diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 7c6bb4d033..b6a2fe14ca 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -1,6 +1,22 @@
{
"build_entry_point": "",
"docsets_to_publish": [
+ {
+ "docset_name": "bcs-vsts",
+ "build_source_folder": "bcs",
+ "build_output_subfolder": "bcs-vsts",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
{
"docset_name": "education-VSTS",
"build_source_folder": "education",
@@ -449,7 +465,8 @@
"branches_to_filter": [
""
],
- "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client",
+ "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
+ "git_repository_branch_open_to_public_contributors": "master",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"resolve_user_profile_using_github": true,
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 0f1448e671..599204ce64 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -13089,21 +13089,6 @@
"source_path": "windows/deployment/windows-10-auto-pilot.md",
"redirect_url": "/windows/deployment/windows-autopilot/windows-10-autopilot",
"redirect_document_id": true
-},
-{
-"source_path": "bcs/index.md",
-"redirect_url": "/microsoft-365/business/index",
-"redirect_document_id": true
-},
-{
-"source_path": "bcs/support/microsoft-365-business-faqs.md",
-"redirect_url": "/microsoft-365/business/support/microsoft-365-business-faqs",
-"redirect_document_id": true
-},
-{
-"source_path": "bcs/support/transition-csp-subscription.md",
-"redirect_url": "/microsoft-365/business/support/transition-csp-subscription",
-"redirect_document_id": true
}
]
-}
\ No newline at end of file
+}
diff --git a/bcs/TOC.md b/bcs/TOC.md
new file mode 100644
index 0000000000..06913f7aef
--- /dev/null
+++ b/bcs/TOC.md
@@ -0,0 +1 @@
+# [Index](index.md)
\ No newline at end of file
diff --git a/bcs/breadcrumb/toc.yml b/bcs/breadcrumb/toc.yml
new file mode 100644
index 0000000000..61d8fca61e
--- /dev/null
+++ b/bcs/breadcrumb/toc.yml
@@ -0,0 +1,3 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
\ No newline at end of file
diff --git a/bcs/docfx.json b/bcs/docfx.json
new file mode 100644
index 0000000000..16e842d530
--- /dev/null
+++ b/bcs/docfx.json
@@ -0,0 +1,45 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md",
+ "**/*.yml"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "_themes/**",
+ "_themes.pdf/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "_themes/**",
+ "_themes.pdf/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
+ "extendBreadcrumb": true
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "bcs-vsts"
+ }
+}
\ No newline at end of file
diff --git a/bcs/index.md b/bcs/index.md
new file mode 100644
index 0000000000..aee1cc4e7a
--- /dev/null
+++ b/bcs/index.md
@@ -0,0 +1,3 @@
+---
+redirect_url: https://docs.microsoft.com/microsoft-365/business/index
+---
diff --git a/bcs/support/microsoft-365-business-faqs.md b/bcs/support/microsoft-365-business-faqs.md
new file mode 100644
index 0000000000..332b565f0c
--- /dev/null
+++ b/bcs/support/microsoft-365-business-faqs.md
@@ -0,0 +1,3 @@
+---
+redirect_url: https://docs.microsoft.com/microsoft-365/business/support/microsoft-365-business-faqs
+---
\ No newline at end of file
diff --git a/bcs/support/transition-csp-subscription.md b/bcs/support/transition-csp-subscription.md
new file mode 100644
index 0000000000..45a6e1c74c
--- /dev/null
+++ b/bcs/support/transition-csp-subscription.md
@@ -0,0 +1,3 @@
+---
+redirect_url: https://docs.microsoft.com/microsoft-365/business/support/transition-csp-subscription
+---
\ No newline at end of file
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 6b4a3479c5..20d0866be8 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -8,13 +8,19 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 12/20/2017
+ms.date: 02/02/2018
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## February 2018
+
+New or changed topic | Description
+--- | ---
+[Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | Replaced the instructions for upgrading to Windows Holographic for Business using Microsoft Intune with a link to the new Intune topic.
+
## December 2017
New or changed topic | Description
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index d85bb461aa..cc97f37aba 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -7,12 +7,12 @@ ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 02/02/2018
---
# Unlock Windows Holographic for Business features
-Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes_-_august_2016#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
@@ -25,50 +25,12 @@ When you purchase the Commercial Suite, you receive a license that upgrades Wind
The enterprise license can be applied by any MDM provider that supports the [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904983.aspx). The latest version of the Microsoft MDM API will support WindowsLicensing CSP.
+For step-by-step instructions for upgrading HoloLens using Microsoft Intune, see [Upgrade devices running Windows Holographic to Windows Holographic for Business](https://docs.microsoft.com/intune/holographic-upgrade).
-**Overview**
-
-1. Set up the edition upgrade policy.
-2. Deploy the policy.
-3. [Enroll the device through the Settings app](hololens-enroll-mdm.md).
-
-The procedures in this topic use Microsoft Intune as an example. On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-
-### Set up the Edition Upgrade policy
-
-1. Sign into the Intune Dashboard with your Intune admin account.
-
-2. In the **Policy** workspace, select **Configuration Policies** and then **Add**.
-
- 
-
-3. In **Create a new policy**, select the **Edition Upgrade Policy (Windows 10 Holographic and later** template, and click **Create Policy**.
-
- 
-
-4. Enter a name for the policy.
-
-5. In the **Edition Upgrade** section, in **License File**, browse to and select the XML license file that was provided when you purchased the Commercial Suite.
-
- 
-
-5. Click **Save Policy**.
+ On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-### Deploy the Edition Upgrade policy
-
-Next, you will assign the Edition Upgrade policy to selected groups.
-
-1. In the **Policy** workspace, select the Edition upgrade policy that you created, and then choose **Manage Deployment**.
-
-2. In the **Manage Deployment** dialog box, select one or more groups to which you want to deploy the policy, and then choose **Add** > **OK**.
-
-When these users enroll their devices in MDM, the Edition Upgrade policy will be applied.
-
-
-For more information about groups, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
-
## Edition upgrade using a provisioning package
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 838e8452a9..33ef0f983f 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -17,21 +17,21 @@ This topic provides links to useful Surface Hub documents, such as product datas
| Link | Description |
| --- | --- |
-| [Surface Hub Site Readiness Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
-| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-setup-guide) | Get a quick overview of how to set up the environment for your new Surface Hub. |
-| [Surface Hub Quick Reference Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-quick-reference-guide) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
+| [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
+| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. |
+| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface Hub Quick Reference Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
-| [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
+| [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
-| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
-| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
-| [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
-| [Floor-Supported Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-floor-supported-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) |
-| [Rolling Stand Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-rolling-stand-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) |
-| [Mounts and Stands Datasheet (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-mounts-and-stands-datasheet) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. |
-| [Surface Hub Stand and Wall Mount Specifications (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-stand-and-wall-mount-specs) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. |
-| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](https://www.microsoft.com/surface/en-us/support/surface-hub/onsite-installation-repair-faq) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. |
+| [Unpacking Guide for 84-inch Surface Hub (PDF)](http://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
+| [Unpacking Guide for 55-inch Surface Hub (PDF)](http://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
+| [Wall Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Wall_Mounts_EN-FR-ES-NL-DE-IT-PT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
+| [Floor-Supported Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Floor_Support_Mount_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) |
+| [Rolling Stand Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Rolling_Stands_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) |
+| [Mounts and Stands Datasheet (PDF)](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. |
+| [Surface Hub Stand and Wall Mount Specifications (PDF)](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. |
+| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](http://download.microsoft.com/download/B/D/1/BD16D7C5-2662-4B7D-9C98-272CEB11A6F3/20160816%20SurfaceHub_Onsite%20Services%20FAQs%20FINAL.PDF) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. |
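Review bot: Every replaced guide link in this table now points at `http://download.microsoft.com/...`, while the links it replaces were `https://www.microsoft.com/...`, so the PDFs (site readiness, SSD replacement, mounting guides) would be fetched over plain HTTP and could be altered in transit. If the download host serves these files over TLS, which should be confirmed, use the `https://` scheme for each added URL. Separately, the Quick Reference Guide row has literal spaces in its URL (`.../Surface Hub Quick Reference Guide_en-us.pdf`), which many Markdown renderers will not treat as a link target. Encode them as `%20`, as the Onsite Services FAQ row already does.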
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index 1f647b7dbb..125ea5cd60 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -40,8 +40,9 @@ ms.date: 01/12/2017
## 1. Log in and connect to the school network
To try out the educator tasks, start by logging in as a teacher.
-1. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.
-2. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
+1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
+2. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.
+3. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index 29f0a0de6c..5164c21a1d 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -45,9 +45,10 @@ If you run into any problems while following the steps in this guide, or you hav
## 1. Log in to Device A with your IT Admin credentials and connect to the school network
To try out the IT admin tasks, start by logging in as an IT admin.
-1. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit.
-2. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
-3. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty.
+1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
+2. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit.
+3. Connect to your school's Wi-Fi network or connect with a local Ethernet connection.
+4. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty.
diff --git a/education/windows/images/mc-ee-video-icon.png b/education/windows/images/mc-ee-video-icon.png
new file mode 100644
index 0000000000..61c8a0f681
Binary files /dev/null and b/education/windows/images/mc-ee-video-icon.png differ
diff --git a/education/windows/images/mcee-icon.png b/education/windows/images/mcee-icon.png
new file mode 100644
index 0000000000..32ed1cf134
Binary files /dev/null and b/education/windows/images/mcee-icon.png differ
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 0e3dfcd0ba..f0c3df0aea 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -10,7 +10,7 @@ author: trudyha
searchScope:
- Store
ms.author: trudyha
-ms.date: 10/13/2017
+ms.date: 1/5/2018
---
# For IT administrators - get Minecraft: Education Edition
@@ -152,7 +152,7 @@ You can install the app on your PC. This gives you a chance to test the app and
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
- 
+
3. Click **Install**.
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 0deb4b8fbc..59d779962f 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 12/12/2017
+ms.date: 02/02/2018
---
# Technical reference for the Set up School PCs app
@@ -292,7 +292,7 @@ The Set up School PCs app produces a specialized provisioning package that makes
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart
Disabled
-
Shutdown: Allow system to be shut down without having to log on
Disabled
+
Shutdown: Allow system to be shut down without having to log on
Enabled
User Account Control: Behavior of the elevation prompt for standard users
Auto deny
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 7cf6b0d940..14bbe54561 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -10,8 +10,7 @@ author: trudyha
searchScope:
- Store
ms.author: trudyha
-ms.date: 10/13/2017
----
+ms.date: 1/5/2018
# For teachers - get Minecraft: Education Edition
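Review bot: The closing `---` of the YAML front matter is removed together with the old `ms.date` line and is not re-added, so on the new side `ms.date: 1/5/2018` runs straight into the `# For teachers - get Minecraft: Education Edition` heading. Assuming the opening `---` is still at the top of the file (it is outside this hunk), the metadata block is left unterminated and the build may treat the heading and body as front matter or fail to parse it. Restore the delimiter on its own line after `ms.date: 1/5/2018`, as the matching change in `school-get-minecraft.md` keeps it.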
@@ -41,9 +40,9 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Microsoft Store inventory.
- 
+
-If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#purchase-additional-licenses).
## Distribute Minecraft
@@ -53,7 +52,7 @@ After Minecraft: Education Edition is added to your Microsoft Store for Educatio
- You can assign the app to others.
- You can download the app to distribute.
-
+
### Install for me
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
@@ -61,7 +60,7 @@ You can install the app on your PC. This gives you a chance to work with the app
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
- 
+
3. Click **Install**.
@@ -72,7 +71,7 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
- 
+
3. Click **Invite people**.
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 181fb19436..3c59ec92f0 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -56,9 +56,9 @@ There are a couple of things we need to know when you pay for apps. You can add
6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**.
-You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
+You’ll also need to have your business address saved on **Billing - Account profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
-Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can:
+Microsoft Store adds the app to your inventory. From **Products & services**, you can:
- Distribute the app: add to private store, or assign licenses
- View app licenses: review current licenses, reclaim and reassign licenses
- View app details: review the app details page and purchase more licenses
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index cee7f01a25..d63ff3800d 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
-ms.date: 1/4/2018
+ms.date: 1/29/2018
ms.localizationpriority: high
---
@@ -20,7 +20,7 @@ Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For
Watch this video to learn more about Windows AutoPilot in Micrsoft Store for Business.
-
+[!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false]
## What is Windows AutoPilot Deployment Program?
In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device.
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index 63f52ca1ce..f5ff057e17 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -26,6 +26,8 @@
### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json)
### [Manage private store settings](/microsoft-store/manage-private-store-settings?toc=/microsoft-store/education/toc.json)
### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Manage Windows device deployment with Windows AutoPilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json)
+### [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module?toc=/microsoft-store/education/toc.json)
## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json)
### [Add unsigned app to code integrity policy](/microsoft-store/add-unsigned-app-to-code-integrity-policy?toc=/microsoft-store/education/toc.json)
### [Sign code integrity policy with Device Guard signing](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing?toc=/microsoft-store/education/toc.json)
diff --git a/store-for-business/images/mc-ee-video-icon.png b/store-for-business/images/mc-ee-video-icon.png
new file mode 100644
index 0000000000..61c8a0f681
Binary files /dev/null and b/store-for-business/images/mc-ee-video-icon.png differ
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 52451ac6a7..4d6181abe1 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -23,11 +23,7 @@ Windows 10, version 1709 (also known as the Fall Creators Update), introduces [W
## Enable Windows Mixed Reality in WSUS
-To enable users to download the Windows Mixed Reality software, enterprises using WSUS can approve Windows Mixed Reality package by unblocking the following KBs:
-
-- KB4016509: FeatureOnDemandOasis - Windows 10 version 1703 for x64-based Systems
-- KB3180030: language packs
-- KB3197985: language packs
+To enable users to download the Windows Mixed Reality software for devices running Windows 10, version 1703, enterprises using WSUS can approve Windows Mixed Reality package by unblocking **KB4016509: FeatureOnDemandOasis - Windows 10 version 1703 for x64-based Systems**.
Enterprises devices running Windows 10, version 1709, will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software:
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index cf0031cf4f..1ac5a9f388 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -228,6 +228,7 @@
#### [RemoteManagement](policy-csp-remotemanagement.md)
#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md)
#### [RemoteShell](policy-csp-remoteshell.md)
+#### [RestrictedGroups](policy-csp-restrictedgroups.md)
#### [Search](policy-csp-search.md)
#### [Security](policy-csp-security.md)
#### [Settings](policy-csp-settings.md)
@@ -280,6 +281,8 @@
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [TPMPolicy CSP](tpmpolicy-csp.md)
#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
+### [UEFI CSP](uefi-csp.md)
+#### [UEFI DDF file](uefi-ddf.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index a72cf5ff8f..5a601e0ca8 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 02/02/2018
---
# Configuration service provider reference
@@ -2079,6 +2079,34 @@ Footnotes:
+
+[Uefi CSP](uefi-csp.md)
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
4
+
4
+
4
+
4
+
+
+
+
+
+
+
+
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index c48d6ddd3b..e69e71e093 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -13,6 +13,9 @@ ms.date: 11/01/2017
# DMClient CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
The following diagram shows the DMClient configuration service provider in tree format.
@@ -257,6 +260,11 @@ Optional. Number of days after last sucessful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
+**Provider/*ProviderID*/AADSendDeviceToken**
+Device. Added in Windows 10 next major update. For AZure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
+
+Supported operations are Add, Delete, Get, and Replace. Value type is bool.
+
**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
@@ -690,19 +698,45 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
-Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
+Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
-**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
+**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
+Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
-Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
+Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
+**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
+Required. Device Only. Added in Windows 10, next major update. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
+
+Supported operations are Get and Replace. Value type is integer.
+
+**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
+Required. Added in Windows 10, next major update. This node decides whether or not the MDM progress page displays the Collect Logs button.
+
+Supported operations are Get and Replace. Value type is bool.
+
+**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
+Required. Added in Windows 10, next major update. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
+
+Supported operations are Add, Get, Delete, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
+Required. Device only. Added in Windows 10, next major update. This node decides wheter or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
+
+Supported operations are Get and Replace. Value type is bool.
+
+**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
+Required. Device only. Added in Windows 10, next major update. This node decides wheter or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
+
+Supported operations are Get and Replace. Value type is bool.
+
**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 22082b40c3..51a46a8897 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -13,11 +13,14 @@ ms.date: 12/05/2017
# DMClient DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1907.
+The XML below is for Windows 10, next major update.
``` syntax
@@ -28,7 +31,355 @@ The XML below is for Windows 10, version 1907.
1.2DMClient
- ./Vendor/MSFT
+ ./User/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.5/MDM/DMClient
+
+
+
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ FirstSyncStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedPolicies
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedNetworkProfiles
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedMSIAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedModernAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedPFXCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedSCEPCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ServerHasFinishedProvisioning
+
+
+
+
+
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsSyncDone
+
+
+
+
+
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ WasDeviceSuccessfullyProvisioned
+
+
+
+
+
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowCollectLogsButton
+
+
+
+
+
+ false
+ This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CustomErrorText
+
+
+
+
+
+
+
+ This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+
+ DMClient
+ ./Device/Vendor/MSFT
@@ -622,6 +973,30 @@ The XML below is for Windows 10, version 1907.
+
+ AADSendDeviceToken
+
+
+
+
+
+
+
+ Send the device AAD token, if the user one can't be returned
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Push
@@ -1221,7 +1596,7 @@ The XML below is for Windows 10, version 1907.
- This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
@@ -1243,7 +1618,7 @@ The XML below is for Windows 10, version 1907.
- This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
@@ -1265,7 +1640,7 @@ The XML below is for Windows 10, version 1907.
- Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
@@ -1280,6 +1655,137 @@ The XML below is for Windows 10, version 1907.
+
+ BlockInStatusPage
+
+
+
+
+
+ 0
+ Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowCollectLogsButton
+
+
+
+
+
+ false
+ This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CustomErrorText
+
+
+
+
+
+
+
+ This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SkipDeviceStatusPage
+
+
+
+
+
+ true
+ Device only. This node decides wheter or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SkipUserStatusPage
+
+
+
+
+
+ false
+ Device only. This node decides wheter or not the MDM user progress page skips after AADJ or DJ++ after user login.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ EnhancedAppLayerSecurity
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
index 88398bc1c5..486779f038 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-uefi.png b/windows/client-management/mdm/images/provisioning-csp-uefi.png
new file mode 100644
index 0000000000..6900dd0c83
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-uefi.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 665dc021aa..8fdf97effb 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,12 +10,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 02/05/2018
---
# What's new in MDM enrollment and management
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
@@ -1385,6 +1389,27 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### February 2018
+
+
+
+
+
+
+
+
+
New or updated topic
+
Description
+
+
+
+
+
[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)
+
Updated the XSD and Plug-in profile example for VPNv2 CSP.
+
+
+
+
### January 2018
@@ -1455,6 +1480,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
@@ -1516,6 +1542,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.
+
[DMClient CSP](dmclient-csp.md)
+
Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, next major update:
+
+
AADSendDeviceToken
+
BlockInStatusPage
+
AllowCollectLogsButton
+
CustomErrorText
+
SkipDeviceStatusPage
+
SkipUserStatusPage
+
+
+
[RemoteWipe CSP](remotewipe-csp.md)
Added the following nodes in Windows 10, next major update:
@@ -1529,6 +1567,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
[Defender CSP](defender-csp.md)
Added new node (OfflineScan) in Windows 10, next major update.
+
+
[UEFI CSP](uefi-csp.md)
+
Added a new CSP in Windows 10, next major update.
+
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index b3eec1da15..f031f91a4b 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 01/26/2018
---
# Office CSP
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
@@ -144,31 +144,54 @@ To get the current status of Office 365 on the device.
997
Installation in progress
-
Windows Information Protection
+
-
13 (ERROR_INVALID_DATA)
-
Cannot verify signature of the downloaded ODT
+
13
+
ERROR_INVALID_DATA
+
Cannot verify signature of the downloaded Office Deployment Tool (ODT)
Failure
-
1460 (ERROR_TIMEOUT)
-
Failed to download ODT
+
1460
+
ERROR_TIMEOUT
+
Failed to download ODT
Failure
-
1603 (ERROR_INSTALL_FAILURE)
-
Failed any pre-req check.
+
1602
+
ERROR_INSTALL_USEREXIT
+
User cancelled the installation
+
Failure
+
+
+
1603
+
ERROR_INSTALL_FAILURE
+
Failed any pre-req check.
SxS (Tried to install when 2016 MSI is installed)
-
Bit mismatch
+
Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
Failure
+
17000
+
ERROR_PROCESSPOOL_INITIALIZATION
+
Failed to start C2RClient
+
Failure
+
+
+
17001
+
ERROR_QUEUE_SCENARIO
+
Failed to queue installation scenario in C2RClient
+
Failure
+
+
17002
-
Failed to complete the process. Possible reasons:
+
ERROR_COMPLETING_SCENARIO
+
Failed to complete the process. Possible reasons:
+
Installation cancelled by user
Installation cancelled by another installation
Out of disk space during installation
@@ -177,13 +200,60 @@ To get the current status of Office 365 on the device.
Failure
-
17004
-
Unknown SKU
+
17003
+
ERROR_ANOTHER_RUNNING_SCENARIO
+
Another scenario is running
Failure
-
0x8000ffff (E_UNEXPECTED)
-
Tried to uninstall when there is no C2R Office on the machine.
+
17004
+
ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
+
Possible reasons:
+
+
Unknown SKUs
+
Content does't exist on CDN
+
such as trying to install an unsupported LAP, like zh-sg
+
CDN issue that content is not available
+
+
Signature check issue, such as failed the signature check for Office content
+
User cancelled
+
+
+
Failure
+
+
+
17005
+
ERROR_SCENARIO_CANCELLED_AS_PLANNED
+
Failure
+
+
+
17006
+
ERROR_SCENARIO_CANCELLED
+
Blocked update by running apps
+
Failure
+
+
+
17007
+
ERROR_REMOVE_INSTALLATION_NEEDED
+
The client is requesting client clean up in a "Remove Installation" scenario
+
Failure
+
+
+
17100
+
ERROR_HANDLING_COMMAND_LINE
+
C2RClient command line error
+
Failure
+
+
+
0x80004005
+
E_FAIL
+
ODT cannot be used to install Volume license
+
Failure
+
+
+
0x8000ffff
+
E_UNEXPECTED
+
Tried to uninstall when there is no C2R Office on the machine.
Failure
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 6d072bbb43..07dec60956 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -376,30 +376,6 @@ The following diagram shows the Policy configuration service provider in tree fo
### Bluetooth policies
@@ -2487,6 +2463,13 @@ The following diagram shows the Policy configuration service provider in tree fo
+### RestrictedGroups policies
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
+
+> [!Note]
+> This policy is only scoped to the Administrators group at this time.
+
+Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+
+> [!Note]
+> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
new file mode 100644
index 0000000000..0b6de467ab
--- /dev/null
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -0,0 +1,87 @@
+---
+title: UEFI CSP
+description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/01/2018
+---
+
+# UEFI CSP
+
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, next major update.
+
+The following diagram shows the UEFI CSP in tree format.
+
+
+
+The following list describes the characteristics and parameters.
+
+**./Vendor/MSFT/Uefi**
+Root node.
+
+**UefiDeviceIdentifier**
+Retrieves XML from UEFI which describes the device identifier.
+
+Supported operation is Get.
+
+**IdentityInfo**
+Node for provisioned signers operations.
+
+
+**IdentityInfo/Current**
+Retrieves XML from UEFI which describes the current UEFI identity information.
+
+Supported operation is Get.
+
+**IdentityInfo/Apply**
+Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**IdentityInfo/ApplyResult**
+Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+
+Supported operation is Get.
+
+**AuthInfo**
+Node for permission information operations.
+
+**AuthInfo/Current**
+Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+
+Supported operation is Get.
+
+**AuthInfo/Apply**
+Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**AuthInfo/ApplyResult**
+Retrieves XML describing the results of previous ApplyAuthInfo operation.
+
+Supported operation is Get.
+
+**Config**
+Node for device configuration
+
+**Config/Current**
+Retrieves XML from UEFI which describes the current UEFI configuration.
+
+Supported operation is Get.
+
+**Config/Apply**
+Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+
+Supported operation is Replace.
+
+**Config/ApplyResult**
+Retrieves XML describing the results of previous ApplyConfig operation.
+
+Supported operation is Get.
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
new file mode 100644
index 0000000000..5f8e6403eb
--- /dev/null
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -0,0 +1,330 @@
+---
+title: UEFI DDF file
+description: UEFI DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 02/01/2018
+---
+
+# UEFI DDF file
+
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is the current version for this CSP.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ Uefi
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/Uefi
+
+
+
+ UefiDeviceIdentifier
+
+
+
+
+ Retrieves XML from UEFI which describes the device identifier.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IdentityInfo
+
+
+
+
+ Provisioned signers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI identity information
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ AuthInfo
+
+
+
+
+ Permission Information
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyAuthInfo operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Config
+
+
+
+
+ Device Configuration
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Current
+
+
+
+
+ Retrieves XML from UEFI which describes the current UEFI configuration.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Apply
+
+
+
+
+ Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyResult
+
+
+
+
+ Retrieves XML describing the results of previous ApplyConfig operation.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 4934ae68ec..7f839bb83d 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 02/05/2018
---
# ProfileXML XSD
@@ -31,6 +31,8 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
+
@@ -46,6 +48,20 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -388,6 +404,8 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
truefalse
+ false
+ falsecorp.contoso.comcontoso.com,test.corp.contoso.com
@@ -396,6 +414,14 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
Helloworld.Com
+
+
+
+
+
+
+
+
```
diff --git a/windows/configuration/diagnostic-data-viewer-overview.md b/windows/configuration/diagnostic-data-viewer-overview.md
index c009c6c0e2..fe1598c59f 100644
--- a/windows/configuration/diagnostic-data-viewer-overview.md
+++ b/windows/configuration/diagnostic-data-viewer-overview.md
@@ -47,10 +47,8 @@ You must start this app from the **Settings** panel.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
- 
-
-f -OR-
-
+ 
-OR-
+
Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
@@ -98,11 +96,8 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
**To view your Windows Error Reporting diagnostic data**
-1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-
-- OR -
-
- Go to **Start** and search for _Problem Reports_.
+1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-OR-
+ Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index c462632c79..e38d95e4ca 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -20,6 +20,7 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
| [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. |
+|[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.|
| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
|[Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index a34a6aa5a7..efdd0f54a8 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -16,7 +16,7 @@ ms.date: 01/29/2018
**Applies to**
-- Windows 10
+- Windows 10 Enterprise edition
- Windows Server 2016
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
@@ -27,11 +27,19 @@ If you want to minimize connections from Windows to Microsoft services, or confi
You can configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887).
+This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
+Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
+However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
+Make sure should you've chosen the right settings configuration for your environment before applying.
+You should not extract this package to the windows\\system32 folder because it will not apply correctly.
+
+Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
+It is recommended that you restart a device after making configuration changes to it.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-## What's new in Windows 10, version 1709
+## What's new in Windows 10, version 1709 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1709:
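Review bot: The added line `Make sure should you've chosen the right settings configuration for your environment before applying.` carries over the stray "should" from the old paragraph; it should read `Make sure you've chosen the right settings configuration for your environment before applying.` The line before it warns that some settings reduce the device's security configuration but does not say which ones. The paragraph above already names malware definition updates and certificate revocation lists, so a pointer to the affected sections would help a reader decide what to leave enabled before applying the baseline.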
@@ -39,7 +47,7 @@ Here's a list of changes that were made to this article for Windows 10, version
- Added the Storage Health section.
- Added discussion of apps for websites in the Microsoft Store section.
-## What's new in Windows 10, version 1703
+## What's new in Windows 10, version 1703 Enterprise edition
Here's a list of changes that were made to this article for Windows 10, version 1703:
@@ -73,9 +81,9 @@ The following sections list the components that make network connections to Micr
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
-### Settings for Windows 10 Enterprise, version 1703
+### Settings for Windows 10 Enterprise edition
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703.
+See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
@@ -1430,11 +1438,14 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
-or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+
+> [!NOTE]
+> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
-or-
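Review bot: The added note says a **Security** level set through Group Policy or the registry is not reflected in the UI, but it gives the reader no way to confirm what was actually applied. I would add a sentence such as `To confirm the configured level, check the AllowTelemetry value under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection rather than the Settings page.` The note also sits between two `-or-` alternatives, which breaks up the list; placing it after the last alternative keeps the options together. Because the registry step now accepts 0-3, it would also help to state what a value of 0 does on editions other than Enterprise, which the text leaves open.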
@@ -1474,7 +1485,11 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
To turn off **Let apps run in the background**:
-- Turn off the feature in the UI for each app.
+- In **Background apps**, set **Let apps run in the background** to **Off**.
+
+ -or-
+
+- In **Background apps**, turn off the feature for each app.
-or-
diff --git a/windows/deployment/images/feedback.PNG b/windows/deployment/images/feedback.PNG
index 8ff7391e84..15e171c4ed 100644
Binary files a/windows/deployment/images/feedback.PNG and b/windows/deployment/images/feedback.PNG differ
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 3452191682..dc565440b6 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -98,7 +98,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
@@ -199,4 +199,4 @@ With all these options, which an organization chooses depends on the resources,
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
-
\ No newline at end of file
+
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 8b85bf57aa..5716edbdd3 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -29,7 +29,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **Semi-Annual Channel** receives feature updates twice per year.
- - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
+ - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index b22a841fb2..16de770ebb 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -60,7 +60,7 @@ These phases are explained in greater detail [below](#the-windows-10-upgrade-pro
3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
-4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
+4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade.
If the general troubleshooting techniques described above or the [quick fixes](#quick-fixes) detailed below do not resolve your issue, you can attempt to analyze [log files](#log-files) and interpret [upgrade error codes](#upgrade-error-codes). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue.
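Review bot: The added instruction in step 4 to "temporarily uninstall anti-virus software" never says when to put it back, so a reader who follows the step literally finishes the upgrade with no endpoint protection. I would complete the step with the restore action, e.g. `Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. Reinstall or re-enable the anti-virus software as soon as the upgrade completes.` A short clause about keeping the device off untrusted networks while protection is removed would also fit here.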
@@ -175,7 +175,7 @@ Some result codes are self-explanatory, whereas others are more generic and requ
### Extend codes
->Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index a00a5c05f7..ae10dbe161 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -84,7 +84,8 @@ To enable data sharing, whitelist the following endpoints. Note that you may nee
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
+| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
+| `https://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
Note: The compatibility update KB runs under the computer’s system account.
diff --git a/windows/device-security/device-guard/images/wdac-edit-gp.png b/windows/device-security/device-guard/images/wdac-edit-gp.png
new file mode 100644
index 0000000000..17c990ac10
Binary files /dev/null and b/windows/device-security/device-guard/images/wdac-edit-gp.png differ
diff --git a/windows/hub/images/W10-WaaS-poster-old.PNG b/windows/hub/images/W10-WaaS-poster-old.PNG
new file mode 100644
index 0000000000..d3887faf89
Binary files /dev/null and b/windows/hub/images/W10-WaaS-poster-old.PNG differ
diff --git a/windows/hub/images/W10-WaaS-poster.PNG b/windows/hub/images/W10-WaaS-poster.PNG
index d3887faf89..de2251a9f2 100644
Binary files a/windows/hub/images/W10-WaaS-poster.PNG and b/windows/hub/images/W10-WaaS-poster.PNG differ
diff --git a/windows/hub/index.md b/windows/hub/index.md
index c2f87b5f74..7d1f965f9d 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,7 +8,7 @@ author: greg-lindsay
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 12/18/2017
+ms.date: 02/02/2018
---
# Windows 10 and Windows 10 Mobile
@@ -19,51 +19,48 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
+
-
Threat Protection
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 4987bee4f7..0015a73387 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -19,13 +19,13 @@ ms.date: 11/08/2017
> This guide only applies to Windows 10, version 1703 or higher.
-Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair.
+Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
## Assumptions
-This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
* A well-connected, working network
* Internet access
* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
@@ -34,17 +34,20 @@ This guide assumes a baseline infrastructure exists that meets the requirements
* Active Directory Certificate Services 2012 or later
* One or more workstation computers running Windows 10, version 1703
-If you are installing a role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
+If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
Do not begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working.
## Deployment and trust models
-Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: Key trust or certificate trust.
+Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: *Key trust* or *certificate trust*.
-Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
+Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
-The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers.
+The trust model determines how you want users to authenticate to the on-premises Active Directory:
+* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
+* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
+* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
Following are the various deployment guides included in this topic:
* [Hybrid Key Trust Deployment](hello-hybrid-key-trust.md)
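Review bot: In the new trust-model list, the dependency of key trust on Windows Server 2016 domain controllers is only implied by the first and third bullets read together. Stating it once and directly would make the choice clearer, e.g. `* The key-trust model requires an adequate number of Windows Server 2016 domain controllers in each site and is for enterprises that do not want to issue end-entity certificates to their users.` The second bullet should read `enterprises that *do* want`, and the third bullet could then be folded into it. The rewrite also drops the old reminder that hybrid environments use both Azure Active Directory and on-premises Active Directory, which seems worth keeping in the sentence that introduces the list.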
@@ -55,5 +58,5 @@ Following are the various deployment guides included in this topic:
## Provisioning
-The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
+Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 8a37191b30..529ff6e574 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -17,14 +17,7 @@ ms.date: 04/19/2017
This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization:
-
-- [Using BitLocker to encrypt volumes](#bkmk-dep1)
-- [Down-level compatibility](#bkmk-dep2)
-- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3)
-- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4)
-
-## Using BitLocker to encrypt volumes
+## Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
@@ -182,8 +175,9 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
-
-### Encrypting volumes using the manage-bde command line interface
+
+
+## Encrypting volumes using the manage-bde command line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
@@ -240,9 +234,8 @@ A common protector for a data volume is the password protector. In the example b
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
-## Using manage-bde to encrypt volumes with BitLocker
-### Encrypting volumes using the BitLocker Windows PowerShell cmdlets
+## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
@@ -442,9 +435,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
```
> **Note:** Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
-## Using PowerShell to encrypt volumes with BitLocker
-
-### Checking BitLocker status
+## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 3463fb30d9..9e780394d7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -100,15 +100,16 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
- `manage-bde -forcerecovery `
+ `manage-bde -forcerecovery `
+
**To force recovery for a remote computer**
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
- `manage-bde. -ComputerName -forcerecovery `
+ `manage-bde. -ComputerName -forcerecovery `
-> **Note:** *ComputerName* represents the name of the remote computer. *Volume* represents the volume on the remote computer that is protected with BitLocker.
+> **Note:** Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user.
## Planning your recovery process
diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
index 380dfc0e0c..0f81162217 100644
--- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
@@ -1056,37 +1056,37 @@ To deploy and manage a WDAC policy with Group Policy:
1. On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search.
-2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3.
+2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3.
> **Note** You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
- 
+ 
- Figure 3. Create a GPO
+ Figure 3. Create a GPO
-3. Name new GPO **Contoso GPO Test**. This example uses Contoso GPO Test as the name of the GPO. You can choose any name that you prefer for this example.
+3. Name new GPO. You can choose any name.
4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
- 
+ 
- Figure 4. Edit the group policy for Windows Defender Application Control
+ Figure 4. Edit the Group Policy for Windows Defender Application Control
6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path.
- In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
+ In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
- > [!Note]
- > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
+ > [!Note]
+ > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
- 
+ 
- Figure 5. Enable the Windows Defender Application Control policy
+ Figure 5. Enable the Windows Defender Application Control policy
- > [!Note]
- > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+ > [!Note]
+ > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see the [Audit Windows Defender Application Control policies](#audit-windows-defender-application-control-policies) section.