress.
-27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened-
-27:08, Info            MIG    COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object.
-27:08, Error                  Gather failed. Last error: 0x00000000
-27:08, Info                   Gather ended at 10/5/2016 23:27:08 with result 44
-27:08, Info                   Leaving MigGather method
-27:08, Error           SP     SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C
-</pre>
-
-
-<br>This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is  C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. 
-
-## Resolution procedures
-
-### 0xC1900101
-
-A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:<br>
-
-- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, 
-- Event logs: $Windows.~bt\Sources\Rollback\*.evtx 
-- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
-
-The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).  To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process. 
-
-<br>See the following general troubleshooting procedures associated with a result code of 0xC1900101:
-
-
-<table border="1" cellspacing="0" cellpadding="0">
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20004</B>
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
-<br>This is generally caused by out-of-date drivers. 
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Uninstall antivirus applications.
-<br>Remove all unused SATA devices.
-<br>Remove all unused devices and drivers.
-<br>Update drivers and BIOS.
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x2000c</B>
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
-<br>This is generally caused by out-of-date drivers. 
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
-<br>Contact your hardware vendor to obtain updated device drivers.
-<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 
-</table>
-</td>
-</tr>
-
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x20017
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A driver has caused an illegal operation.
-<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.
-<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. 
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-Ensure that all that drivers are updated.<br>
-Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
-<br>For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx).
-<br>Update or uninstall the problem drivers.
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x30018</B>
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A device driver has stopped responding to setup.exe during the upgrade process.
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
-<br>Contact your hardware vendor to obtain updated device drivers.
-<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x3000D</B>
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
-<br>This can occur due to a problem with a display driver.
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
-<br>Update or uninstall the display driver.
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x4000D</B>
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>A rollback occurred due to a driver configuration issue.
-<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.  
-
-<br>This can occur due to incompatible drivers.  
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-<br>Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. 
-<br>Review the rollback log and determine the stop code.
-<br>The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder.  An example analysis is shown below. This example is not representative of all cases:
-<br>Info SP     Crash 0x0000007E detected
-<br>Info SP       Module name           : 
-<br>Info SP       Bugcheck parameter 1  : 0xFFFFFFFFC0000005
-<br>Info SP       Bugcheck parameter 2  : 0xFFFFF8015BC0036A
-<br>Info SP       Bugcheck parameter 3  : 0xFFFFD000E5D23728
-<br>Info SP       Bugcheck parameter 4  : 0xFFFFD000E5D22F40
-<br>Info SP     Cannot recover the system.
-<br>Info SP     Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
-
-
-<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>
-
-1. Make sure you have enough disk space.<br>
-2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>
-3. Try changing video adapters.<br>
-4. Check with your hardware vendor for any BIOS updates.<br>
-5. Disable BIOS memory options such as caching or shadowing.
-</p>
-</table>
-</td>
-</tr>
-
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>0xC1900101 - 0x40017</B>
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Windows 10 upgrade failed after the second reboot.
-<br>This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>Clean boot into Windows, and then attempt the upgrade to Windows 10.<br>
-
-For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
-
-<br><br>Ensure you select the option to "Download and install updates (recommended)."
-</table>
-</td>
-</tr>
-
-</table>
-
-<h3 id="0x800xxxxx">0x800xxxxx</h3>
-
-<br>Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
-
-<br>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:<br>
-
-<br><table border="1" cellspacing="0" cellpadding="0">
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-80040005 - 0x20007
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-An unspecified error occurred with a driver during the SafeOS phase.
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
-
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-0x80073BC3 - 0x20009<br>
-0x8007002 - 0x20009<br>
-0x80073B92 - 0x20009
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition.
-
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-800704B8 - 0x3001A
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-An extended error has occurred during the first boot phase.
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135).
-
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-8007042B - 0x4000D
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. 
-<br>This issue can occur due to file system, application, or driver issues.
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-[Analyze log files](#analyze-log-files) in order to determine the file, application, or driver that is not able to be migrated. Disconnect, update, remove, or replace the device or object.
-
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-8007001F - 0x3000D
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation.  
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-[Analyze log files](#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. 
-
-This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. 
-
-Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
-
-To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.  
-
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-8007001F - 0x4000D
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-General failure, a device attached to the system is not functioning.  
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-[Analyze log files](#analyze-log-files) in order to determine the device that is not functioning properly. Disconnect, update, or replace the device.
-
-</table>
-</td>
-</tr>
-
-<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-8007042B - 0x4001E
-
-</table>
-
-<br><table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-The installation failed during the second boot phase while attempting the PRE_OOBE operation.
-
-</table>
-</td>
-
-<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
-
-<table cellspacing="0" cellpadding="0">
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
-<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
-
-This error has more than one possible cause. Attempt [quick fixes](#quick-fixes), and if not successful, [analyze log files](#analyze-log-files) in order to determine the problem and solution.
-
-</table>
-</td>
-</tr>
-
-</table>
-
-
-### Other result codes
-
-<table>
-
-<tr>
-<td BGCOLOR="#a0e4fa"><B>Error code</th>
-<td BGCOLOR="#a0e4fa"><B>Cause</th>
-<td BGCOLOR="#a0e4fa"><B>Mitigation</th>
-</tr>
-
-<tr>
-<td>0xC1800118</td>
-<td>WSUS has downloaded content that it cannot use due to a missing decryption key.</td>
-<td>See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information.</td>
-</tr>
-
-<tr>
-<td>0xC1900200</td>
-<td>Setup.exe has detected that the machine does not meet the minimum system requirements.</td>
-<td>Ensure the system you are trying to upgrade meets the minimum system requirements. <br>See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications)  for information.</td>
-</tr>
-
-
-<tr>
-<td>0x80090011</td>
-<td>A device driver error occurred during user data migration.</td>
-<td>Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. 
-<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
-</tr>
-<tr>
-<td>0xC7700112</td>
-<td>Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk.</td>
-<td>This issue is resolved in the latest version of Upgrade Assistant. 
-<br>Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.</td>
-</tr>
-
-<tr>
-<td>0x80190001</td>
-<td>An unexpected error was encountered while attempting to download files required for upgrade.</td>
-<td>To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
-</td>
-</tr>
-<tr>
-<td>0x80246007</td>
-<td>The update was not downloaded successfully.</td>
-<td>Attempt other methods of upgrading the operating system.<br>
-Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10). 
-<br>Attempt to upgrade using .ISO or USB.<br>
-**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).
-</td>
-</tr>
-<tr>
-<td>0xC1900201</td>
-<td>The system did not pass the minimum requirements to install the update.</td>
-<td>Contact the hardware vendor to get the latest updates.</td>
-</tr>
-<tr>
-<td>0x80240017</td>
-<td>The upgrade is unavailable for this edition of Windows.</td>
-<td>Administrative policies enforced by your organization might be preventing the upgrade. Contact your IT administrator.</td>
-</tr>
-
-<tr>
-<td>0x80070020</td>
-<td>The existing process cannot access the file because it is being used by another process.</td>
-<td>Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).</td>
-</tr>
-<tr>
-<td>0x80070522</td>
-<td>The user doesn’t have required privilege or credentials to upgrade.</td>
-<td>Ensure that you have signed in as a local administrator or have local administrator privileges.</td>
-</tr>
-<tr>
-<td>0xC1900107</td>
-<td>A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.
-</td>
-<td>Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10).</td>
-</tr>
-<tr>
-<td>0xC1900209</td>
-<td>The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.</td>
-<td>Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information.
-
-<br>You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
-</td>
-</tr>
-
-
-<tr>
-<td>0x8007002 </td>
-<td>This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)</td>
-<td>Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
-
-<br>The error 80072efe means that the connection with the server was terminated abnormally.
-
-<br>To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
-</td>
-</tr>
-
-<tr>
-<td>0x80240FFF </td>
-<td>Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a>, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.</td>
-<td> You can prevent this by installing <a href="http://blogs.technet.com/b/wsus/archive/2015/12/04/important-update-for-wsus-4-0-kb-3095113.aspx">hotfix 3095113</a> before you enable update synchronization. However, if you have already run into this problem, do the following: 
-
-<ol>
-<li>Disable the Upgrades classification.</li>
-<li>Install hotfix 3095113.</li>
-<li>Delete previously synched updates.</li>
-<li>Enable the Upgrades classification.</li>
-<li>Perform a full synch.</li>
-</ol>
-<br>For detailed information on how to run these steps check out <a href="http://blogs.technet.com/b/wsus/archive/2016/01/30/quot-help-i-synched-upgrades-too-soon-quot.aspx">How to delete upgrades in WSUS</a>.</p>
-</td>
-</tr>
-
-<tr>
-<td>0x8007007E</td>
-<td>Occurs when update synchronization fails because you do not have <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a> installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.</td>
-<td> Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
-
-<ol>
-<li>Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
-<ol>
-<li>Open <b>Administrative Tools</b> from the Control Panel.</li>
-<li>Double-click <b>Services</b>.</li>
-<li>Find the <b>Windows Update</b> service, right-click it, and then click <b>Stop</b>. If prompted, enter your credentials.</li>
-</ol>
-</li>
-<li>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.</li>
-<li>Restart the Windows Update service.</li>
-</ol>
-</td>
-</tr>
-
-</table>
-
-### Other error codes
-
-<table>
-
-<tr><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</td></tr>
-<tr><td>0x80070003- 0x20007
-<td>This is a failure during SafeOS phase driver installation. 
-
-<td>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
-</td></tr>
-<tr><td>0x8007025D - 0x2000C
-<td>This error occurs if the ISO file's metadata is corrupt.<td>"Re-download the ISO/Media and re-attempt the upgrade.
-
-Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
-
-</td></tr>
-<tr><td>0x80070490 - 0x20007<td>An incompatible device driver is present.
-
-<td>[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
-
-</td></tr>
-<tr><td>0xC1900101 - 0x2000c
-<td>An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
-<td>Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
-<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.</td></tr>
-<tr><td>0xC1900200 - 0x20008
-
-<td>The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
-
-<td>See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
-
-<br>Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).</td></tr>
-<tr><td>0x80070004 - 0x3000D
-<td>This is a problem with data migration during the first boot phase. There are multiple possible causes.
-
-<td>[Analyze log files](#analyze-log-files) to determine the issue.</td></tr>
-<tr><td>0xC1900101 - 0x4001E
-<td>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
-<td>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.</td></tr>
-<tr><td>0x80070005 - 0x4000D
-<td>The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
-<td>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.</td></tr>
-<tr><td>0x80070004 - 0x50012
-<td>Windows Setup failed to open a file. 
-<td>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.</td></tr>
-<tr><td>0xC190020e 
-<br>0x80070070 - 0x50011
-<br>0x80070070 - 0x50012
-<br>0x80070070 - 0x60000
-<td>These errors indicate the computer does not have enough free space available to install the upgrade.
-<td>To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
- 
-<br>Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS.  Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
-</td></tr>
-
-</table>
-
-
-
+This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. 
+
+The topic was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
+
+The following four levels are assigned:
+
+Level 100: Basic <br>
+Level 200: Moderate <br>
+Level 300: Moderate advanced <br>
+Level 400: Advanced <br>
+
+## In this guide
+
+See the following topics:
+
+- [Quick fixes](quick-fixes.md): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.<br>
+- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure.
+- [Troubleshooting upgrade errors](troubleshoot-upgrade-errors.md): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.<br>
+- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade.
+- [Upgrade error codes](upgrade-error-codes.md): \Level 400\ The components of an error code are explained.
+    - [Result codes](upgrade-error-codes.md#result-codes): Information about result codes.
+    - [Extend codes](upgrade-error-codes.md#extend-codes): Information about extend codes.
+- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting.
+    - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described.
+    - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example.
+- [Resolution procedures](resolution-procedures.md): \Level 200\ Causes and mitigation procedures associated with specific error codes.
+    - [0xC1900101](resolution-procedures.md#0xc1900101): Information about the 0xC1900101 result code.
+    - [0x800xxxxx](resolution-procedures.md#0x800xxxxx): Information about result codes that start with 0x800.
+    - [Other result codes](resolution-procedures.md#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
+    - [Other error codes](resolution-procedures.md#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
 
 ## Related topics
 
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
new file mode 100644
index 0000000000..a460f3c8b5
--- /dev/null
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -0,0 +1,251 @@
+---
+title: SetupDiag
+description: How to use the SetupDiag tool to diagnose Windows Setup errors
+keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# SetupDiag
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 300 level topic (moderate advanced).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+[SetupDiag.exe](https://go.microsoft.com/fwlink/?linkid=870142) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
+
+SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
+
+See the [Release notes](#release-notes) section at the bottom of this topic for information about updates to this tool. 
+
+## Requirements
+
+1. The destination OS must be Windows 10.
+2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you are not sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](https://docs.microsoft.com/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions:
+
+    ```
+    reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
+    ```
+
+## Parameters
+
+| Parameter | Description |
+| --- | --- |
+| /? | <ul><li>Displays interactive help</ul> |
+| /Output:\<path to results file\> | <ul><li>This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine.  Only text format output is supported.  UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path.  If the path has a space in it, you must enclose the entire path in double quotes (see the example section below). <li>Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same  directory where SetupDiag.exe is run.</ul> |
+| /Mode:\<Offline \| Online\>  |  <ul><li>This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.<li>Offline: tells SetupDiag to run against a set of log files already captured from a failed system.  In this mode you can run anywhere you have access to the log files.  This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.<li>Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.<li>Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key.  Search paths are comma separated.  Note: A large number of search paths will extend the time required for SetupDiag to return results.<li>Default: If not specified, SetupDiag will run in Online mode.</ul> |
+| /LogsPath:\<Path to logs\> | <ul><li>This optional parameter is required only when **/Mode:Offline** is specified.  This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories.  SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.</ul> |
+| /ZipLogs:\<True \| False\> | <ul><li>This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed.  The zip file is created in the same directory where SetupDiag.exe is run.<li>Default: If not specified, a value of 'true' is used.</ul> |
+| /Verbose | <ul><li>This optional parameter will output much more data to the log file produced by SetupDiag.exe.  By default SetupDiag will only produce a log file entry for serious errors.  Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.</ul> |
+
+### Examples:
+
+In the following example, SetupDiag is run with default parameters (online mode, results file is SetupDiagResults.log in the same folder where SetupDiag is run).
+
+```
+SetupDiag.exe
+```
+
+In the following example, SetupDiag is specified to run in Online mode (this is the default).  It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified.
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Online
+```
+
+The following example uses the /Output parameter to save results to a path name that contains a space:
+
+```
+SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log"
+```
+
+The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**.
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:D:\Temp\Logs\LogSet1
+```
+
+## Log files
+
+[Windows Setup Log Files and Event Logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, you should run SetupDiag against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to your offline location:
+
+\\$Windows.~bt\sources\panther
+<br>\\$Windows.~bt\Sources\Rollback
+<br>\Windows\Panther
+<br>\Windows\Panther\NewOS
+
+If you copy the parent folder and all sub-folders, SetupDiag will automatically search for log files in all subdirectories.
+
+## Setup bug check analysis
+
+When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
+
+If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps.
+
+To debug a setup related bug check, you must:
+- Specify the **/Mode:Offline** and **/LogsPath** parameters. You cannot debug memory dumps in online mode. 
+- Gather the setup memory dump file (setupmem.dmp) from the failing system. 
+    - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs.
+- Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag.
+
+In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag:
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump
+```
+
+## Known issues
+
+1. Some rules can take a long time to process if the log files involved as large.
+2. SetupDiag only outputs data in a text format. If another format is desired, please provide this [feedback](#feedback).
+3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause.  In this case, try gathering the log files and running SetupDiag in offline mode.
+
+
+## Sample output
+
+The following is an example where SetupDiag is run in offline mode. In this example, it is found that disk space is not sufficient to complete Windows Setup:
+
+```
+C:\setupdiag>SetupDiag /Output:C:\setupdiag\results.log /Mode:Offline /LogsPath:C:\setupdiag\logfiles
+
+
+SetupDiag v1.00
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+
+Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait.
+        Found 1 setupact.logs.
+        Processing setupact.log 1 of 1
+Gathering information from setup logs.
+
+SetupDiag: processing rule: CompatScanOnly.
+...No match.
+
+
+SetupDiag: processing rule: BitLockerHardblock.
+...No match.
+
+
+SetupDiag: processing rule: VHDHardblock.
+...No match.
+
+
+SetupDiag: processing rule: PortableWorkspaceHardblock.
+...No match.
+
+
+SetupDiag: processing rule: AuditModeHardblock.
+...No match.
+
+
+SetupDiag: processing rule: SafeModeHardblock.
+...No match.
+
+
+SetupDiag: processing rule: InsufficientSystemPartitionDiskSpaceHardblock.
+...No match.
+
+
+SetupDiag: processing rule: HardblockApplication.
+...No match.
+
+
+SetupDiag: processing rule: HardblockDeviceOrDriver.
+...No match.
+
+
+SetupDiag: processing rule: HardblockMismatchedLanguage.
+..No match.
+
+
+SetupDiag: processing rule: HardblockFlightSigning.
+..No match.
+
+
+SetupDiag: processing rule: DiskSpaceBlockInDownLevel.
+...
+
+Matching Profile found: DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
+Warning: Found Disk Space Hard Block.
+Warning: You must free up at least 6603 MB of space on the System Drive, and try again.
+
+SetupDiag found 1 matching issue.
+SetupDiag results were logged to: c:\setupdiag\results.log
+Logs ZipFile created at: c:\setupdiag\Logs.zip
+
+```
+
+## Rules
+
+When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file which is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. See [Release notes](#release-notes) for more information.
+
+Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS.
+
+1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
+    - This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
+2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
+    - This is a block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled.
+3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
+    - This block happens when the host OS is booted to a VHD image.  Upgrade is not supported when the host OS is booted from a VHD image.
+4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
+    - This indicates that the host OS is booted from a Windows To-Go device (USB key).  Upgrade is not supported in the Windows To-Go environment.
+5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
+    - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state.  Upgrade is not supported from this state.
+6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
+    - This block indicates that the host OS is booted to Safe Mode, where upgrade is not supported.
+7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
+    - This block is encountered when setup determines the system partition (where the boot loader files are stored) does not have enough space to be serviced with the newer boot files required during the upgrade process.
+8. HardblockApplication - D6FBF046-5927-4FCD-B998-FE21CA7F6AC9
+    - This rule indicates the host OS had one or more hard blocked applications that need to be uninstalled prior to continuing.  This typically is only a problem when /Quiet is specified on the command line.
+9. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
+    - This indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade.
+10. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
+    - This rule indicates the host OS and the target OS language editions do not match.
+11. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
+    - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled.  This will block the pre-release signed build from booting if installed on the machine.
+12. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
+    - This failure indicates the system ran out of disk space during the down-level operations of upgrade.
+13. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191
+    - This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade.
+14. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6
+    - This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. 
+15. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6
+    - This offline only rule indicates a bug check occurred during setup.  If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details.
+16. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1
+    - This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump.  If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
+17. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C
+    - This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation.  If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
+18. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37
+    - This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine.
+19. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
+    - Finds fatal advanced installer operations that cause setup failures.
+20. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
+    - Determines if the given setup was a success or not based off the logs.
+21. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
+    - Gives information about failures surfaced early in the upgrade process by setuphost.exe
+22. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55
+    - Gives failure information surfaced by SetupPlatform, later in the down-level phase.
+23. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD
+    - Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly.
+24. FindSetupPlatformDownlevelFailure - 307A0133-F06B-4B75-AEA8-116C3B53C2D1
+    - Gives last operation and phase failure information when Setup indicates a down-level failure.
+25. FindSetupPlatformDownlevelFailedOperation - 087610ED-329A-4DE9-A54C-38A3A07B5B8B
+    - Gives last phase and error information when Setup indicates a down-level failure.
+26. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
+    - Gives last operation, failure phase and error information when a rollback occurs.
+
+
+## Release notes
+
+03/30/2018 - SetupDiag v1.00 released with 26 rules, as a standalone tool available from the Download Center.
+
+## Related topics
+
+[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 2118867a21..32eddd5c45 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 02/01/2018
+ms.date: 03/16/2018
 ms.localizationpriority: high
 ---
 
@@ -16,6 +16,10 @@ ms.localizationpriority: high
 **Applies to**
 -   Windows 10
 
+>[!NOTE]
+>This is a 100 level topic (basic).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
 ## In this topic
 
 This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub.
@@ -47,7 +51,7 @@ The Feedback Hub will open.
     - Are there any external devices connected? 
 - If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. 
 
-You can attach a screenshot or file if desired. This is optional.
+You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs).
 
 Click **Submit** to send your feedback.
 
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
new file mode 100644
index 0000000000..a7f5d26c91
--- /dev/null
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -0,0 +1,91 @@
+---
+title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# Troubleshooting upgrade errors
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 300 level topic (moderately advanced).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. 
+
+Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. 
+
+These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
+
+1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. 
+
+2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software.
+
+    Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues.
+
+    **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information.
+
+    If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware.
+
+    If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption.
+
+3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers.  Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
+
+4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade.
+ 
+If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue.
+
+## The Windows 10 upgrade process
+
+The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. 
+
+When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase.
+
+1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
+
+    ![downlevel phase](../images/downlevel.png)  
+
+2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
+
+    ![safeOS phase](../images/safeos.png) 
+
+3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
+
+    ![first boot phase](../images/firstboot.png) 
+
+4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
+
+    At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
+
+    ![second boot phase](../images/secondboot.png) 
+
+    ![second boot phase](../images/secondboot2.png) 
+
+    ![second boot phase](../images/secondboot3.png) 
+
+5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
+
+**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
+
+![Upgrade process](../images/upgrade-process.png)
+
+DU = Driver/device updates.<br>
+OOBE = Out of box experience.<br>
+WIM = Windows image (Microsoft)
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<br>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
index a837d861dc..e020be4aad 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
@@ -1,39 +1,3 @@
 ---
-title: Troubleshoot Upgrade Readiness (Windows 10)
-description: Provides troubleshooting information for Upgrade Readiness.
-ms.prod: w10
-author: greg-lindsay
-ms.date: 04/19/2017
----
-
-# Troubleshoot Upgrade Readiness
-
-If you’re having issues seeing data in Upgrade Readiness after running the Upgrade Readiness Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
-
-If you still don’t see data in Upgrade Readiness, follow these steps:
-
-1.  Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included .
-
-2.  Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).
-
-3.  Check that isVerboseLogging is set to $true.
-
-4.  Run the script again. Log files will be saved to the directory specified in the script.
-
-5.  Open a support case with Microsoft Support through your regular channel and provide this information.
-
-## Disable Upgrade Readiness
-
-If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps:
-
-1.  Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
-
-  ![Upgrade Readiness unsubscribe](../images/upgrade-analytics-unsubscribe.png)
-
-2.  Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
-
-  **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
-  **Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
-
-3.	If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0".  The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
-4.	You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.
+redirect_url: /windows/deployment/update/windows-analytics-FAQ-troubleshooting
+---
\ No newline at end of file
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
new file mode 100644
index 0000000000..cdd4fe37c9
--- /dev/null
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -0,0 +1,144 @@
+---
+title: Upgrade error codes - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# Upgrade error codes
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 400 level topic (advanced).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+
+If the upgrade process is not successful, Windows Setup will return two codes:
+
+1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
+2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
+
+>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
+
+Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
+
+>[!TIP]
+>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer.  For more information, see [Windows Error Reporting](windows-error-reporting.md).
+
+## Result codes
+
+>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <br>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
+
+Result codes can be matched to the type of error encountered. To match a result code to an error:
+
+1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
+        <br>**8** = Win32 error code (ex: 0x**8**0070070)
+        <br>**C** = NTSTATUS value (ex: 0x**C**1900107)
+2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error.
+3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links:
+    - [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx)
+    - [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx)
+
+Examples:
+- 0x80070070 
+    - Based on the "8" this is a Win32 error code 
+    - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) table
+    - The error is: **ERROR_DISK_FULL**
+- 0xC1900107 
+    - Based on the "C" this is an NTSTATUS error code
+    - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx) table 
+    - The error is: **STATUS_SOME_NOT_MAPPED**
+
+Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. 
+
+## Extend codes
+
+>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+
+Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
+
+1. Use the first digit to identify the phase (ex: 0x4000D  = 4).
+2. Use the last two digits to identify the operation (ex: 0x4000D  = 0D).
+3. Match the phase and operation to values in the tables provided below.
+
+The following tables provide the corresponding phase and operation for values of an extend code:
+
+<br>
+
+<table cellspacing="0" cellpadding="0">
+<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><b>Extend code: phase</b></td>
+<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 5.4pt 0in 5.4pt'><b>Phase</b>
+<tr><td style='padding:0in 4pt 0in 4pt'>0<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_UNKNOWN
+<tr><td style='padding:0in 4pt 0in 4pt'>1<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_DOWNLEVEL
+<tr><td style='padding:0in 4pt 0in 4pt'>2<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_SAFE_OS
+<tr><td style='padding:0in 4pt 0in 4pt'>3<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_FIRST_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'>4<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_OOBE_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'>5<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_UNINSTALL
+</table>
+
+
+<table border="0" style='border-collapse:collapse;border:none'>
+<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: operation</B></td>
+<tr><td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
+<table>
+<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 4pt 0in 4pt'><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>0<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_UNKNOWN
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_COPY_PAYLOAD
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>2<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DOWNLOAD_UPDATES
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>3<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_UPDATES
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>4<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>5<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>6<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REPLICATE_OC
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>7<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_INSTALL_DRVIERS
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>8<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_SAFE_OS
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>9<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_ROLLBACK
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>A<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_FIRST_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>B<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PREPARE_OOBE_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>C<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_APPLY_IMAGE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>D<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_MIGRATE_DATA
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>E<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SET_PRODUCT_KEY
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>F<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_UNATTEND
+</table>
+</td>
+<td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
+<table>
+<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 4pt 0in 4pt'><b>Operation</b>
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>10<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_DRIVER
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>11<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ENABLE_FEATURE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>12<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_DISABLE_FEATURE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>13<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>14<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>15<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_FILE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>16<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_CREATE_REGISTRY
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>17<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>18<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_SYSPREP
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>19<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_OOBE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1A<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_FIRST_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1B<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_FIRST_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1C<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_BEGIN_OOBE_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1D<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_END_OOBE_BOOT
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1E<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_PRE_OOBE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>1F<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_POST_OOBE
+<tr><td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>20<td style='padding:0in 4pt 0in 4pt'><span style='font-size:9.0pt'>SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
+</table>
+</td>
+</tr>
+</table>
+
+For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<br>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 858aed34fc..5594afcec8 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -20,36 +20,7 @@ The site discovery feature in Upgrade Readiness provides an inventory of web sit
 > [!NOTE] 
 > Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
 
-### Install prerequisite security update for Internet Explorer
-
-Ensure the following prerequisites are met before using site discovery:
-
-1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
-   - For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
-   - For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
-2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced** diagnostic data level for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
-
-    If you do not plan to use the Upgrade Readiness deployment script to enable Site discovery, you must create the following registry entry. 
-
-    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection 
-
-    Entry name: IEDataOptIn
-
-    Data type: DWORD
-
-    Values:
-
-    > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
-    >
-    > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
-    >
-    > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
-    >
-    > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-    For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). 
-
-    ![Create the IEDataOptIn registry key](../images/upgrade-analytics-create-iedataoptin.png)
+[In order to use site discovery, a separate opt-in is required; see Enrolling]
 
 ### Review most active sites
 
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 8691c8f111..8468224bf5 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
-ms.date: 09/20/2017
+ms.date: 03/20/2018
 ---
 
 # Get started with Upgrade Readiness
@@ -25,24 +25,19 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
 
 1. Review [data collection and privacy](#data-collection-and-privacy) information.
 2. [Add Upgrade Readiness to OMS](#add-upgrade-readiness-to-operations-management-suite).
-3. [Enable data sharing](#enable-data-sharing).
-4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment.
-5. [Deploy Upgrade Readiness at scale](#deploy-upgrade-readiness-at-scale).
+3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics).
+4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled.
 
 ## Data collection and privacy 
 
-To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
-
-- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
-- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information.
 
 ## Add Upgrade Readiness to Operations Management Suite
 
 Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
 
 >[!IMPORTANT]
->Upgrade Readiness is a free solution for Azure subsribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits.
+>Upgrade Readiness is a free solution for Azure subscribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. The Upgrade Readiness service will ingest a full snapshot of your data into your OMS workspace on a daily basis. Each snapshot includes all of your devices that have been active within the past 30 days regardless of your OMS retention period.
 
 If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
 
@@ -57,87 +52,12 @@ If you are not using OMS:
 
 5.  To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness.
 
-### Copy your commercial ID key
+## Enroll devices in Windows Analytics
 
-Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers.
+Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).
 
 
 
+## Use Upgrade Readiness to manage Windows Upgrades
 
-
-1.  On the **Settings** dashboard, navigate to the **Windows telemetry** panel.
-
-    ![Operations Management Suite dialog showing settings icon (a gear) in the title bar indicated by a red box.](../images/upgrade-analytics-settings.png)
-
-2. On the **Connected Sources** tab, navigate to the Windows telemetry panel.
-
-    >**Important**<br> Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
-
-
-
-## Enable data sharing
-
-To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
-
-| **Endpoint**  | **Function**  |
-|---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
-| `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. 
-| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
-
-Note: The compatibility update KB runs under the computer’s system account. 
-
-### Connection settings
-
-The settings that are used to enable client computers to connect to Windows diagnostic data depend on the type of connection scenario you use. These scenarios are discussed in [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) and are summarized below.
-
-| **Connection scenario** | **ClientProxy setting** <BR>in **runconfig.bat**  | **Local computer configuration** |
-|---------------------------------------------------------|-----------|-----------|
-| Direct connection to the Internet (no proxy) | **ClientProxy=Direct** | No additional configuration necessary |
-| WinHTTP proxy  | **ClientProxy=System**  | Specify `netsh winhttp set proxy <server>:<port>` on client computers |
-| Other proxy  |  **ClientProxy=User** | Configure the Windows Registry value: <p style="font-size: 12px"> **HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy** </p> to 0 on client computers |
-
-## Deploy the compatibility update and related KBs
-
-The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
-| **Operating System** | **KBs** |
-|----------------------|-----------------------------------------------------------------------------|
-| Windows 10        | The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com) <P>Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. |
-| Windows 8.1          | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513.   |
-| Windows 7 SP1        | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |
-
-IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
-
-If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
-
-| **Site discovery** | **KB** |
-|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-readiness-additional-insights.md#site-discovery)         | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.  |
-
-### Deploy the Upgrade Readiness deployment script
-
-You can use the Upgrade Readiness deployment script to automate and verify your deployment. 
-
-See [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
-
->After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Readiness. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Readiness. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
-
-## Deploy Upgrade Readiness at scale
-
-When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
-
-### Automate data collection
-
-To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
-
-- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
-- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. 
-- Schedule monthly user computer scans to view monthly active computer and usage information.
-
->When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on. 
-
-### Distribute the deployment script at scale
-
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
+Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 023c8405c5..252ed481b1 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -2,8 +2,8 @@
 title: Upgrade Readiness requirements (Windows 10)
 description: Provides requirements for Upgrade Readiness.
 ms.prod: w10
-author: greg-lindsay
-ms.date: 11/08/2017
+author: jaimeo
+ms.date: 03/15/2018
 ---
 
 # Upgrade Readiness requirements
@@ -16,7 +16,7 @@ This article introduces concepts and steps needed to get up and running with Upg
 
 To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
 
-The compatibility update KB that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
+The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
 
 <!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
 
@@ -29,7 +29,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
 ### Windows 10
 
 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
-The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed.  You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). 
+The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed.  You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). 
 
 Windows 10 LTSB is not supported by Upgrade Readiness. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness.  See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSB.
 
@@ -47,34 +47,7 @@ Important: You can use either a Microsoft Account or a Work or School account to
 
 Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
 
-## Diagnostic data and data sharing 
 
-After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
-
-See [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for more information about how Microsoft uses Windows diagnostic data.
-
-**Whitelist diagnostic data endpoints.** To enable diagnostic data to be sent to Microsoft, you’ll need to whitelist the following Microsoft endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
-
-`https://v10.vortex-win.data.microsoft.com/collect/v1`<BR>
-`https://vortex-win.data.microsoft.com/health/keepalive`<BR>
-`https://settings.data.microsoft.com/qos`<BR>
-`https://settings-win.data.microsoft.com/qos`<BR>
-`https://go.microsoft.com/fwlink/?LinkID=544713`<BR>
-`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`<BR>
-
->**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
-
-**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later.
-
-**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Readiness.
-
-**Enable diagnostic data and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable diagnostic data to establish communication.
-
-**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
->**Important**<br> The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated. 
-
-**Configure and deploy Upgrade Readiness deployment script.** Configure and deploy the Upgrade Readiness deployment script to user computers to finish setting up.
 
 ## Important information about this release
 
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index f1e9422095..d33af45a70 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -33,9 +33,9 @@ The following color-coded status changes are reflected on the upgrade overview b
     - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
     - If the current value is a deprecated OS version, the version is displayed in red.
 
-Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates.
 
-In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require a KB update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
+In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
 
 ![Upgrade overview](../images/ur-overview.png)
 
@@ -45,7 +45,7 @@ In the following example, there is no delay in data processing, more than 10% of
 
 If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours. 
 
-If there are computers with incomplete data, verify that you have installed the latest compatibilty update KBs. Install the updated KBs if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script.
+If there are computers with incomplete data, verify that you have installed the latest compatibilty updates. Install the updates if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script.
 
 Select **Total computers** for a list of computers and details about them, including:
 
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
new file mode 100644
index 0000000000..e8c3251320
--- /dev/null
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -0,0 +1,66 @@
+---
+title: Windows error reporting - Windows IT Pro
+description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 03/30/2018
+ms.localizationpriority: high
+---
+
+# Windows error reporting
+
+**Applies to**
+-   Windows 10
+
+>[!NOTE]
+>This is a 300 level topic (moderately advanced).<br>
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+
+When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**.  You can use Event Viewer to review this event, or you can use Windows PowerShell.
+
+To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
+
+```
+$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
+$event = [xml]$events[0].ToXml()
+$event.Event.EventData.Data
+```
+
+To use Event Viewer: 
+1. Open Event Viewer and navigate to **Windows Logs\Application**.
+2. Click **Find**, and then search for **winsetupdiag02**.
+3. Double-click the event that is highlighted.
+
+Note: For legacy operating systems, the Event Name was WinSetupDiag01. 
+
+Ten parameters are listed in the event:
+<br>
+<table border="0">
+<tr><td>P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool)</td></tr>
+<tr><td>P2: Setup Mode (x=default,1=Downlevel,5=Rollback)</td></tr>
+<tr><td>P3: New OS Architecture (x=default,0=X86,9=AMD64)</td></tr>
+<tr><td>P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked)</td></tr>
+<tr><td><b>P5: Result Error Code</b>  (Ex: 0xc1900101)</td></tr>
+<tr><td><b>P6: Extend Error Code</b>  (Ex: 0x20017)</td></tr>
+<tr><td>P7: Source OS build (Ex: 9600)</td></tr>
+<tr><td>P8: Source OS branch (not typically available)</td></tr>
+<tr><td>P9: New OS build (Ex: 16299}</td></tr>
+<tr><td>P10: New OS branch (Ex: rs3_release}</td></tr>
+</table>
+
+The event will also contain links to log files that can be used to perform a detailed diagnosis of the error.  An example of this event from a successful upgrade is shown below.
+
+![Windows Error Reporting](../images/event.png)
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
+<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+<br>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index bab7d12f57..51a8bd92fe 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 ms.sitesec: library
-ms.date: 01/10/2018
+ms.date: 03/16/2018
 author: greg-lindsay
 ---
 
@@ -36,7 +36,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
       Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
     </td>
     <td align="center" style="width:16%; border:1;"> 
-<a href="https://docs.microsoft.com/en-us/windows/deployment/windows-10-autopilot">Overview of Windows AutoPilot</a>
+<a href="https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot">Overview of Windows AutoPilot</a>
     </td>
   </tr>
   <tr>
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 73eff095ff..40d4c2db5e 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,13 +8,14 @@ author: greg-lindsay
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.date: 02/02/2018
+ms.date: 03/28/2018
 ---
 
 # Windows 10 and Windows 10 Mobile
 
 Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
 
+
 &nbsp;
 
 > [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
@@ -56,6 +57,9 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
   </tr>
 </table>
 
+>[!TIP]
+> Looking for information about older versions of Windows? Check out our other [Windows libraries](/previous-versions/windows/) on docs.microsoft.com. You can also search this site to find specific information, like this [Windows 8.1 content](https://docs.microsoft.com/search/index?search=Windows+8.1&dataSource=previousVersions).
+
 ## Get to know Windows as a Service (WaaS)
 
 ![Get to know Windows as a Service (WaaS)](images/w10-WaaS-poster.png)
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
new file mode 100644
index 0000000000..06913f7aef
--- /dev/null
+++ b/windows/privacy/TOC.md
@@ -0,0 +1 @@
+# [Index](index.md)
\ No newline at end of file
diff --git a/windows/privacy/breadcrumb/toc.yml b/windows/privacy/breadcrumb/toc.yml
new file mode 100644
index 0000000000..61d8fca61e
--- /dev/null
+++ b/windows/privacy/breadcrumb/toc.yml
@@ -0,0 +1,3 @@
+- name: Docs
+  tocHref: /
+  topicHref: /
\ No newline at end of file
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
new file mode 100644
index 0000000000..e1cbc9d653
--- /dev/null
+++ b/windows/privacy/docfx.json
@@ -0,0 +1,46 @@
+{
+  "build": {
+    "content": [
+      {
+        "files": [
+          "**/*.md",
+          "**/*.yml"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**",
+          "_themes/**",
+          "_themes.pdf/**",
+          "README.md",
+          "LICENSE",
+          "LICENSE-CODE",
+          "ThirdPartyNotices"
+        ]
+      }
+    ],
+    "resource": [
+      {
+        "files": [
+          "**/*.png",
+          "**/*.jpg"
+        ],
+        "exclude": [
+          "**/obj/**",
+          "**/includes/**",
+          "_themes/**",
+          "_themes.pdf/**"
+        ]
+      }
+    ],
+    "overwrite": [],
+    "externalReference": [],
+    "globalMetadata": {
+      "breadcrumb_path": "/windows/privacy/breadcrumb/toc.json",
+      "extendBreadcrumb": true
+    },
+    "fileMetadata": {},
+    "template": [],
+    "dest": "privacy",
+    "markdownEngineName": "markdig"
+  }
+}
\ No newline at end of file
diff --git a/windows/privacy/index.md b/windows/privacy/index.md
new file mode 100644
index 0000000000..f20ef925b9
--- /dev/null
+++ b/windows/privacy/index.md
@@ -0,0 +1 @@
+# Welcome to privacy!
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index ea5e2203dd..4d1ebc58cb 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -312,211 +312,218 @@ The following tables provide descriptions of the default groups that are located
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
-</tr>
+</tr>    
 <tr class="even">
+<td><p>[Enterprise Key Admins](#bkmk-enterprise-key-admins)</p></td>
+<td><p>Yes</p></td>
+<td><p></p></td>
+<td><p></p></td>
+<td><p></p></td>
+</tr>    
+<tr class="odd">
 <td><p>[Enterprise Read-only Domain Controllers](#bkmk-entrodc)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Event Log Readers](#bkmk-eventlogreaders)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Group Policy Creator Owners](#bkmk-gpcreatorsowners)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Guests](#bkmk-guests)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Hyper-V Administrators](#bkmk-hypervadministrators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[IIS_IUSRS](#bkmk-iis-iusrs)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Key Admins](#key-admins)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Network Configuration Operators](#bkmk-networkcfgoperators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Performance Log Users](#bkmk-perflogusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Performance Monitor Users](#bkmk-perfmonitorusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Print Operators](#bkmk-printoperators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Protected Users](#bkmk-protectedusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[RAS and IAS Servers](#bkmk-rasandias)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[RDS Endpoint Servers](#bkmk-rdsendpointservers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[RDS Management Servers](#bkmk-rdsmanagementservers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Read-only Domain Controllers](#bkmk-rodc)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Remote Desktop Users](#bkmk-remotedesktopusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Remote Management Users](#bkmk-remotemanagementusers)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Replicator](#bkmk-replicator)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Schema Admins](#bkmk-schemaadmins)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Server Operators](#bkmk-serveroperators)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Storage Replica Administrators](#storage-replica-administrators)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[System Managed Accounts Group](#system-managed-accounts-group)</p></td>
 <td><p>Yes</p></td>
 <td><p></p></td>
 <td><p></p></td>
 <td><p></p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Terminal Server License Servers](#bkmk-terminalserverlic)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[Users](#bkmk-users)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="even">
+<tr class="odd">
 <td><p>[Windows Authorization Access Group](#bkmk-winauthaccess)</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 <td><p>Yes</p></td>
 </tr>
-<tr class="odd">
+<tr class="even">
 <td><p>[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)</p></td>
 <td><p></p></td>
 <td><p>Yes</p></td>
@@ -1756,8 +1763,25 @@ This security group has not changed since Windows Server 2008.
 </tbody>
 </table>
 
- 
+### Enterprise Key Admins
 
+Members of this group can perform administrative actions on key objects within the forest.
+
+The Enterprise Key Admins group was introduced in Windows Server 2016.
+
+| Attribute | Value |
+|-----------|-------|
+| Well-Known SID/RID | S-1-5-21-&lt;domain&gt;-527 |
+| Type | Global |
+| Default container | CN=Users, DC=&lt;domain&gt;, DC= |
+| Default members | None |
+| Default member of | None |
+| Protected by ADMINSDHOLDER? | No |
+| Safe to move out of default container? | Yes |
+| Safe to delegate management of this group to non-Service admins? | No |
+| Default User Rights | None |
+
+ 
 ### <a href="" id="bkmk-entrodc"></a>Enterprise Read-Only Domain Controllers
 
 Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
@@ -2226,7 +2250,7 @@ The Key Admins group applies to versions of the Windows Server operating system
 
 | Attribute | Value |
 |-----------|-------|
-| Well-Known SID/RID | S-1-5-21-4195037842-338827918-94892514-526 |
+| Well-Known SID/RID | S-1-5-21-&lt;domain&gt;-526 |
 | Type | Global |
 | Default container | CN=Users, DC=&lt;domain&gt;, DC= |
 | Default members | None |
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
new file mode 100644
index 0000000000..b2d6b3e54b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -0,0 +1,290 @@
+---
+title: Multifactor Unlock
+description: Multifactor Unlock
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 03/20/2018
+---
+# Multifactor Unlock
+
+**Requirements:**
+* Windows Hello for Business deployment (Hybrid or On-premises)
+* Hybird Azure AD joined (Hybrid deployments)
+* Domain Joined (on-premises deployments) 
+* Windows 10, version 1709
+* Bluetooth, Bluetooth capable phone - optional
+
+Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
+
+Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. 
+
+Which organizations can take advanage of Multifactor unlock? Those who:
+* Have expressed that PINs alone do not meet their security needs.
+* Want to prevent Information Workers from sharing credentials.
+* Want their orgs to comply with regulatory two-factor authentication policy.
+* Want to retain the familiar Windows logon UX and not settle for a custom solution.
+ 
+You enable multifactor unlock using Group Policy.  The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
+
+## The Basics: How it works
+
+First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration.  Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider.  With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
+
+The policy setting has three components:
+* First unlock factor credential provider
+* Second unlock factor credential provider 
+* Signal rules for device unlock
+
+## Configuring Unlock Factors
+
+The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. 
+
+Supported credential providers include: 
+
+|Credential Provider| GUID|
+|:------------------|:----|
+|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|  
+|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
+|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
+|Trusted Signal<br>(Phone proximity, Network location) | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
+
+>[!NOTE]
+>Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table.
+
+The default credential providers for the **First unlock factor credential provider** include:
+* PIN
+* Fingerprint
+* Facial Recongition
+
+The default credential providers for the **Second unlock factor credential provider** include:
+* Trusted Signal
+* PIN
+
+Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order. 
+
+For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor.  However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor.  Each factor can therefore be used exactly once. The Trusted Signal provider can *only* be specified as part of the Second unlock factor credential provider list.  
+
+
+## Configure Signal Rules for the Trusted Signal Credential Provider
+
+The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
+
+### Rule element
+You represent signal rules in XML.  Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value.  The current supported scheam version is 1.0.<br>
+**Example**
+```
+<rule schemaVersion="1.0">
+</rule>
+```
+
+### Signal element
+Each rule element has a **signal** element.  All signal elements have a **type** element and value.  Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.<br>
+
+|Attribute|Value|
+|---------|-----|
+| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| 
+
+#### Bluetooth
+You define the bluetooth signal with additional attribute in the signal elment. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
+
+|Attribute|Value|Required|
+|---------|-----|--------|
+|type|"bluetooth"|yes|
+|scenario|"Authentication"|yes|
+|classOfDevice|"*number*"|no|
+|rssiMin|"*number*"|no|
+|rssiMaxDelta|"*number*"|no|
+
+Example:
+```
+<rule schemaVersion="1.0">
+    <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
+</rule>
+```
+The **classofDevice** attribute defaults Phones and uses the values from the following table 
+
+|Description|Value|
+|:-------------|:-------:|
+|Miscellaneous|0|
+|Computer|256|
+|Phone|512|
+|LAN/Network Access Point|768|
+|Audio/Video|1024|
+|Peripheral|1280|
+|Imaging|1536|
+|Wearable|1792|
+|Toy|2048|
+|Health|2304|
+|Uncategorized|7936|
+
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.  
+
+RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+
+>[!IMPORTANT]
+>Microsoft recommends using the default values for this policy settings.  Measurements are relative, based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.  Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values.
+
+#### IP Configuration
+You define IP configuration signals using one or more ipConfiguration elements.  Each element has a string value.  IpConfiguration elements do not have attributes or nested elements.
+
+##### IPv4Prefix
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string.  A **signal** element may only contain one **ipv4Prefix** element.<br>
+**Example**
+```
+<ipv4Prefix>192.168.100.0/24</ipv4Prefix>
+```
+The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
+
+##### IPv4Gateway
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4Gateway** element.<br>
+**Example**
+```
+<ipv4Gateway>192.168.100.10</ipv4Gateway>
+```
+##### IPv4DhcpServer
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4DhcpServer** element.<br>
+**Example**
+```
+<ipv4DhcpServer>192.168.100.10</ipv4DhcpServer>
+```
+##### IPv4DnsServer
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.<br>
+**Example:**
+```
+<ipv4DnsServer>192.168.100.10</ipv4DnsServer>
+```
+
+##### IPv6Prefix
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string.  A **signal** element may only contain one **ipv6Prefix** element.<br>
+**Example** 
+```
+<ipv6Prefix>21DA:D3::/48</ipv6Prefix>
+```
+
+##### IPv6Gateway
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6Gateway** element.<br>
+**Example** 
+```
+<ipv6Gateway>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6Gateway>
+```
+
+##### IPv6DhcpServer
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6DhcpServer** element.<br>
+**Example**
+```
+<ipv6DhcpServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DhcpServer
+```
+
+##### IPv6DnsServer
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.<br>
+**Example**
+```
+<ipv6DnsServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DnsServer>
+```
+##### dnsSuffix
+The fully qualified domain name of your organizations internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix.  The **signal** element may contain one or more **dnsSuffix** elements.<br>
+**Example**
+```
+<dnsSuffix>corp.contoso.com</dnsSuffix>
+```
+
+### Sample Trusted Signal Congfigurations
+
+These examples are wrapped for readability.  Once properly formatted, the entire XML contents must be a single line.
+
+#### Example 1
+This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
+```
+<rule schemaVersion="1.0"> 
+    <signal type="ipConfig"> 
+        <ipv4Prefix>10.10.10.0/24</ipv4Prefix>
+        <ipv4DnsServer>10.10.0.1</ipv4DnsServer>
+        <ipv4DnsServer>10.10.0.2</ipv4DnsServer>
+        <dnsSuffix>corp.contoso.com</dnsSuffix> 
+	</signal> 
+</rule>
+```
+
+
+#### Example 2
+This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones.  This configuration is wrapped for reading.  Once properly formatted, the entire XML contents must be a single line.  This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
+>[!NOTE] 
+>Separate each rule element using a comma.
+
+```
+<rule schemaVersion="1.0"> 
+	<signal type="ipConfig"> 
+	    <dnsSuffix>corp.contoso.com</dnsSuffix> 
+	</signal> 
+</rule>,
+<rule schemaVersion="1.0">
+	<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
+</rule>
+```
+#### Example 3
+This example configures the same as example 2 using compounding And elements.  This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
+```
+<rule schemaVersion="1.0">
+<and>
+  <signal type="ipConfig">
+   <dnsSuffix>corp.microsoft.com</dnsSuffix>
+  </signal> 
+  <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
+</and>
+</rule>
+```
+
+
+## Deploying Multifactor Unlock
+
+>[!IMPORTANT]
+>You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
+
+### How to configure Multifactor Unlock policy settings
+
+You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business  Group Policy settings, which includes muiltifactor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709.
+
+Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
+
+
+### Create the Multifactor Unlock Group Policy object
+
+The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
+
+>[!IMPORTANT]
+> * PIN **must** be in at least one of the groups
+> * Trusted signals **must** be combined with another credential provider
+> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**.
+4. Type *Multifactor Unlock* in the name box and click **OK**.
+5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.<br>
+![Group Policy Editor](images/multifactorUnlock/gpme.png)
+8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**.  The **Options** section populates the policy setting with default values.<br>
+![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
+9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
+10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
+11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+
+ ## Troubleshooting
+Mulitfactor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
+
+### Events
+
+|Event ID|Details|
+|:------:|:------|
+|3520|Unlock attempt initiated|
+|5520|Unlock policy not configured|
+|6520|Warning event|
+|7520|Error event|
+|8520|Success event|
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 227053e01a..10032d6303 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -6,10 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
-author: DaniHalfin
-ms.localizationpriority: high
-ms.author: daniha
-ms.date: 09/08/2017
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 03/26/2018
 ---
 # Prepare and Deploy Windows Server 2016 Active Directory Federation Services
 
@@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up
 
 Sign-in the federation server with _local admin_ equivalent credentials.
 1.	Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
-2.	Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658).
+2.	Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
 
 >[!IMPORTANT]
 >The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.
@@ -346,13 +346,6 @@ Sign-in the AD FS server with Domain Admin equivalent credentials.
     ```PowerShell
     Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
     ```
-
-
-The `Set-AdfsCertificateAuthority` cmdlet may show the following warning:
->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured.  These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
-
-This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates.  Windows 10, version 1703 clients check this configuration during prerequisite checks.  If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
-
 >[!NOTE]
 > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates.  It’s important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
index d2126063c5..99a39e91b2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -6,10 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
-author: DaniHalfin
-ms.localizationpriority: high
-ms.author: daniha
-ms.date: 07/27/2017
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 03/5/2018
 ---
 # Configure or Deploy Multifactor Authentication Services
 
@@ -523,7 +523,7 @@ Before you continue with the deployment, validate your deployment progress by re
 * Confirm you saved the changes to the web.config file.
 * Confirm you restarted the AD FS Service after completing the configuration.
 
-## Test AD FS with the Multifactor Authentication connector
+## Test Multifactor Authentication
 
 Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment.  The AD FS and Azure Multi-Factor Authentication server configurations are complete.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
index 5c6fcc07d2..b53fb11810 100644
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@@ -10,7 +10,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 12/04/2017
+ms.date: 3/5/2018
 ---
 # Windows Hello for Business Features
 
@@ -20,7 +20,6 @@ Consider these additional features you can use after your organization deploys W
 * [Dynamic lock](#dynamic-lock)
 * [PIN reset](#pin-reset)
 * [Privileged credentials](#privileged-credentials)
-* [Mulitfactor Unlock](#multifactor-unlock)
 
 
 ## Conditional access 
@@ -151,79 +150,6 @@ On-premises deployments provide users with the ability to reset forgotton PINs e
 
 The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device.
 
-By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices.  
+By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, Allow enumeration of emulated smart card for all users, you can configure a device to all this enumeration on selected devices.  
 
 With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads.
-
-## Multifactor Unlock
-
-**Requirements:**
-* Windows Hello for Business deployment (Hybrid or On-premises)
-* Hybird Azure AD joined (Hybrid deployments)
-* Domain Joined (on-premises deployments) 
-* Windows 10, version 1709
-* Bluetooth, Bluetooth capable smartphone - optional
-
-Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-
-Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. 
-
-Which organizations can take advanage of Multifactor unlock? Those who:
-* Have expressed that PINs alone do not meet their security needs.
-* Want to prevent Information Workers from sharing credentials.
-* Want their orgs to comply with regulatory two-factor authentication policy.
-* Want to retain the familiar Windows logon UX and not settle for a custom solution.
-
->[!IMPORTANT]
->Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
- 
-You enable multifactor unlock using Group Policy.  The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
-
-The policy setting has three components:
-* First unlock factor credential provider
-* Second unlock factor credential provider 
-* Signal rules for device unlock 
-
-### The Basics: How it works
-
-First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration.  Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider.  With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
-
-The credenital providers included in the default policy settings are:
-
-|Credential Provider| GUID|
-|:------------------|:----:|
-|PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|  
-|Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
-|Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
-|Trusted Signal | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
-
-The default credential providers for the **First unlock factor credential provider** include:
-* PIN
-* Fingerprint
-* Facial Recongition
-
-The default credential providers for the **Second unlock factor credential provider** include:
-* Trusted Signal
-* PIN
-
-The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. 
-
-The default signal rules for the policy setting include the proximity of any paired bluetooth smartphone.
-
-To successfully reach their desktop, the user must satisfy one credential provider from each category.  The order in which the user satisfies each credential provider does not matter.  Therefore, using the default policy setting a user can provide:
-* PIN and Fingerprint
-* PIN and Facial Recognition
-* Fingerprint and PIN
-* Facial Recognition and Trusted Signal (bluetooth paired smartphone)
-
->[!IMPORTANT]
-> * PIN **must** be in at least one of the groups
-> * Trusted signals **must** be combined with another credential provider
-> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can be used to satisfy either category, but not both.  
-
-
-
-
-
-
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 57a3df8925..0ed566fedc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 10/23/2017
+ms.date: 03/26/2018
 ---
 # Configure Device Registration for Hybrid Windows Hello for Business
 
@@ -88,7 +88,7 @@ Once you have your AD FS design ready, review [Deploying a Federation Server far
 > [!IMPORTANT]
 > During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures.      
 
-The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update.  If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
+The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).  If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
 
 #### ADFS Web Proxy ###
 Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
@@ -495,8 +495,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 
 ![Device Registration](images/hybridct/device8.png) 
  
-- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration
-- Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
+- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
   - read/write access to the specified AD connector account name on the new object 
 - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
 - object of type msDS-DeviceRegistrationService in the above container
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 6b742dba4b..ed3b027ada 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 11/08/2017
+ms.date: 03/26/2018
 ---
 # Hybrid Windows Hello for Business Prerequisites
 
@@ -80,12 +80,12 @@ Organizations using older directory synchronization technology, such as DirSync
 ## Federation ##
 Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises.  Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services.  All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
 
-The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update.  If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
+The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).  If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
 
 ### Section Review ###
 > [!div class="checklist"]
 > * Windows Server 2016 Active Directory Federation Services
-> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658)
+> * Minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889)
 
 <br>
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 5109222155..622367ea79 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 10/23/2017
+ms.date: 03/26/2018
 ---
 # Hybrid Windows Hello for Business Provisioning
 
@@ -48,12 +48,14 @@ The provisioning flow has all the information it needs to complete the Windows H
 The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key.  AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
 
 > [!IMPORTANT]
-> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. 
+> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
+
+> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. 
 > **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
 > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 
 > [!NOTE]
-> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.  
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning.  With this update, users no longer need to wait for Azure AD Connect to sync their  public key on-premises.  Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. 
   
 After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate.  Windows send the certificate request to the AD FS server for certificate enrollment.
   
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 4acb7d887b..732ecc5a7e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 localizationpriority: high
 author: mikestephens-MS
 ms.author: mstephen
-ms.date: 10/23/2017
+ms.date: 03/26/2018
 ---
 # Configure Windows Hello for Business: Active Directory Federation Services
 
@@ -36,11 +36,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
     ```
 
 
-The `Set-AdfsCertificateAuthority` cmdlet should show the following warning:
->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured.  These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
-
-This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates.  Windows 10, version 1703 clients check this configuration during prerequisite checks.  If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
-
 >[!NOTE]
 > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates.  It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 3ade5c7cd8..52ec97995f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 10/20/2017
+ms.date: 03/26/2018
 ---
 # Windows Hello for Business Key Trust New Installation
 
@@ -70,7 +70,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
     
 ## Configure a Production Public Key Infrastructure
 
-If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure.   Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+If you do not have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure.   Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
 
 > [!IMPORTANT]
 > For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index cd36884d2c..645efb6bee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,5 +1,5 @@
 ---
-title: Hybrid Key trust Windows Hello for Business Prerequistes (Windows Hello for Business)
+title: Hybrid Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
 description: Prerequisites for Hybrid Windows Hello for Business Deployments
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
 ms.prod: w10
@@ -99,7 +99,7 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
 > [!div class="checklist"]
 > * Azure MFA Service
 > * Windows Server 2016 AD FS and Azure (optional, if federated)
-> * Windows Server 2016 AD FS and third party MFA Adapter (optiona, if federated)
+> * Windows Server 2016 AD FS and third party MFA Adapter (optional, if federated)
 
 <br>
 
@@ -136,4 +136,4 @@ For federerated and non-federated environments, start with **Configure Windows H
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index b0e4a403a4..c8fbfbe290 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -10,7 +10,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 12/04/2017
+ms.date: 03/26/2018
 ---
 # Windows Hello for Business
 
@@ -43,12 +43,12 @@ The table shows the minimum requirements for each deployment.
 
 | Key trust</br>Group Policy managed | Certificate trust</br>Mixed managed | Key trust</br>Modern managed | Certificate trust</br>Modern managed | 
 | --- | --- | --- | --- |
-| Windows 10, version 1511 or later| Windows 10, version 1703 or later (domain joined)</br>Windows 10, version 1511 or later (cloud joined) | Windows 10, version 1511 or later | Windows 10, version 1511 or later |
+| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br>  *Minimum:* Windows 10, version 1703<br>  *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br>  Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
 | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
 | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
 | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | 
 | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
-| N/A | Windows Server 2016 AD FS with KB4022723 update (domain joined), and</br>Windows Server 2012 or later Network Device Enrollment Service (cloud joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
+| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) (hybrid Azure AD joined clients),<br> and</br>Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
 | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter |
 | Azure Account | Azure Account | Azure Account | Azure Account |
 | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
@@ -65,12 +65,15 @@ The table shows the minimum requirements for each deployment.
 | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
 | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
 | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
-| Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) |
+| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) |
 | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |
 | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
 
 ## Frequently Asked Questions
 
+### Can I deploy Windows Hello for Business using System Center Configuration Manager?
+Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deploymnet model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager wil no long be supported after November 2018.
+
 ### What is the password-less strategy?
 
 Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index da1578c94d..827025586d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 10/10/2017
+ms.date: 03/26/2018
 ---
 # Prepare and Deploy Windows Server 2016 Active Directory Federation Services
 
@@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up
 
 Sign-in the federation server with _local admin_ equivalent credentials.
 1.	Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
-2.	Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658).
+2.	Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
 
 >[!IMPORTANT]
 >The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 331d1f28df..61dc742a69 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -9,13 +9,12 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 10/20/2017
+ms.date: 03/26/2018
 ---
 # Planning a Windows Hello for Business Deployment
 
 **Applies to**
 -   Windows 10
--   Windows 10 Mobile
 
 > This guide only applies to Windows 10, version 1511 or higher.
 
@@ -70,7 +69,7 @@ It’s fundamentally important to understand which deployment model to use for a
 
 #### Trust types
 
-A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trusts types, key trust and certificate trust. 
+A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust. 
   
 The key trust type does not require issuing authentication certificates to end users.  Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
@@ -86,9 +85,9 @@ The in-box Windows Hello for Business provisioning experience creates a hardware
 
 #### Multifactor authentication
 
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that providers easy two-factor authentication.  The inbox provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication.  The inbox provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
 
-Cloud only and hybrid deployments provide many choices for multifactor authentication.  On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
+Cloud only and hybrid deployments provide many choices for multifactor authentication.  On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
 >[!NOTE]
 > Azure Multi-Factor Authentication is available through:
 >* Microsoft Enterprise Agreement
@@ -102,11 +101,11 @@ Cloud only and hybrid deployments provide many choices for multifactor authentic
 
 #### Directory synchronization
 
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Azure Active Directory Connect to synchronization Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components.
+Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components.
 
 ### Management
 
-Windows Hello for Business provides organizations with a rich set of granular policy setting with which they can use to manage their devices and users.  There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed.
+Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to manage their devices and users.  There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed.
 
 #### Group Policy
 
@@ -129,11 +128,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
 
 ### Public Key Infrastructure
 
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users.  Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
 
 ### Cloud
 
-Some deployment combinations require an Azure account and some require Azure Active Directory for user identities.  These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional.
+Some deployment combinations require an Azure account and some require Azure Active Directory for user identities.  These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
 
 ## Planning a Deployment
 
@@ -147,13 +146,13 @@ Choose the deployment model based on the resources your users access.  Use the f
 
 If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet.
 
-If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hyrbid** in box **1a** on your planning worksheet.
+If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet.
 
 If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
 >[!NOTE]
->If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from and elevated Windows PowerShell prompt and evaluate the results.  
->```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com -Properties keywords```
->* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS.  Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**.  If the object truly does not exists, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
+>If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.  
+>```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
+>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS.  Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**.  If the object truly does not exist, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
 >* If the command returns a value, compare that value with the values below.  The value indicates the deployment model you should implement
 >    * If the value begins with **azureADName:**  – write **Hybrid** in box **1a**on your planning worksheet.
  >   * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet.
@@ -176,7 +175,7 @@ A successful Windows Hello for Business requires all devices to register with th
 
 If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1c** on your planning worksheet.
+If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet.
 
 ### Key Registration
 
@@ -184,7 +183,7 @@ All users provisioning Windows Hello for Business have their public key register
 
 If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1d** on your planning worksheet.
+If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet.
 
 ### Directory Synchronization
 
@@ -235,7 +234,7 @@ If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box
 
 Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and non-domain joined.  All devices are registered, however, not all devices are domain joined.  You have the option of using Group Policy for domain joined devices and modern management for non-domain joined devices. Or, you can use modern management for both domain and non-domain joined devices.  
 
-If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet, Write **modern management** in box **2b** if you decide to manage non-domain joined devices; otherwise, write **N/A**.  
+If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet. Write **modern management** in box **2b** if you decide to manage non-domain joined devices; otherwise, write **N/A**.  
 
 If you use modern management for both domain and non-domain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
 
@@ -261,7 +260,7 @@ Write **1703 or later** in box **3a** on your planning worksheet if any of the f
 
 ### Active Directory
 
-The Active Directory portion of the planning guide should be complete.  Most of conditions are baseline prerequisites except for your domain controllers.  The domain controllers used in your deployment are decided by the chosen trust type. 
+The Active Directory portion of the planning guide should be complete.  Most of the conditions are baseline prerequisites except for your domain controllers.  The domain controllers used in your deployment are decided by the chosen trust type. 
 
 Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
 
@@ -306,7 +305,7 @@ Nearly all deployments of Windows Hello for Business require an Azure account.
 
 If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
 
-If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **1f** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
+If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
 
 Windows Hello for Business does not require an Azure AD premium subscription.  However, some dependencies do.
 
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png
new file mode 100644
index 0000000000..47823d76a8
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png
new file mode 100644
index 0000000000..fd7afd80cb
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png differ
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
index 81267549c1..ae838d1fcc 100644
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@@ -22,7 +22,7 @@
 #### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
 
 ### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-#### [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
+#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
 #### [New Installation Baseline](hello-hybrid-cert-new-install.md)
 #### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
 #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
@@ -43,4 +43,5 @@
 ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
 #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
 
-## [Windows Hello for Business Features](hello-features.md)
\ No newline at end of file
+## [Windows Hello for Business Features](hello-features.md)
+### [Multifactor Unlock](feature-multifactor-unlock.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index 7ce6c1be29..04fceb336d 100644
--- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,5 +1,5 @@
 ---
-title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10)
+title: Open the Group Policy Management Console to Windows Defender Firewall (Windows 10)
 description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
 ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
 ms.prod: w10
@@ -7,10 +7,10 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 08/17/2017
+ms.date: 04/02/2017
 ---
 
-# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
+# Open the Group Policy Management Console to Windows Defender Firewall
 
 **Applies to**
 -   Windows 10
@@ -18,10 +18,8 @@ ms.date: 08/17/2017
 
 To open a GPO to Windows Defender Firewall:
 
-1.  Open the Active Directory Users and Computers console.
+1.  Open the Group Policy Management console.
 
-2.  In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**.
+2.  In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
 
-3.  Click the **Group Policy** tab, select your GPO, and then click **Edit**.
-
-4.  In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.
\ No newline at end of file
+3.  In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index ca2703df29..e692472aa5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -94,7 +94,7 @@ For many years, Microsoft has recommended using pre-boot authentication to prote
 
 Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
 
-BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later Modern Standby devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-Modern Standby Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
+BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
 Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
 
 You can mitigate the risk of booting to a malicious operating system:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 9e780394d7..6505ce3f4a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -24,15 +24,6 @@ This article assumes that you understand how to set up AD DS to back up BitLock
 
 This article does not detail how to configure AD DS to store the BitLocker recovery information.
 
-This article contains the following topics:
-
--   [What Is BitLocker Recovery?](#bkmk-whatisrecovery)
--   [Testing Recovery](#bkmk-testingrecovery)
--   [Planning Your Recovery Process](#bkmk-planningrecovery)
--   [Using Additional Recovery Information](#bkmk-usingaddrecovery)
--   [Resetting Recovery Passwords](#bkmk-appendixb)
--   [Retrieving the BitLocker Key Package](#bkmk-appendixc)
-
 ## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?
 
 BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive:
@@ -109,7 +100,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
 2.  At the command prompt, type the following command and then press ENTER:
     `manage-bde. -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
 
-> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user.
+> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
  
 ## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process
 
diff --git a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
index 1cdb8061a7..0d9c04fc68 100644
--- a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -146,7 +146,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
 
 1.  If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
 
-2.  If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
+2.  If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
 
     ` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs`
 
diff --git a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
index c3cefa3e19..b97a44ed0e 100644
--- a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
+++ b/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
@@ -45,7 +45,9 @@ There are three primary steps to keep in mind:
 The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. 
 Currently the AppLocker policy creation UI and cmdlets do not allow for directly specifying rules for the Managed Installer rule collection, however a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller". 
 
-An example of a valid Managed Installer rule collection is shown below. 
+An example of a valid Managed Installer rule collection is shown below.
+For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application whitelisting with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/).
+
 
 ```code
 <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
diff --git a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
index 891d33a3be..909c8b6e52 100644
--- a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
+++ b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
@@ -105,13 +105,13 @@ Table 3. Windows Defender Application Control policy - file rule levels
 | **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
 | **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
 
-> **Note**&nbsp;&nbsp;When you create WDAC policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
+> **Note**&nbsp;&nbsp;When you create WDAC policies with the [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
 
 ## Example of file rule levels in use
 
 For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
 
-To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
+To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
 
 As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the WDAC policy so that the hash in the policy matches the hash of the updated internal application.
 
diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
index be8ccb2590..64881457e7 100644
--- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -797,7 +797,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
 
     ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
 
-2.  Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a new WDAC policy by scanning the system for installed applications:
+2.  Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications:
 
     ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
 
@@ -887,7 +887,7 @@ Use the following procedure after you have been running a computer with a WDAC p
 
     ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
 
-3.  Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
+3.  Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
 
     ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
 
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 1adc579110..504909f266 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -29,7 +29,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
 
 If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
 
-It is advisable to set **Account lockout duration** to approximately 30 minutes. To specify that the account will never be locked out, set the value to 0. To configure the value for this policy setting so that it never automatically unlocks the account might seem like a good idea; however, doing so can increase the number of requests that your organization’s Help Desk receives to unlock accounts that were locked by mistake.
+It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the Account lockout threshold value to 0. 
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 1b64be5e1d..09d483458c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -84,7 +84,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.
 
 ### Potential impact
 
-None. This is the default configuration.
+Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate. 
 
 ## Related topics
 
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 5577c3b083..7057705ad8 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -59,15 +59,17 @@ None. Changes to this policy become effective without a computer restart when th
 
 ## Security considerations
 
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of implementation.
 
 ### Vulnerability
 
-The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
+The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access. 
 
-### Countermeasure
+### Considerations
 
-Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements.
+Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/en-us/research/publication/password-guidance/) for further information.
+
+Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements.
 
 ### Potential impact
 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 991d95bf12..5ed68d6744 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -29,7 +29,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
 |Policy name|Supported versions|Description|
 |-----------|------------------|-----------|
 |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
-|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may use "." as a wildcard character to automatically trust subdomains. Configuring '.constoso.com' will automatically trust 'subdomain1.contoso.com', 'subdomain2.contoso.com etc. |
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
 |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
 
 ### Application-specific settings
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 1da2319b09..0ced4ceb82 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -40,6 +40,70 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
 
 For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
 
+
+### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+    a.  Select **Endpoint management** > **Clients** on the **Navigation pane**.
+
+    b.  Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+
+      ![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
+
+3. Login to the [Microsoft Azure portal](https://portal.azure.com).
+
+4. From the Intune blade, choose **Device configuration**.
+
+  ![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png)
+
+5. Under **Manage**, choose **Profiles** and click **Create Profile**.
+
+  ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png)
+
+6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
+
+  ![Image of naming a policy](images/atp-intune-custom.png)
+
+7. Click **Settings** > **Configure**.
+
+  ![Image of settings](images/atp-intune-configure.png)
+
+8. Under Custom OMA-URI Settings, click **Add**.
+
+  ![Image of configuration settings](images/atp-custom-oma-uri.png)
+
+9. Enter the following values, then click **OK**.
+
+  ![Image of profile creation](images/atp-oma-uri-values.png)
+
+  - **Name**: Type a name for the setting.
+  - **Description**: Type a description for the setting.
+  - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
+  - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
+
+10. Save the settings by clicking **OK**.
+  
+11. Click **Create**.
+
+  ![Image of the policy being created](images/atp-intune-create-policy.png)
+
+12. To deploy the Profile, click **Assignments**. 
+
+  ![Image of groups](images/atp-intune-assignments.png)
+
+13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
+
+  ![Image of groups](images/atp-intune-group.png)
+
+14. Click **Save** to finish deploying the Configuration Profile.
+
+  ![Image of deployment](images/atp-intune-save-deployment.png)
+
+
+
 ### Onboard and monitor endpoints using the classic Intune console
 
 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@@ -119,6 +183,7 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
 
 
 
+
 ### Offboard and monitor endpoints
 
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index c44eb648d5..05d249bdc3 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 03/27/2018
 ---
 
 # Create custom alerts using the threat intelligence (TI) application program interface (API)
@@ -184,6 +184,21 @@ Content-Type: application/json;
 ```
 If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload.
 
+The API currently supports the following IOC types:
+
+- Sha1
+- Sha256
+- Md5
+- FileName
+- IpAddress
+- DomainName 
+
+And the following operators:
+
+- Equals
+- StartWith
+- EndWith
+- Contains
 
 ## Bulk upload of alert definitions and IOCs
 Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`. </br>
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png b/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png
new file mode 100644
index 0000000000..8fc27a91ef
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png b/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png
new file mode 100644
index 0000000000..3495a90989
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png b/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png
new file mode 100644
index 0000000000..5f7bdc83b7
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png b/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png
new file mode 100644
index 0000000000..54e4e01b78
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png
new file mode 100644
index 0000000000..d36fb7296c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
index 953e4af373..881c69c22c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png
new file mode 100644
index 0000000000..eb02b6627a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png
new file mode 100644
index 0000000000..3b20c9a97d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 3027bbe7f9..368f43a52c 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 11/17/2017
+ms.date: 03/21/2018
 ---
 
 # Minimum requirements for Windows Defender ATP
@@ -68,7 +68,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
 #### Internet connectivity
 Internet connectivity on endpoints is required either directly or through proxy.
 
-The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth  to communicate with the Windows Defender ATP cloud service and report cyber data.
+The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
 
 For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
 
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 9f71bafa2b..36517f85e2 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 localizationpriority: high
-ms.date: 10/23/2017
+ms.date: 03/16/2018
 ---
 # Create and build Power BI reports using Windows Defender ATP data
 
@@ -32,33 +32,94 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
 Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization. 
 
 You can easily get started by:
-- Creating a dashboard on the Power BI service 
+- Creating a dashboard on the Power BI service:
+  - From the Windows Defender ATP portal or 
+  - From the Power BI portal
 - Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization 
 
 You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported. 
 
-## Create a Windows Defender ATP dashboard on Power BI service
+## Create a Power BI dashboard from the Windows Defender ATP portal
 Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. 
 
 1. In the navigation pane, select **Preferences setup** > **Power BI reports**.
-
-2.	Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization.
-
+    
     ![Preferences setup with create dashboard button](images/atp-create-dashboard.png)
 
+2.	Click **Create dashboard**. You'll see a notification that things are being loaded. 
+
+    ![Image of loading](images/atp-loading.png)
+
+
+3. Specify the following details:
+    - **extensionDataSourceKind**: WDATPConnector
+    - **extensionDataSourcePath**: WDATPConnector
+    - **Authentication method**: OAuth2
+
+    ![Image of Power BI authentication method](images/atp-powerbi-extension.png)
+
+4. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
+
+      ![Consent image](images/atp-powerbi-accept.png)
+
+5.	Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
+
+    ![Image of importing data](images/atp-powerbi-importing.png)
+    
     >[!NOTE]
-    >Loading your data in the Power BI service can take a few minutes.
+    >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load. 
 
-3. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+    When importing data is completed and the dataset is ready, you’ll the following notification:
 
-      ![Consent image](images/atp-powerbi-consent.png)
+    ![Image of dataset is ready](images/atp-data-ready.png)
 
-4.	Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. 
+6. Click **View dataset** to explore your data.
 
-When the dashboard is ready, you’ll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard.
 
 For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
 
+
+## Create a Power BI dashboard from the Power BI portal
+
+1. Login to [Power BI](https://powerbi.microsoft.com/).
+
+2. Click **Get Data**.
+
+3. Select **Microsoft AppSource** > **My Organization** > **Get**.
+
+    ![Image of Microsoft AppSource to get data](images/atp-get-data.png)
+
+4. In the AppSource window, select **Apps** and search for Windows Defender Advanced Threat Protection.
+
+    ![Image of AppSource to get Windows Defender ATP](images/atp-appsource.png)
+
+5. Click **Get it now**.
+
+6. Specify the following details:
+    - **extensionDataSourceKind**: WDATPConnector
+    - **extensionDataSourcePath**: WDATPConnector
+    - **Authentication method**: OAuth2
+
+    ![Image of Power BI authentication method](images/atp-powerbi-extension.png)
+
+7. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
+
+      ![Consent image](images/atp-powerbi-accept.png)
+
+8.	Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
+
+    ![Image of importing data](images/atp-powerbi-importing.png)
+    
+    >[!NOTE]
+    >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load. 
+
+    When importing data is completed and the dataset is ready, you’ll the following notification:
+
+    ![Image of dataset is ready](images/atp-data-ready.png)
+
+9. Click **View dataset** to explore your data.
+
+
 ## Build a custom Windows Defender ATP dashboard in Power BI Desktop
 You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.  
 
@@ -93,9 +154,9 @@ After completing the steps in the Before you begin section, you can proceed with
 
 1.	Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
 
-2.	If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+2.	If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
 
-    ![Consent image](images/atp-powerbi-consent.png)
+    ![Consent image](images/atp-powerbi-accept.png)
 
 3.	Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
 
@@ -112,9 +173,9 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash
 
     ![Power BI preview connector](images/atp-powerbi-preview.png) 
 
-4.	If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+4.	If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
 
-    ![Consent image](images/atp-powerbi-consent.png)
+    ![Consent image](images/atp-powerbi-accept.png)
 
 5.	Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 8bf610b344..fba100bb3c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -114,6 +114,9 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo
 
 Microsoft has released new [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/en-us/windows/device-security/security-compliance-toolkit-10).
 
+### SMBLoris vulnerability
+An issue, known as “SMBLoris”, which could result in denial of service, has been addressed.
+
 
 ## Windows Analytics